What’s the Wi-Fi Password?
When was the last time your organization changed its wireless password? Do you change it weekly, monthly, annually … never? Do you share it with guests or vendors so they can access the internet while they’re in your building? Are previous employees still able to access your network because they know the password?
Wireless access has become such a baseline standard for modern organizations that we don’t often think about it—unless it isn’t working. But keeping access to your network secure is critical to protecting any data in it.
Shared passwords, though common among smaller organizations and convenient in this age of BYOD (Bring Your Own Device), pose a major security risk for organizations, allowing any individual who has that password unfettered entry into your business.
A much safer option: moving to a more secure authentication method, specifically WPA2-Enterprise (“Wi-Fi Protected Access”). The latest security protocol developed by the Wi-Fi Alliance—yes, there is such a thing—WPA2-Enterprise uses a strong encryption method to encrypt data transmitted over the air. It’s specifically designed for use by organizations (not home users) and can either prompt users for their username/password to authenticate their access to the wireless network or automatically authenticate access via certificates from the server.
The Weakest Links
Switching to WPA2-Enterprise technology for your wireless authentication offers protections against many common weaknesses of a wireless network accessed via a shared password, including:
- Spoofing, or duplicating, the company’s SSID (“Service Set Identifier,” more commonly known as the wireless network name) in an effort to get users to connect to a fake network.
- No granular control over which individuals can access the network.
- Former employees who no longer work for the company but still know the password and can still connect.
- Individuals accessing the wrong network—for example, a vendor connecting to the trusted wireless network instead of a guest network or a restricted vendor network.
Implementing WPA2-Enterprise for advanced wireless security does require a bit more infrastructure: a RADIUS server, which authenticates network users’ access, and PKI (“Public Key Infrastructure”) technology, a form of internet encryption. But the payoff far exceeds the cost.
Rehmann can help implement this technology and, once configured, it mostly runs in the background and requires only normal server maintenance.
How WPA2 Works: The Techie Details
The wireless controller or access point will authenticate a user/workstation based on the user having the correct certificate, which can be managed automatically through your organization’s Active Directory via Group Policy or through Intune in Microsoft’s cloud. The end device will use the certificate to confirm that it’s connecting to the correct wireless network and not a spoofed network trying to appear as the trusted company network.
WPA2-Enterprise can also be implemented with user authentication, wherein each individual user will have their own username and password to access the network. The server certificate is still verified by the end device to ensure the network to which the user connects is trusted.
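The server-certificate check described above only protects users if each client profile actually enforces it. The following is an added example, not part of the original article or Rehmann's tooling: a small auditor for Linux clients that use wpa_supplicant (an assumption; the article itself describes Active Directory and Intune managed devices). The SSIDs, file paths and host names are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (not from the article): one shared-password
# network and two WPA2-Enterprise profiles, one of which skips server validation.
SAMPLE_CONF = '''
network={
    ssid="Corp-Legacy"
    key_mgmt=WPA-PSK
    psk="constructed-shared-secret"
}
network={
    ssid="Corp-Secure"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/corp-ca.pem"
    domain_suffix_match="radius.example.test"
    client_cert="/etc/ssl/laptop01.pem"
    private_key="/etc/ssl/laptop01.key"
}
network={
    ssid="Corp-Users"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Return one dict of key -> value for each network={...} block."""
    blocks = re.findall(r"network=\{(.*?)\n\}", text, flags=re.S)
    return [{k: v.strip('"') for k, v in re.findall(r"^\s*(\w+)=(.*?)\s*$", b, flags=re.M)}
            for b in blocks]

def audit(text):
    """Map each SSID to a list of findings; an empty list means no issue found."""
    report = {}
    for net in parse_networks(text):
        findings = []
        mgmt = net.get("key_mgmt", "")
        if "PSK" in mgmt:
            findings.append("shared password (PSK), no per-user control")
        elif "EAP" in mgmt:
            if "ca_cert" not in net:
                findings.append("no ca_cert: RADIUS server certificate not verified")
            if not ({"domain_suffix_match", "domain_match"} & net.keys()):
                findings.append("no server name check: any cert from the CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling audit(SAMPLE_CONF) returns no findings for Corp-Secure, one for Corp-Legacy and two for Corp-Users, the profile that would accept a spoofed network's RADIUS server.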
Warning: Personnel with Personal Devices
While we’re on the topic of wireless security, now is a good time to remind you that all employees with personal devices should be connecting those devices to a separate guest wireless network, not the company network.
When working in smaller network environments, Rehmann often sees no guest wireless network set up or, just as dangerous, a guest wireless network set up but ignored by employees who are connecting their personal cell phones, watches, and other devices to the company network instead. Allowing personal devices to access the company network is as dangerous as leaving the front door of your physical building unlocked. If someone wants to get in, they easily can.
Keep it Simple but Secure
For a long time, network and system administrators have taken for granted how easy wireless networks are to set up and use across the organization. And wireless networks are great; they allow colleagues to move easily from office to conference room with their laptop, vendors to log on while paying a visit, remote employees to come in for a few hours or days without missing a beat (or finding and connecting to an open modem or router).
However, that convenience comes with a potentially significant cost. Is losing the data your company holds and transmits worth the ease of a single password for anyone in or outside your organization? (Given that 95 percent of cybersecurity incidents at small or mid-size businesses tend to cost between $826 and $653,587, we tend to think not.)
In truth, you can substantially increase the security of your wireless network for far less than you stand to lose. Whether you want to set up a guest wireless network, consider implementing WPA2-Enterprise for user or certificate-based authentication, or simply want to improve your network’s security but don’t know where to start, Rehmann can help.