Information security executives from leading Irish organisations have identified the security of company wireless networks as one of their top concerns, according to a new Ernst & Young survey.
Once fiddly and complicated to create, wireless networks are now so easy to set up that many companies have discovered someone has installed one without the information technology department even knowing about it, according to Mr Pat Moran, director, technology and security risk practice at Ernst & Young Ireland.
In addition, the default setting for many "out of the box" networks is with security settings turned off, he said.
"We've also seen many organisations put in this kind of network, and worry about the security afterwards," he said.
One statistic from the survey bears this out: while 54 per cent of organisations said "security fears" were the main reason they would not be implementing or improving a wireless network, the same percentage revealed they already had put one in.
Nonetheless, wireless access is becoming hugely popular. Some 95 per cent of laptops will ship with wireless access capability by next year, according to telecommunications equipment supplier Nortel Networks.
Unsecured networks can be easy to "sniff" - that is, for potential intruders to locate, using special "sniffing" software that scans for open networks. Any user can then log on to the network and start using its bandwidth.
More worryingly, once on the network, an intruder can use an array of software tools to suck data in that are passing over the network, gaining access to other users' passwords and login names, see Web pages being viewed, or grab sensitive documents.
Using logins and passwords, an intruder can even jump from the wireless network into the main corporate network.
At a security conference in Naas last autumn, a 30-second "sniff" of the wireless network set up for the event produced three separate sets of authentication credentials to gain email access, the report notes.
Even public wireless access "hotspots" aren't necessarily safe for users. Software is available for hackers to create a fake site that looks like the official hotspot access logon site. As a user enters access details, they are captured for use by the fake site provider.
One well-known UK bank found someone had installed such a "rogue" access point inside a ceiling air conditioning duct and was using it to grab user names and passwords, and perhaps to steal customer credit card information and account details, according to the report.
To prevent such access, organisations should encrypt (encode) data passing over a wireless network. In addition, any organisation putting in a wireless access network (WAN) should place it outside the corporate firewall - but behind its own WAN firewall, Mr Moran said.
New wireless protocols will soon make it much easier to secure WANs, he said.
Despite security concerns, "wireless is definitely here to stay", said Mr Moran. "Because it is so simple and cheap to deploy, it suits a lot of organisations."
