HoodaThunk?

The mental wanderings of a common man.


NY lawmakers want to mandate WiFi security

1 May, 2006 (22:26) | Internet, Law, Technology | By: ricjames

A news article at InternetNews.com reports that some lawmakers are ready to deal with the issue of wireless security through legislation:

If you’re a business owner in upstate New York and use a wireless LAN to handle sensitive customer data, you better make sure it’s secure. If it’s not, you may be breaking the law and could be slapped with a fine.

That is the message coming out of Westchester County and the city of White Plains this week as legislators pass a law that makes it illegal for a business not to take the necessary precautions to protect its wireless networks from accidental or deliberate abuse.

Precautions range from internal firewalls to simply switching on a system to changing a network’s SSID identifier.

I would love to report to you that such legislation is completely unneeded and that businesses already secure their wireless. Unfortunately, with the smaller businesses that’s just not so. I make a point of scanning the path to my office and to several of my customer sites looking for operating and advertising wireless nodes. (Advertising, in this case, meaning that the access points are broadcasting their ID and availability.) While the percentage has improved dramatically over the past couple of years, the number of wireless access points (WAPs) configured to provide some kind of security to the connection remains under 50%. (Two years ago I had runs where less than 20% were secured.) Sitting right here blogging this post I can see 6 WAPs, including my own. Two of them are running securely, my own and 1 of my neighbors’. The other 4 (I only know where 1 of those is located) are running wide open and unsecured.

This is one thing for home users. After all, it’s not common that someone compromising a home system can use that to compromise a business one, at least not directly. For a business with customer records, credit cards, and other financial data to be running an open WAP is another matter entirely. There’s no excuse for it, plain and simple. If it takes the threat of a lawsuit for them to secure their networks and, thereby, their customers’ financial data, I’m perfectly fine with that.

Something else there’s no excuse for is this little exchange in the article:

“Overall, it’s a step in the right direction, but how much of an impact it has on altering Wi-Fi usage habits for the business and consumer remains to be seen,” Chuck Conley, vice president of marketing for Boston wireless security firm Newbury Networks, told internetnews.com.

“Strong authentication and encryption combined with Wi-Fi security technologies will ultimately be the best remedy for keeping the bad guys off the network while protecting users from connecting to unauthorized devices.”

Maybe, although some experts believe that forcing businesses to secure their wireless networks with legal mandates may not be the best approach.

“As much as the local government thinks they’re doing the right thing by enforcing some sort of wireless security, is it really within their rights to do so?” said Doug DiNunzio, senior product manager for Bluesocket in Burlington, Mass.

“Some of the fault lies with the manufacturers’ not making security come on by default, and for not making it easy enough to configure,” he told internetnews.com.

Complying with the law could give a business a false sense of security since some of the security precautions suggested are easily defeated, he added. It would be more effective and useful to bundle an education process along with the legislation, or at least require businesses that violate the new law to take a class to bring them up to speed on security.

(Emphasis mine.) Is it within the rights of the government to pass laws requiring businesses to take measures to protect their customers’ financial data? Is this guy serious? And to suggest that businesses would be better off without any security since “some of the security precautions suggested are easily defeated” should be enough to have this guy’s security certifications yanked – assuming he actually has any. The simplest and weakest security measure will keep better than 60% of those people who try to connect from doing so. Guys like this make a living painting a picture of armies of uber-hackers laying siege to the gates of a business. It’s not as simple as you’d think to defeat many of these measures – how many of you could actually do so? – and it costs so very little in time and effort to enact them.

If you’re using wireless in your office or in your home, read the manuals for your gear and make sure you’re protected.