The Department of Trade and Industry's bi-annual IT security survey, claimed to be the UK's most authoritative way of tracking security practices and threats, has reiterated warnings that remote access is not being implemented with sufficient security.
Only one in five of the companies with wireless LANs used Wired Equivalent Privacy (WEP) or any other form of encryption, the survey found, and more than half had no additional security controls at all. WEP is now considered easily crackable, but only two percent of networks had an additional layer of encryption on top of WEP, the DTI said.
There have been plenty of surveys warning about the spread of unsecured Wi-Fi in the enterprise, but PricewaterhouseCoopers, which carried out the telephone survey of 1,000 businesses, argues that its is one of the few conducted on a statistically valid basis. "This survey seeks to provide some kind of benchmark against which other surveys can be judged, to get a feel for whether they are wide of the mark," said Chris Potter, the PwC partner who led the survey.
Remote access methods, and particularly wireless LANs, have spread rapidly while education about security issues has not kept pace, Potter said. The survey found that a third of all UK companies now use wireless networks, compared to two percent two years ago. Login passwords, sufficient to protect wired networks, are not enough when the network is exposed outside the office via a wireless access point, security experts say, but the majority of companies surveyed have not yet learned this lesson.
WLAN-based attacks are not theoretical, either, with eight percent of companies reporting attempts at unauthorised access. This is a conservative figure, said Potter, because 23 percent said they had no system in place for telling whether they had been probed.
The danger posed by unprotected wireless networks can't be overestimated, according to some industry observers. "It's an area people are not paying attention to yet," said Bloor Research analyst Fran Howarth. "It's not just encryption, it's anti-virus and all the other protections, which need to be applied to mobile computing just like wired networks."
Businesses should take three simple steps to secure their wireless networks, Potter said. First they should establish whether they have a wireless network in place, since employees - often executives - commonly connect Wi-Fi equipment without authorisation. Second, they should decide whether WLAN offers a real business benefit, and if it doesn't, it should be banned, Potter said. If companies do decide to use WLANs, they should make sure someone in the company is capable of implementing security, he said.
The full findings of the DTI survey will be made public at the InfoSecurity Europe event in London later this month.
Meanwhile, a US-based survey commissioned by industry group CompTIA has found that the biggest corporate threats, virus attacks and network intrusions, are actually becoming significantly less of a concern for businesses.
Last year, 80 percent of the survey respondents said their most common IT security threat was virus and worm attacks, but that has dropped to 68.6 percent this year. Network intrusion issues dropped from 65.1 percent to 39.9 percent. VPN and dial-up problems dropped from 49.9 percent to 41.7 percent, and social engineering dropped from 21.9 percent to 17.9 percent, according to a survey of nearly 900 businesses.
This trend may at least partly be due to the emergence of new threats, however, in particular browser-based attacks. The survey found that 36.8 percent of companies had been hit by at least one browser-based attack in the past six months, compared with 25 percent last year. Browser-based attacks use code embedded in apparently ordinary Web pages to compromise a PC.
CompTIA said businesses must become more active in alerting their employees about such threats. "It is clear that education on IT security can no longer be limited to a handful of IT personnel," said CompTIA president John Venator in a statement. "Keeping the IT infrastructure safe is the responsibility of everyone in the organisation."
Companies that run public websites for customers are also at risk, according to Bloor analyst Howarth. "Browser-based attacks are a big issue for banks, but any company who deals with customers over a website can be hit by this," she said.