Public WiFi Security Myths, Facts & Best Practices


For many workers, the ability to work from anywhere is one of the most appreciated perks of modern wireless technology. Are you feeling trapped inside with lots of work to do on a beautiful sunny day? No problem – you can pack up your laptop and finish your work from a table on the patio at your local coffee shop. Dog begging for attention while you try to work? Take her to the dog park and write a report from a picnic table while she runs around. Need to send a last-minute work email before flying off for vacation? You can take care of it from the airport waiting area. 
The ability to work remotely gives workers and companies unprecedented flexibility, but, like many benefits of technology, working from anywhere can be a double-edged sword. The public WiFi networks that enable employees to work from coffee shops, parks, and restaurants also present a security risk to company data.

Millions of people are working remotely due to COVID-19 precautions. As restrictions ease in some locations, more workers will seize the opportunity to get out of the house and work from other places, often using public WiFi. Companies need to understand the risks of using public WiFI and develop best practices to protect company networks and data.

Most people are aware that there’s some risk associated with using public WiFi. There’s a lot of helpful information on this topic, but there are also some myths. In this article, we’ll take a look at three common statements about public WiFi security and examine the truth of each. We’ll wrap up by discussing some best practices for working safely via public WiFi.

#1. When working on public WiFi, other devices can communicate with your device without your knowledge

This statement is true. On some public WiFI networks, hackers can gain access and initiate communication with your device. They don’t even have to be anywhere near you. Malicious actors can do this from hundreds of miles away. The risk is real, but there are mitigations. You should make sure that all company devices have the latest security patches and updates. Another effective tactic is to use a software-based firewall (such as the Windows Defender Firewall built into Windows 10) and implement hardening policies to disable services that may be listening for remote requests (such as remote registry and remote desktop).

#2. Anyone can snoop on your Web browsing and traffic on public WiFi

This one is a partial myth. Traffic to regular http:// sites is visible to anyone, but https:// sites are encrypted. This is critical knowledge for workers using public WiFi. To avoid prying eyes, be aware of whether the sites you visit are http:// or https://. On laptops, this is indicated by the presence of a padlock icon in the browser bar. Some browsers will give you a “not secure” message if you visit http:// sites. Pay attention to these indicators and don’t view or type sensitive information on an unencrypted site.

Additionally, some other services are also not secure. FTP and Telnet are two examples where all communication (including passwords) is sent in clear text for anyone willing to listen in to hear.

#3. The only way to work safely on public WiFi is to use a VPN connection.

This statement is widespread, but it’s not true. Using a VPN is an effective way to reduce the security risk of using public WiFi, but it’s not the only way. If a VPN is not required to access internal company servers or applications, it may be redundant since traffic to and from https:// sites is already encrypted. Other security strategies can reduce the attack surface available to hackers and protect devices, even without a VPN. A few of these strategies include reconfiguring vulnerable legacy Windows features and using secure browsers and applications that enforce Transport Layer Security (TLS) for all communications. You should investigate all the available options before deciding the best path for your company.

For Companies

The first step for companies is to establish a clear policy about working with public WiFi. Whatever policy you choose, make sure your employees have what they need to work productively under company best practices. One of the most effective ways to do this is to provide adequate training resources and on-demand help desk support.

If you choose to allow your employees to access the company network and data via public WiFi, make sure company devices are well protected. Managed security patching, a managed software-based firewall, and managed endpoint-based antivirus protection are all essential.

Based on public WiFi security risks, you may choose to disable or restrict access to company systems. If you go this route, make sure to provide your employees with other remote connectivity options such as a VPN, a work-issued hotspot, or reimbursement for the use of their personal phone’s hotspot. When choosing a VPN, make sure to evaluate the pros and cons of options such as full-tunnel vs split-tunnel and make the best choice for your company.

For Employees

First and most importantly, make sure you cooperate with your company’s established best practices. The next step is to do a little research and educate yourself on the most recent expert tips for safely using public WiFi. The recommendations include things like making sure you only visit websites you know are fully encrypted (https:// only), refraining from downloading any new updates or software, and logging out of accounts once you’ve finished what you’re doing. Recommendations are continually changing as the technology evolves, so check frequently to ensure you’re up to date.

Interested in Learning More?

This article should help you figure out if your company is headed in the right direction with its public WiFi policies and precautions, but that’s only one small part of the bigger cybersecurity picture.  If you would like more information, check out our free cybersecurity resources.  Ready to take action?  Book a consult with one of designDATA’s cybersecurity experts today.

+ posts

Jonathan Roy is the Director of Security and Compliance and has been providing IT and cybersecurity services with designDATA since 2004. He has extensive experience in information technology best practices, the ITIL framework for running IT operations, and how to secure IT environments. Jonathan now focuses exclusively on cybersecurity, data privacy, and related regulatory compliances for his customers. He regularly works with business leaders on risk mitigation and avoidance, cybersecurity consulting, incident response and recovery, incident preparedness, and compliance audits. At designDATA, Jonathan leads the organization's cybersecurity mission: Protecting small- and medium-sized organizations from cyber-crime.