One in three Wi-Fi networks in the City of London were insecure, and nearly two thirds failed to encrypt data traffic, according to a survey carried out last year by RSA Security.
Wi-Fi network security can be achieved, but you need to work at it. Techniques range from the obvious - implementing the built-in security features and encrypting data traffic - to the more obscure - using password and access identification protocols which deter hackers without making life impossible for your users.
But what if your Wi-Fi network is provided by a third party? In that case you are relying on contracts to ensure the third party makes your network secure.
Outsiders could use the network as an access point for hacking, distributing illegal pornography and so on. This is unlikely to lead to criminal liability for your company but the damage to your company's reputation could be severe.
Also, the confidentiality of your communications could be compromised by eavesdroppers or personal data might be disclosed. This raises liability issues including breach of data protection and other regulations, and liability for failing to maintain client confidentiality.
In addition, visitors who connect their laptops to your network could suffer a breach of their confidentiality or data protection obligations, exposing them to liability which they might look to your company to cover.
Without proper security this data traffic is accessible to a hacker in the bar next door via his laptop. A KPMG survey last year found that 12% of hackers attempted malicious activities, rather than merely looking for free network access.
Controlling the risks of visitor access is particularly difficult. Ideally you need appropriate contracts with visitors which define the security precautions you take. Signing up visitors and proving they agreed to the contract mixes legal, technical and operational skills.
Notices at Wi-Fi connection points might cover your liability to normal visitors, but where you expect them to transmit sensitive information a formal signed document could be essential.
To minimise these risks your technology supplier and installer contracts must oblige them to make sure the network meets your security needs. The IT director's role is crucial in this situation.
Other business heads and legal experts might not understand the technology and they will not be capable of defining your technical requirements or reviewing the technical changes demanded by the supplier. If the IT director does not help them review business-critical contracts, errors can easily creep in.
A commercially reasonable level of security might be enough for some types of data, such as personal information under data protection laws, but not enough for other types, for instance, market-sensitive information.
Wi-Fi security threats are greater than for wired networks because you cannot make the communications link physically secure.
An IT director needs to ensure this is achieved via four steps: assess the sensitivity of the Wi-Fi data traffic, including likely visitors; devise appropriate levels of security in discussion with your security manager and lawyer; implement that security, either directly or in the contracts with your Wi-Fi service providers; and ensure that your liability to visitors is controlled, if necessary, through appropriate sign-on notices and contracts.
Chris Reed is a consultant to law firm Tite & Lewis
This was first published in February 2004