
Why Public Wi-Fi Access May Compromise Your Organization

Joe Howland, Chief Information Security Officer

So many of us now work remotely that we often don’t give a second thought to where and how we access the internet. As coffee shops, hotels, and other public meeting spaces open up again, more people than ever are accessing public wi-fi to work.

Just as cyberattackers have become more sophisticated at ransomware, phishing, and hacking into systems, they also have tricks up their sleeves with public wi-fi. Some techniques include: 

  • Evil twin: A hacker sets up a fake access point that might share the same name as the public wi-fi or differ from it only slightly. For example, if an eatery uses the legitimate wi-fi name of “AnyCity Eatery,” then the evil twin might be “AnyCity Eatery WiFi.” The name looks legit at first glance. Users log in and reveal sensitive information (like a username and password), and the hacker can now snoop on their network traffic.
  • Captive portals: After you log into a wi-fi network but before you get access, you might see a webpage pop up asking you to connect, enter a password, or complete further authentication before you can actually access the internet. A hacker can use a fake captive portal to intercept a user and steal sensitive information. Many people use the same password across all applications, so this is an effective way to steal user credentials.
  • Man-in-the-middle attack: A hacker camped out in a public space uses a tool (such as a WiFi Pineapple) to insert themselves between you and the public wi-fi by using an ARP spoofing attack (too technical to dive into here). All you need to know is that with these cheap and easy-to-use tools, the hacker can eavesdrop, steal information, and possibly alter communication between you and another person.
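For IT staff who want a defender-side check for the ARP spoofing mentioned in the last bullet, the following is an added example (not part of the original article). It reads a Linux laptop's neighbor table in `/proc/net/arp` format and warns when the gateway's hardware address has changed or is shared with another host; the sample table, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

def parse_proc_net_arp(text):
    """Parse /proc/net/arp content into (ip, mac, device) tuples."""
    entries = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & 0x2 == 0:  # 0x2 = entry is complete (resolved)
            continue
        entries.append((ip, mac.lower(), device))
    return entries

def arp_warnings(entries, gateway_ip, expected_gateway_mac=None):
    """Return (kind, mac, ips) tuples for signs that the gateway is being impersonated."""
    warnings = []
    by_mac = defaultdict(list)
    for ip, mac, device in entries:
        by_mac[(device, mac)].append(ip)
        # A gateway MAC that differs from the one recorded earlier is the classic symptom.
        if ip == gateway_ip and expected_gateway_mac and mac != expected_gateway_mac.lower():
            warnings.append(("gateway-mac-changed", mac, [ip]))
    for (_device, mac), ips in by_mac.items():
        # One adapter answering for the gateway and for another host on the same link.
        if gateway_ip in ips and len(ips) > 1:
            warnings.append(("gateway-mac-shared", mac, [i for i in ips if i != gateway_ip]))
    return warnings

# Constructed sample table (not captured from a real network).
SAMPLE_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:aa     *        wlan0
192.168.1.23     0x1         0x2         02:00:00:00:00:aa     *        wlan0
192.168.1.40     0x1         0x2         02:00:00:00:00:bb     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

if __name__ == "__main__":
    table = parse_proc_net_arp(SAMPLE_TABLE)
    for warning in arp_warnings(table, "192.168.1.1", "02:00:00:00:00:01"):
        print(warning)
```

A shared address is a heuristic, not proof: some routers legitimately answer for more than one IP, so treat a warning as a reason to disconnect and verify rather than as a verdict.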

You might say, “What’s the likelihood of someone actually doing this when I’m at a coffee shop?” Higher than you think. The National Security Agency (NSA) recently said in a report that “the risk is not merely theoretical; these malicious techniques are publicly known and in use.” 

Your organization stores and transmits confidential, sensitive, and personal information that is valuable to hackers. If your employees use public wi-fi (whether open wi-fi without any password or even secure public wi-fi that requires a password), you can open your organization up to cyberattacks. 

So, how can you protect yourself? 

The best way to avoid these security risks is to avoid using public wi-fi at all. 

However, we know this tip may not be practical—especially when employees are traveling, working out of the house for a variety of reasons, or waiting somewhere (such as a doctor’s office or picking up their kids from a school activity). Employees continue working through the day while on the go, and public wi-fi may be their only option at times. Training your employees about a few best practices can help lower this risk. 

1. Use a Virtual Private Network (VPN) or secure remote portal.

Many organizations already offer remote access solutions to employees such as Virtual Private Networks (VPNs). When using public wi-fi, a VPN is a great idea as it has built-in encryption and security. Think of it like a tunnel for your data that hides your presence from the outside world. Without a VPN, it’s easier for hackers to see what websites you visit, what information you access, and what you communicate.

Keep in mind that if a VPN is configured and secured incorrectly, it won’t help you at all. Require security best practices such as access/authentication policies, multi-factor authentication, and software patching. Also, if an employee uses a personal device, it’s better to use a secured, typically browser-based remote portal and cloud-hosted application. 

2. Make sure you only visit websites with the HTTPS browsing protocol. 

If you visit websites without seeing a lock icon and HTTPS in the URL bar at the top of your browser, then you increase the risk of a hacker seeing what you’re viewing. While not perfect, what you do on an HTTPS website is unlikely to be seen by hackers unless they are very sophisticated. Most amateur hackers will not be able to view information accessed on HTTPS websites.

3. Do not share sensitive or confidential information over public wi-fi.

Even if you’re using a VPN and making sure you go to HTTPS websites, you should still not share sensitive or confidential information over public wi-fi. For personal use, that means important passwords, banking information, and healthcare information. More importantly for your organization, refrain from entering passwords for important business applications, accessing sensitive information, and sharing it while using public wi-fi.

4. Look closely at the wi-fi connection and ask to confirm the correct one.

To combat the Evil Twin trick mentioned earlier in this article, look closely at the wi-fi connection before connecting to check that the name is worded exactly right and that the network is secured. If you have any doubt, ask someone in the establishment (a barista, a hotel concierge, a person working an event desk at a conference center, etc.) if you are connecting to the right wireless hotspot.
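The same "look closely" check can be automated for a managed laptop. This added example (not part of the original article) compares the network name confirmed by staff against nearby networks and flags lookalikes and open copies; the scan results, the filler-word list and the similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Words an evil twin tends to add to or drop from the real name (assumed list).
FILLER = {"wifi", "free", "guest", "public", "hotspot"}

def normalize(ssid):
    """Casefold, split on punctuation/spaces, drop filler words, join the rest."""
    tokens = re.findall(r"[a-z0-9]+", ssid.casefold().replace("wi-fi", "wifi"))
    return "".join(t for t in tokens if t not in FILLER)

def review_scan(confirmed_ssid, confirmed_secured, scan, threshold=0.85):
    """Return (ssid, bssid, reason) for every network that needs a second look."""
    target = normalize(confirmed_ssid)
    findings = []
    for ssid, bssid, secured in scan:
        if ssid == confirmed_ssid:
            # Exact name: suspicious only if staff said it is secured and this copy is open.
            if confirmed_secured and not secured:
                findings.append((ssid, bssid, "same name but open"))
            continue
        # Near-identical after normalization: extra word, case change, swapped character.
        score = SequenceMatcher(None, target, normalize(ssid)).ratio()
        if score >= threshold:
            findings.append((ssid, bssid, "lookalike name"))
    return findings

# Constructed scan results: (SSID, BSSID, uses encryption)
SAMPLE_SCAN = [
    ("AnyCity Eatery", "02:00:00:00:00:01", True),
    ("AnyCity Eatery WiFi", "02:00:00:00:00:02", False),
    ("AnyCity Eatery", "02:00:00:00:00:03", False),
    ("Library Guest", "02:00:00:00:00:04", True),
    ("AnyC1ty Eatery", "02:00:00:00:00:05", True),
]

if __name__ == "__main__":
    for finding in review_scan("AnyCity Eatery", True, SAMPLE_SCAN):
        print(finding)
```

A twin that copies both the exact name and the security setting passes this check, so it complements the VPN and HTTPS practices above rather than replacing them.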

5. Patch your software.

This best practice may seem out of place here, but it is absolutely essential. If a hacker is able to spoof a wireless hotspot and get access to your computer, they can exploit vulnerabilities in your software and applications once inside. By keeping up with software patching, you can avoid obvious and easy exploits. Especially make sure your VPN, browser-based remote portals, and cloud applications are always patched and up-to-date. 

Again, avoid public wi-fi whenever possible. However, if you must use it, follow the best practices above. For more detailed information about public wi-fi risks, read the NSA’s recent alert. 
