The UK National Cyber Security Centre (NCSC) took the step of issuing advice to those looking to stay in touch with the office while on leave or working in unfamiliar locations during the August holiday season this year. However, the risks that they are trying to address are all too real and cannot be consigned under the tab of the ‘silly season’, much as we might want to.
The NCSC issued its advice in a ‘threat report’ around travellers using ‘insecure’ Wi-Fi in public locations such as hotels, airports, restaurants, bars, stations, cafés and increasingly on aircraft, trains and buses. The specific threat concerned upmarket hotels in Europe, where a network of attackers gained access to hotel Wi-Fi networks in order to install malware on guest devices connecting to the targeted networks. As a result they will have been able to access their victims’ data, including emails, and harvest their online credentials, which depending on the device could include social media networks and online banking, along with online calendars and address books. The aim seems to have been to compromise foreign government and business travellers.
However, the advice is sound and worth following when it comes to accessing public Wi-Fi both in the UK and overseas. Our in-house security consultant frequently logs into such public networks for investigative purposes to see how many users of the network are actually using it for more than just checking social media or sending emails, and he habitually finds at least one if not more users on each network using it to look at other devices sharing the network in an attempt to compromise them. We have even heard of some fraudsters setting up Wi-Fi networks in some public areas using a name such as ‘free Wi-Fi’, or even using the name of the establishment in the network name, looking to entice users to log on, at which point they can access the user’s device and exploit it.
As a result, public Wi-Fi should never be used for any work-related or business-critical activity, as the risk to the business is simply too great. It should certainly not be used for any financial transactions online or to access any business-related systems. Yet sometimes using such a network might be unavoidable. What steps can you take to minimise the risk?
- Enable 2-factor authentication for any apps such as email or social media. This could involve entering a code sent by SMS to the user’s phone or via an app or, with the right technology, a scan of a fingerprint.
- If the device uses 4G data, rely on this and do not enable Wi-Fi. The data connection will remain secure for business use. Given the recent abolition of roaming charges across Europe you should be able to use 4G without incurring monstrous roaming charges, but check ahead with your telecoms provider before you travel to be sure.
- Some handsets are encrypted, requiring any hacker to enter an encryption key before they access a device through a Wi-Fi network. Law firms should consider providing secure handsets to all staff users and pressing telecoms suppliers on the security measures that are in place on their devices.
When working in public places there are a few other things that should also be considered. Can anyone see the screen on your device or laptop? Despite being fairly low cost and easily available, privacy screens are rarely fitted by businesses to their mobile devices and can ensure that your screen cannot be inadvertently viewed by fellow passengers on a busy train. They are often one of the first measures that we advise our client law firms to install.
Also think twice before charging your device from a public plug. It should be remembered that mobile devices are often charged via USB sockets and cables, and that when connected to a power source not only are they being charged but a significant amount of data can be passing in both directions along that cable between the device and the ‘host’. Fraudsters have been known to unscrew plug sockets and install small devices that can compromise devices charged in this way. Think carefully before plugging your power plug or USB cable into a public charging point. It may be worth investing in a small portable power pack that can be charged and used to supplement your mobile device’s battery if it begins to run low.
If you are working away from the office and taking calls, consider carefully where you are before going into any specifics about clients and confidential matters. I continue to hear lawyers on trains shouting into phones and having conversations with clients and colleagues that really do belong in a secure office with the door closed – never presume that there is not someone sat nearby who understands exactly what you are talking about and could use it against you. I even heard a barrister and instructing solicitor on a train recently both loudly discussing their day in court that afternoon in fairly graphic detail. I was able to record the entire conversation on my phone which was easily picked up by the mic from the facing table across the carriage as issues like client confidentiality were pretty roundly ignored.
All of these steps may sound obvious, but incidents keep happening. Hopefully this discussion and awareness in the Gazette will make a difference!