Every company has workaholics who can’t leave their duties behind when heading out on vacation. They're the kind of worker who, if the hotel doesn’t have Wi-Fi, will rush to the closest coffee shop or eatery to stay connected, check email and jump onto a video conference call.
Those are the kinds of insecure wireless networks that make IT security managers nervous.
And for good reason. Public Wi-Fi networks at cafes and coffee shops are open to, and can be accessed by, anyone, according to mobile security vendor iPass. They require neither security keys and passphrases nor firewall protection. That leaves employees vulnerable to man-in-the-middle attacks.
When an attacker intercepts communications, it's possible to snoop on traffic as it goes from user to server. Gather enough info and it's easy for the attacker to then pose as a trusted user and gain access to sensitive corporate data. Companies that deal with personal and financial data are at greater risk of such attacks.
Man-in-the-middle attacks are a big concern because they're easy to pull off, said Raghu Konka, vice president of engineering at iPass. “At public Wi-Fi locations, the airwaves are open and any attacker with a simple antenna can mount an attack,” he said.
To improve overall online security:
- When connecting to a public Wi-Fi network, make sure you browse secured sites only.
- Use a VPN. This will protect traffic where it is most vulnerable, the last mile between a user and a server.
- Enterprises should educate workers on vulnerabilities and provide the tools needed to combat them.
- Keep your devices up to date with the latest software.
- Be cautious about opening or replying to emails from unknown senders.
IPass, which surveyed 500 CIOs and senior IT decision makers from the U.S., U.K., Germany and France, found that organizations consider C-level employees, including the CEO, to be at the greatest risk of being hacked; coffee shops are regarded as the most dangerous public Wi-Fi venue; organizations are increasingly concerned about growing mobile security risks; and man-in-the-middle attacks are deemed the greatest threat.
In the survey, 78% of respondents chose coffee shops as one of their top three most popular locations for accessing work. Airports were next, followed by exhibition centers.
IPass said companies hoping to mitigate security risks have been moving to ban the use of public Wi-Fi hotspots. Sixty-eight percent of those surveyed ban the use of Wi-Fi hotspots; 31% ban their use at all times (up from 22% in 2016), and 37% ban their use sometimes. On top of that, 14% plan to roll out a ban on public Wi-Fi hotspots in coming months. That number is down from 20% last year, suggesting that many organizations introduced a ban in the last 12 months, according to iPass.
But those kinds of edicts could be a detriment to business goals. Most electronic devices shipped worldwide are Wi-Fi only, so blocking connectivity to hotspots at coffee shops, hotels, airports and in flight could mean workers aren't able to get things done while on the go.
Public Wi-Fi networks aren't the only things that attract thieves. So do the smartphones and tablets themselves, said Domingo Guerra, co-founder and president of Appthority. So it's important to make sure you can do a remote wipe, should a device be lost or stolen, to protect data. It's also good to have backups of your device and data before heading out, use a strong passcode on the lock screen and disable any touch-ID unlock feature. Increasingly, governments are asking travelers to temporarily hand over phones, and it’s harder to compel someone to share their password than it is to use their fingerprint, Guerra said.
Watch out for certain apps
Guerra recommends travelers stick with official app stores, such as those from Google and Apple. Some tourist destinations offer custom or private apps not distributed through the official stores. “It’s important to avoid side loaded apps at all times,” he said.
Another concern: permission requests from the apps you download.
“If you don’t understand why the app is asking to access your photos or contacts, for example, decline access. The app can ask you again when it needs that permission and that will give you more information about whether you want to share access or not. It is common to see apps request more data or permissions than necessary,” Guerra said.
When on the road, some permissions become riskier. For example, apps that are accessing, then sharing/broadcasting your location at all times (“Always on”) can be more dangerous while traveling in foreign countries. Try to grant the minimum number and level of permissions. Most of the time, the app will work fine without the extra data -- data that is often sold to third parties to profile you.
Finally, while Apple and Google review apps for malware, they don't look for security best practices like properly encrypting sensitive data or protecting back ends and databases, he said.
App traffic is often not properly secured or encrypted, Guerra said. “This makes it crucial to avoid free/public Wi-Fi hotspots such as hotels and coffee shops when performing sensitive transactions from your mobile device, such as banking, shopping, or working on company sensitive information.”
That's why it's prudent, he said, to invest in a mobile VPN and/or purchase a roaming data plan for international travel.