Rumors of WEP's demise are greatly exaggerated

Well it’s official.  WEP is dead, again.  A recent spate of articles and a new study (Breaking 104 bit WEP in less than 60 seconds) have firmly established the demise of WEP.  In light of the foregoing, certainly no business would continue to use WEP to secure its wireless networks, right?  Well the answer is not what you might think.  There are two problems.  First, we have encountered numerous businesses, particular those in the small to medium size range, that continue to use WEP.  As is so frequently the case, they set their networks up and forgot about them.  They simply don’t appreciate their lack of security.  How did we find these businesses?  We discovered them while conducting due diligence in transactions in which they would be entrusted sensitive information of a business partner.  As part of that process, we asked the businesses whether they use wireless networking and, if so, how they were securing their networks.  Amazingly, a significant number of respondents, after considerable prodding, identified WEP as their one and only method of securing their networks.  In each case, the businesses were given a choice:  upgrade your security or be disqualified from further consideration. 



Now you may say the businesses discussed above are an anomaly.  Certainly no sophisticated business would continue to use WEP.  Unfortunately, many are, but potentially without their knowledge.  This brings us to the second problem I have seen:  employees with insecure home networks remotely accessing their employer’s systems and storing sensitive company information on their home computers.  While the employer’s networks may be adequately secure and free from WEP, their information may nonetheless be stored on the inadequately secured home computers of its employees.  This is a risk businesses should be monitoring.  If employees are permitted remote access, a VPN can certainly be used to increase security over an insecure home wireless network.  But, what about the information that is downloaded from the company network and stored on the home computer?  That information may and likely will be placed at significant risk resulting from the insecurity of the employee’s home systems.  This has led some businesses to reevaluate their remote access policies to better control the security of their employees’ home computers.  This is clearly something every business should consider when their employees may be storing company proprietary/sensitive information on their home systems. 



Based on the foregoing, I expect we will continue to see the effects of WEP for the foreseeable future.  To paraphrase Mark Twain, the rumors of WEP’s death are greatly exaggerated.