Wireless Risks: Agents Beware!

By

Agencies are beginning to deploy wireless technologies at an increasing rate. It's the next step in productivity and efficiency, especially in the hard market where agents need to spend more face-to-face time with clients, and less time in headquarter offices accessing and processing information on computer systems.

Today's wireless tools, however, have a tremendous number of vulnerabilities. At the heart of the security problem is the rapid rate at which wireless, mobile computing is being implemented and the conversely slow rate at which companies are evaluating the associated risks and making security changes.

To safely realize the benefits of wireless technology, companies must develop policies and procedures for its use, and increase user awareness regarding security and privacy issues.

What is wireless technology? Basically, it involves the transmission of data without physical cable connections. This transmission can occur via infrared technology within a building, or over even wider ranges using satellites.

Many agents now use mobile systems, such as personal digital assistants (PDAs), laptops, and Blackberry systems, configured with wireless connectivity. Since wireless transmission occurs over airwaves, however, there is a potential risk that these transmissions can be intercepted, leading to potential security and privacy breaches. How can agencies deploying these technologies protect themselves?

Most experts agree that wireless security is currently very weak at best. What few standards exist provide little protection and are seldom implemented by users and administrators.

The current wireless protocol standard (802.11b) is inadequate in meeting anything but minimal security requirements, and the encryption mechanism, Wired Equivalent Privacy (WEP), has been proven easy to break. Some companies don't even turn encryption on, and as a result, sensitive data are being transmitted with no protection at all.

There are new standards on the horizon that may provide more security capabilities, but the real question is whether wireless users will implement these new standards when they currently choose not to use existing security measures.

In contrast to traditional hacking practices carried out over phone lines and the Internet, hacking into wireless networks is almost as easy as listening to a radio scanner. Armed with a laptop, a wireless network adapter card, as well as some widely available software tools, a hacker can literally roam the streets, “tuning” into the wireless networks transmitting in the vicinity.

Gaining access to a wireless network can put a hacker behind firewalls that would usually stymie attempts to gain unauthorized access to a network that contained sensitive information.

The major risk of a vulnerable wireless system is that unauthorized access to a company's database of private customer information could compromise the company's market reputation.

A carrier or agency's database contains information, such as social security numbers, dates of birth, mothers' maiden names, addresses, that could be used toward identity theft or even held hostage by hackers for large ransom. With recent privacy legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), protecting such information is now mandated. If such data is not protected, agencies or carriers may face severe fines, or worse, find themselves in court.

When system vulnerabilities are combined with lack of awareness and additional human risk factors, there is even more opportunity for exposure. Essentially, highly sensitive information is being put into the hands of early wireless adopters, who are largely unaware of their systems' privacy and security limitations.

As a result, the weakest link in wireless security may be a lack of awareness among corporate system users. More agents are taking advantage of mobile devices to increase their time in the field, yet still have access to vital information like quotes and credit checks, and access to data processing capabilities of the headquarters computer systems.

But many wireless devices are neither designed for nor capable of sophisticated security. Users often utilize poor password protection, and may even purchase and deploy these tools without informing their IT or security departments.

These devices also represent a significant security threat when PDAs and laptops are lost or stolen. For instance, approximately a quarter million PDAs and mobile phones were lost in airports last year. If even a small number of those contained client and business information, there could be serious consequences, including identity theft, disclosure of proprietary information and the loss of competitive advantage.

Some sophisticated agents may also use wireless technology to extend their home computing resources. What then happens when an agent works at home, connecting his or her insecure home network to an agency or carrier? Both networks become vulnerable.

As a result, the expanding corporate boundaries increase risks and legal liabilities in many ways. Through policy and awareness training, however, employees can and must become the first layer of defense in the security process.

If agencies and carriers are to take wireless network security seriously, they must understand the required changes in system design and security policies. The first step requires wireless networks to be behind a secure firewall and perhaps allow only non-sensitive, encrypted and authenticated traffic to pass.

Consideration must also be given to the installation of wireless access points (APs), to avoid signal leakage and potential external abuse. Simply carrying out a drive-by test would show how vulnerable an agency's wireless network is and how dangerous this can be to information assets.

Today, Web-enabled training modules can help educate an already mobile agent workforce. Agents can access this information via the Internet, and become certified in standard privacy and security measures. These security and privacy training organizations work with information security specialists to understand security “best practices.” They also consult with regulatory agencies regarding privacy legislation, ensuring that firms also meet compliance requirements.

In this hard market, wireless technology offers agents the mobility they need to increase one-on-one time with current and potential clients, but before agencies and carriers leap into adoption of these new technologies, careful considerations must be given to the risks involved, and steps must be taken to protect sensitive company and customer information. If this can be done, agents can reap the benefits of increased efficiency and productivity, while still mitigating and controlling the risks.

(rick@corpnetsecurity.com) is president and CEO of CorpNet Security, a policy management and information security provider based in Lincoln, Neb.


Reproduced from National Underwriter Life & Health/Financial Services Edition, July 8, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.