One afternoon recently I popped into a busy branch of a well-known coffee shop chain and was amazed at how many of the coffee drinkers were earnestly hunched over their laptops.
Then I saw the leaflet on the table extolling the virtues of the wireless network that had been installed by the coffee shop operators. Now you can bring your wireless-capable laptop with you on your break so that you can continue working as if you had never left your office desk.
The leaflet explained how you could deal with your e-mails, download reports from your office network, or just surf the Web in comfort and, for an introductory period, do all of this for free!
Given the location, I assume that many of the coffee-drinking surfers were from the nearby investment banks, corporate lawyers and City accountants. Many of them were probably working on their latest merger and acquisition deal while they drank or ate.
Did their employers have security policies that warned their staff about the security concerns of wireless connections? Were these policies properly communicated? Of course, it is possible that all of them had appropriate security fully enabled on their machines, but I doubt it.
To be fair, the leaflet did have a small-print footnote noting the potential security issues and the advisability of making contact with relevant IT specialists within their companies to ask about security measures, but I doubt whether much serious notice was taken of this.
I imagined myself as a hacker, commercial spy, or just someone, sitting nearby, hoping to pick up some juicy personal e-mails with the appropriate discrete receiving equipment. I am sure that a little patience would have been amply rewarded.
The lessons here are obvious. First, every company must ensure that its security policies properly acknowledge the existence and growing proliferation of wireless outlets and that their staff are properly informed and warned of the dangers of unauthorised access to sensitive information.
Second, from a governance perspective, directors and senior business managers must acknowledge the risks, and support the acquisition and implementation of encryption and other wireless security measures. It is only a matter of time before a reputable organisation becomes the first highly publicised victim of wireless eavesdropping. Make sure it isn't you.
Even the best-worded policies and the most technically advanced counter-measures will not compensate for human stupidity. I forgot to mention that one of these caffeine surfers came across to me, a complete stranger, to ask if I would keep an eye on his fully connected laptop while he went upstairs to get a refill!
His concern was that someone might nick his laptop. He was probably quite unaware that the real value was the information that his laptop almost certainly contained.
What's your view?
Do you have security policies in place for wireless working? Tell us in an e-mail >> CW360.com reserves the right to edit and publish answers on the Web site. Please state if your answer is not for publication.
Paul Williams is an independent consultant specialising in IT governance, IT due diligence and project risk management. He can be contacted at [email protected]