Employees are accessing sensitive company information via unprotected public Wi-Fi hotspots, according to a new survey that found public Wi-Fi usage rose significantly over the last year.
The study, conducted by the by the Identity Theft Resource Center (ITRC), surveyed 377 people and found more than half (57%) used public Wi-Fi hotspots to access confidential work-related information. The online survey was commissioned by Sherman, Conn.-based Private Communications Corporation, a seller of virtual private network (VPN) software.
Public Wi-Fi usage has gone up 240% in the past year, but 44% of respondents weren't aware of a way to protect their information when using a hotspot. In addition, 60% of those surveyed indicated they were either concerned or very concerned about their security when using a public hotspot. Experts have pointed out that the rapid increase in public hotspots is associated with the growing use of smartphones and tablet devices.
Security researchers have demonstrated how easy it is for an attacker to target users of open Wi-Fi hotspots, sniffing unencrypted traffic to view sensitive data, such as email and social networks. A Mozilla Firefox plugin called Firesheep made the attacks more widely available, automating the process of monitoring and analyzing traffic.
A VPN encrypts information traveling between a user's computer and the provider's remote network. Large organizations often provide a VPN to protect employees, typically maintaining a VPN appliance to handle a high load of traffic, but security expert Lisa Phifer, president of Core Competence Inc. in Chester Springs, Pa., said they are useful for companies of all sizes.
Companies have tried other solutions with little success, Phifer said. One example is when an organization prohibits employees from adding new network names to corporate laptops. This technique does not help with employee-owned devices, however, and it is unpopular with employees.
To make sure their employees use the VPN, companies can stop employees from using business services on their personal laptops or mobile devices, unless they log on to a VPN.
"That doesn't stop users from doing other risky things [when not logged in]," Phifer said.
Kent Lawson, CEO and founder of Private Communications Corporation, said security experts have been warning about the growing concern of open and often poorly protected Wi-Fi threats.
"People are aware in their tummies that when they use hotspots they're doing something risky," Lawson said. "But they don't know there's a solution."
Lawson said individuals and small businesses can also use a VPN to ensure secure browsing. Critics of personal VPN's say they could slow machines down. Lawson said while the VPN is encrypting and then decrypting information as it travels between a machine and the network, the process runs in the background and does not have a noticeable affect for the ordinary worker using Wi-Fi to surf the Web and check email.
"I would not recommend using a VPN if you're about to download a two-hour HD movie," he said.
Phifer said a VPN can use up battery life faster on smaller devices, but performance of applications on the device is not impacted.
Another complaint with VPNs is that the process of logging on is too time-consuming, Phifer said. In many cases, users have to log on to a hotspot and log on to their VPN before they can access the Internet.
"A great deal of it is because of the expediency," Phifer said of the tendency for users to ignore the fact that they are not protected when using public Wi-Fi. Additionally, Phifer said people do not believe five minutes on a public network will expose them to any harm.
Using HTTPS encryption for protection
Another option for securing information when logged on to public Wi-Fi is to use HTTPS encryption when browsing. Lawson, however, believes using HTTPS does not provide enough security.
"It's spotty. Some sites are secured and some aren't. Some only secure during login," he said.
Security researchers have also developed an attack tool, the Browser Exploit Against SSL/TLS, that breaks the encryption.
VPN protection is limited
A VPN only addresses the lack of encryption when using public Wi-Fi, so users need to take further steps to ensure a secure browsing experience, Phifer said. In addition to a VPN, a firewall is important because it protects against others on the network viewing a user's shared files. Users should also be aware of an "evil twin," a fake access point with the same network name of a real access point. While there is not a clean fix for an evil twin, Phifer said users should be aware of where they are connecting.