Public Wi-Fi – Should Lawyers Just Say No?
Public Wi-Fi networks are practically ubiquitous. They’re in airports, hotels, office buildings, coffee shops, restaurants, malls and many other locations. While accessing one can be convenient when all you want to do is buy a new digital book on your smartphone, check your e-mail on your laptop, or rebook a flight on your tablet, there are associated risks that should never be minimized, or heaven forbid, completely dismissed. Such risks run the gamut from simple eavesdropping to allowing someone to defeat whatever two-factor authentication you had in place with the site you just logged into.
Here are just a few examples of the most common threats everyone faces when accessing public Wi-Fi.
1) A hacker inserts himself into the conversation occurring between two users (e.g. you and your bank) giving him the ability to do anything from simply listening in and capturing part of the exchange to taking complete control of the entire exchange. Not only is this the most common type of attack out there, this is also one way two-factor authentication can be defeated.
2) You unwittingly login to a rogue network that appears to look legitimate. It may even look identical to known and trusted networks, such as Starbucks. In reality, however, it’s a bogus clone of a trusted site. Fall prey to this type of attack and all of the data in transit is being sent directly to the hacker.
3) You unknowingly login to a rogue access point, which is something well-meaning employees of various businesses sometimes setup. In short, wireless routers have been added to a network in order to give more customers access to the Internet. Often these routers are not configured properly, which makes them easy to hack into, even though the network itself might be secure.
4) You become infected with a worm. Unlike computer viruses, computer worms self-propagate and can be programmed to do all kinds of things to include steal documents, capture passwords, and spread ransomware. If you happen to be on a public Wi-Fi network and fail to have robust security in place, a worm could readily jump from another infected user currently on the network to you.
5) You have allowed your device to discover new and available Wi-Fi networks. As a result, you unintentionally end up connected to an ad hoc network. This means you may have just directly connected your device to a hacker’s computer giving the hacker free reign to do whatever he wants with your device.
I hope you’re starting to get the picture. Pubic Wi-Fi networks are inherently insecure and some are going to be downright dangerous. That’s just the way it is. And unfortunately, it’s even worse for those who fail to install robust internet security apps on the devices they use to access public Wi-Fi. Those folks are begging for trouble if you ask me.
Does this mean that lawyers and those who work for them should never access public Wi-Fi? In a perfect world, I might try to argue that one; but I can also acknowledge this wouldn’t be realistic. There are going to be times when it’s necessary. In fact, I will confess I use public Wi-Fi myself, but only for certain tasks. The better question is if a lawyer has a need to use public Wi-Fi, how can the associated risks be responsibly addressed?
Let’s start with the basics. All mobile devices, to include smartphones and tablets, should be protected with a robust Internet security software suite and kept current in terms of software updates. Next, approach all public Wi-Fi networks with a healthy level of distrust. For example, never connect to an unknown network, particularly if the connection is offered for free or states that no password is necessary. Also, be on the lookout for network names that are similar to the name of the local venue offering a Wi-Fi connection. This is because a network connection that happens to be named Free Starbucks Wi-Fi doesn’t mean it’s actually the legitimate Starbucks network. If you’re not 100% certain, always ask what the proper name of the local network you are wanting to connect to is and connect to that. Most importantly, never connect to public Wi-Fi unless you have the capability to secure your own Wi-Fi session, which means you must use a VPN. VPN stands for virtual private network and allows you to encrypt all of the data you will be passing along through the public network. Finally, while using public Wi-Fi it’s best to avoid accessing online banking services and visiting any websites that store your credit card information or other personal information that might be of interest to a cybercriminal.
I can appreciate that the advice to avoid certain types of websites while using public Wi-Fi may not be received well by some. However, I stand by it because often there is a much safer option available. Simply use your mobile phone as a hotspot and connect to your carrier’s network. If coupled with the use of a VPN, your entire Internet session will be about as secure as you can make it. If you don’t know how to do this, ask your IT support for a quick lesson.
I wish that I could stop here but I can’t, because almost every law firm I know of is comprised of more than one person. Anyone at a firm can naively or unwittingly fall prey to a cybercriminal when logging onto a public Wi-Fi network and this could result in very serious and unintended consequences for the firm and firm clients. Best practices would mandate that everyone who uses a mobile device for work be subject to a written policy regarding the appropriate use of public Wi-Fi. If your firm has no such policy, now’s the time. Of course, any policy is going to be meaningless if there is no training on the risks and/or no enforcement of the provisions so keep that in mind.
Now to my initial question. Should lawyers just say no to the use of public Wi-Fi or try to prohibit anyone in their employ from using it? I don’t necessarily go that far as long as all users have been made aware of the risks and given the appropriate tools that will help them minimize the risks.
That said, let me share one final thought because I do get push back on this topic and can anticipate you will too. Some will say something along the lines of this. “The Starbucks signal is free, I’ve used it many times and never had a problem so why all the unnecessary fuss?” My response is always the same. How do you know you were never a victim? No one is going to send you a thank you note for allowing them to steal your credit card number or place a keylogger on your laptop. We all need to understand that hacking tools are widely available to the masses. This isn’t just about who made the Wi-Fi available, it’s also about what’s happening on the public network while you are using it. Always remember that you are never alone while using public Wi-Fi and you simply have no way of knowing what everyone else’s intentions are.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 550 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.