The Wireless Security Balance Game
By Mike Masnick, Wed Apr 06 02:00:00 GMT 2005

Making sure that your wireless LAN network is secure is clearly important, but with the technology changing so rapidly, it appears that many are sticking with the "good enough" approach.

It never fails that technology security professionals will complain that companies don't take security seriously enough. It's true. Most companies don't take security seriously enough, and for some, it comes back to bite them. However, keeping everything as secure as can be often means tradeoffs. Continually updating the technology to fill in the cracks and moving on to the newest security technologies as they come along always has a cost -- and it appears that many companies judge that cost not to be worth it when compared to the risks. For example, many are avoiding jumping from WPA protection to 802.11i, realizing that doing so might not be as easy as everyone hoped. Instead, it might involve upgrades to firmware as well as needing to buy new equipment. After all, it wasn't that long ago that they had to jump from WEP to WPA -- and it's not clear that WPA users are likely to be targeted when there are so many other easier targets out there.

At the same time, having weak security (or no security at all) is simply asking for trouble. In some cases, the lack of acceptable wireless security has meant that wireless technologies are not permitted at the office -- but that has a huge cost as well. Employees who can't use wireless technologies can be severely limited in performing their jobs compared to the competition. The end result is that companies and individuals are settling for "good enough" wireless security. Basically, they know that someone who is determined to break in will be able to do so -- just as someone who is really determined to break into a house will figure out a way around the lock on the front door. That doesn't mean the lock is useless, it's just that the cost of changing seems higher than the risk of a loss.

This equation changes over time, of course. As ways to break the locks become more common, faster and cheaper the risk level increases. For example, the FBI is now showing how easy it is to break WEP protected systems in under three minutes. However, the same changes also impact the new technologies. So, as the risk level for older technologies increase, the cost of moving on to more secure solutions also decreases. Those security professionals are right to remind people about the weaknesses in various wireless technologies and encourage them to upgrade to more secure solutions. However, they shouldn't be surprised when everyone is slow to respond. The cost is just too high for the associated risk. The real issue is to keep making the changing risks and costs clear to users, so that they can make an informed decision on when is the right time to make the change.