Five Tips for Keeping Employees Safe on Public Wi-Fi
With today’s portable notebook computers and mobile devices, employees frequently connect to Wi-Fi networks at places like coffee shops and airports. Although this is much safer than it was in the past—largely as a result of increased HTTPS adoption, which prevents snooping—there are still a variety of risks when employees use untrusted networks to access company resources.
General security tips—like requiring frequent updates, using endpoint security solutions, and educating users about security risks—go a long way towards protecting employees on public Wi-Fi. However, those measures are not nearly enough if the organization wants to ensure maximum security. In this article, we outline and discuss five tips that security-conscious organizations can use to protect against threats on untrusted Wi-Fi networks.
1. Use a VPN Solution
Virtual private networks or VPNs route all traffic on a computer through an encrypted tunnel to another network. For example, a company could have a VPN server in the office and allow employees to connect to the office network remotely. From the perspective of applications running on the computer, it can be no different than connecting to the office network physically.
For this solution to be effective, staff must be forced to use their VPN application whenever they connect from an outside network. One way to achieve this is through MDM profiles or Group Policies. Another way is to disable all outside access to applications unless the user is connected via the VPN.
2. Disable Network Sharing via MDM/Group Policy
Laptops running Windows and macOS include a variety of features that make it easy to share resources and information between devices on the same local network. However, most of these features are meant for devices running on a trusted office or home network, not an untrusted public hotspot.
While Windows gives users the choice to disable this feature every time they connect to a new network, users might still click “Yes” without thinking about the security implications. Administrators can solve the problem through controls like Group Policy and MDM profiles. Sharing settings on macOS can also be disabled through a configuration profile.
For Apple devices, AirDrop can be an issue on untrusted networks. AirDrop allows people within Bluetooth range or on the same network to send files to one another. This does not usually pose a problem. However, it is possible for people to send malicious files to one another in crowded locations. To limit this exposure, companies should require that employees set AirDrop’s discovery settings to “Contacts Only” instead of allowing files from anyone.
3. Use HTTPS on All Company Sites
With HTTPS, it is much more difficult for a third party to snoop on the contents of a connection with a website. By encrypting everything with the Transport Layer Security (TLS) protocol, HTTPS prevents attackers from accessing or modifying information in transit.
Nearly every popular website on the Internet has adopted HTTPS by default. However, some corporate sites—particularly those meant to be intranet sites—may not utilize this critical security technology. Without HTTPS, anyone on a Wi-Fi network can trivially access and modify the information being transferred from the website, which is a problem when employees are accessing insecure sites via public or untrusted Wi-Fi networks.
Enabling HTTPS on every company-owned website—even if it is not intended to be accessed externally—should be a high priority.
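One way to find company sites that still lack HTTPS is to probe every host in the site inventory over both schemes. The following Python sketch is an added example, not part of the original article; the host names and the sample responses are constructed, and `audit_site`, `audit_inventory` and `sample_fetch` are hypothetical helper names.

```python
import http.client
import ssl
def probe(host, use_tls, timeout=5):
    """GET / once without following redirects; returns (status, Location)."""
    # HTTPSConnection verifies the certificate chain and hostname by default.
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()

def audit_site(host, fetch=probe):
    """Return 'no-valid-https', 'plaintext-served' or 'ok' for one host."""
    try:
        fetch(host, True)
    except (OSError, http.client.HTTPException):
        return "no-valid-https"  # refused, handshake failed or untrusted cert
    try:
        status, location = fetch(host, False)
    except (OSError, http.client.HTTPException):
        return "ok"  # nothing answers on plain HTTP
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "ok"  # plain HTTP only redirects to HTTPS
    return "plaintext-served"

def audit_inventory(hosts, fetch=probe):
    """Map each host to its finding, worst findings first."""
    rank = {"no-valid-https": 0, "plaintext-served": 1, "ok": 2}
    found = {h: audit_site(h, fetch) for h in hosts}
    return dict(sorted(found.items(), key=lambda kv: (rank[kv[1]], kv[0])))

# Constructed responses for hypothetical hosts, so the logic runs offline.
SAMPLE = {
    ("wiki.corp.example", True): (200, ""),
    ("wiki.corp.example", False): (301, "https://wiki.corp.example/"),
    ("hr.corp.example", True): ssl.SSLError("certificate verify failed"),
    ("hr.corp.example", False): (200, ""),
    ("files.corp.example", True): (200, ""),
    ("files.corp.example", False): (200, ""),
}

def sample_fetch(host, use_tls):
    result = SAMPLE[(host, use_tls)]
    if isinstance(result, Exception):
        raise result
    return result
```

Calling `audit_inventory(hosts)` without the second argument probes the real hosts. Run it from a managed machine so that certificates issued by an internal CA validate against the system trust store.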
4. Limit the Information Given to Wi-Fi Providers
Public Wi-Fi hotspot providers sometimes use captive portals that ask for a lot of personal information before users can browse freely. To protect their employees’ privacy, companies should train employees to enter as little information as possible into these forms.
Network providers collect other kinds of information as well. Using a VPN can prevent network providers from profiling users based on the websites they visit. Depending on a company’s threat model, protecting against this type of privacy concern may be a good idea.
5. Avoid It Altogether
For companies in regulated industries or those with special security concerns, it might be best to avoid using public Wi-Fi entirely. When public Wi-Fi is not available or is a bad choice, there are still a variety of other options available for on-the-go connectivity.
Companies can give employees access on the go in a few different ways:
- If a company pays for its employees’ cell phone plans, it can encourage or require that employees use mobile tethering instead of public Wi-Fi. Unlimited data plans make this especially easy and practical.
- Cell carriers sometimes offer small standalone tethering devices. Companies can offer these devices to employees at a lower cost than paying for their entire cell phone plans.
- Employees could work in offline mode. Nowadays, with so many software apps in the cloud, it might feel impossible to use a computer with no Internet connection at all. However, with some preparation, it is very doable. Even web apps like Google Docs and Gmail offer offline modes.
Compared to a decade ago, when HTTPS was somewhat rare and coffee shop networks were a complete free-for-all, using public Wi-Fi is fairly safe today. That said, companies that want to guarantee that their employees are just as safe on public Wi-Fi as they would be on the office network should combine standard security best practices with employee training and policies specifically intended to protect employees on untrusted networks, similar to the ones discussed above.
For organizations seeking help with establishing security policies and best practices, Outsource IT is the best choice. We have years of experience protecting clients from cyberattacks using the best technologies and practices available. Contact your Outsource IT account manager to learn more.