Out-Law News 2 min. read

Public WiFi security risks prompt BYOD policy poser, says expert


It would be "impractical" for many businesses that operate a 'bring your own device' (BYOD) policy to completely ban employees from carrying out work activities over public WiFi networks despite the associated security risks, an expert has said.

Information law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said, however, that businesses can take steps to mitigate the risks of mobile working over public WiFi connections. He said that businesses have to decide whether to accept the risks and which approach to addressing them best meets their needs.

Dautlich was commenting after Europol, the EU's law enforcement agency, warned about the methods criminals are using to access information sent over public WiFi networks. Troels Oerting, assistant director of Europol and head of the European Cybercrime Centre (EC3), told the BBC that mobile internet users should not send sensitive information over public WiFi networks.

In one particular attack, criminals create spoof WiFi hotspots that appear to be legitimately provided by others. Users who log in to those hotspots unwittingly give hackers access to the data they sent over the networks, Oerting said, according to the BBC's report.

"We tried to see if we could build in more security, together with the mobile phones and the application providers but also by teaching users that they should not address sensitive information while being in an open insecure WiFi internet," Oerting said. "They should do this from home where they know the WiFi and its security, but not if you are in a coffee shop somewhere you shouldn't access your bank or do all of these things that actually transfer very sensitive information."

Dautlich said that the threats posed by the use of public WiFi systems are serious issues that businesses that operate a BYOD policy need to be aware of and address.

"For many organisations, placing a prohibition on the use work devices for accessing or receiving information via public WiFi networks just isn't practical if their employees are regularly on the move," Dautlich said. "There is a clear problem in terms of actually enforcing such a rule and in any case there may be a need for employees to be able to utilise public WiFi connections to carry out their work when on the go."

"However, the security threats posed should cause businesses, and particularly those responsible for writing BYOD policies, to reflect on how to mitigate the risks of public WiFi use. A ban may be appropriate for a select few, but other options could include allowing staff to use public WiFi networks only for 'low-grade' and non-confidential actions. To do this, there needs to be a shared understanding of exactly what constitutes such activities in practice," he said.

"In addition, businesses could choose to allow staff to access work systems and communications over public WiFi networks only if they have completed appropriate training," Dautlich said.

The expert said that businesses that allow mobile working over public WiFi must accept there is an element of risk to that activity. He said that businesses that give their staff such freedom have a responsibility to regularly train those employees on the security threats associated with the activity.

Dautlich said there was an analogy to be made with the way banks are increasing awareness amongst their online banking customers about security risks online. One example he cited was the effort many banks are making to educate consumers about exactly what sort of content they should expect in email messages from banks that are authentic and what sort of content is likely to indicate spoofing or other tricks employed by fraudsters. Banks with the best practices are also educating consumers about many other aspects too, such as what information to expect to provide back to the bank, as opposed to information sought only by fraudsters, he added. 

"If you are going to let employees loose with mobile working then you owe a responsibility to the company and to them to train them," Dautlich said. "Given the pace with which criminals operate and update their procedures, businesses must ensure that they keep aware of the methods criminals are using and update staff on those threats, providing them with practical training what to do about them."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.