A shocking 23 per cent of the UK's businesses have no idea of whether their wireless networks have been breached or not.

This figure, taken from the Department of Trade and Industry's (DTI's) biennial information security survey, is perhaps less surprising given that one of the biggest threats facing wireless network security is 'rogue' users plugging into network access points without the knowledge of the IT manager.

Often these rogue employees do not have sinister intentions and are trying to speed up their own network access. But by plugging in their own devices they are creating a back door into the network - and a big security headache for IT staff.

"Rogue access points are installed without the knowledge of the IT security department," says David Ellis, director of e-security at distributor Unipalm.

"They are created by users trying to speed up network access." He suggests that providing auditing tools to locate them can be the first step for the reseller.

There has been a huge push towards mobile computing over the past couple of years, and that is set to continue, fuelled by 'smarter working' and family friendly legislation aimed at giving workers the chance to work from home. This change in working patterns has created new security threats.

"The mobility market has really taken off in the past couple of years," says Ellis. "In the past, the network perimeter was securely in place; now that perimeter has become blurred.

Mobile security has become much more of an issue. People are using mobile phones and PDAs far more than they were a couple of years ago, and they are not aware of the risks."

Mobile devices are lost and stolen, and the 'smarter' the device the more damage the loss can do. Unauthorised use of PDAs and notebook PCs is a double threat, risking the loss of information outside the office and introducing viruses inside.

Although much has been written about the slow take-up of wireless among corporates - particularly compared with the way consumers have embraced it - there is evidence that things are beginning to change.

The DTI security breaches survey found a third of UK firms were using wireless, when two years ago wireless take-up barely registered. Although many businesses will be using wireless as a peripheral technology, it still marks a major shift.

Roy Hills, technical director at NTA Monitor, which provides network security testing, says that as the price of wireless kit falls, so more and more users - and even entire departments - will go out and buy their own access points, thus creating a security nightmare.

"Users can go off now and get an access point for less than £100 from Dixons," he says.

Although these users' intentions are not malicious, the security threat can be just as great as if they were.

For corporates, wireless is a double-edged sword. It increases the reach of the network into the outside world, but at the same time it allows the outside world to reach into the network. The cheaper and more ubiquitous wireless becomes, the more insecure it grows.

Often the lack of security inherent in wireless is exacerbated by poor network security. For instance, when companies fail to place the access point outside the enterprise firewall, hackers can bypass it.

"Wireless is a 'hostile communications environment'," says Peter Edgeler, director at security distributor Portcullis. "The user has to be confident that they can protect information in transit, and protect their systems."

Edgeler adds that in terms of security, use of wireless is where the internet was 10 years ago, with those using it unaware of the security threats.

"Security has not caught up with wireless usage," he says. Although wireless traffic should be secured by running it across a VPN, creating a 'secure tunnel', many users are either too lazy to do so or are put off by performance issues.

VPNs can themselves create a false sense of security, because although they secure data during its transmission, they do not verify the identity of the user.

The problem with wireless is that it was never really designed to be secure. As a broadcast technology the signal radiates out 360 degrees, maximising the opportunity for people nearby to pick it up, and as the available wireless bandwidth gets more crowded, more 'traffic noise' is created.

After running an audit, the next task for the reseller is to consider 'leakage'. Tests can be run on the network to check how far the wireless signal can be detected, and how likely it is to be intercepted.

"Typically if the customer owns their building they want to keep the wireless signal within that," says Hills. "We check whether the signal is leaking out and the transmitter power being used."

One of the biggest causes of wireless insecurity has less to do with the increasing sophistication of hackers and more to do with lazy users failing to install and use kit correctly. "Access points have to be configured properly," Hills adds.

"A common problem is to not change the default password." Users often also fail to use the basic Wired Equivalent Privacy encryption, which comes as standard. There are stronger wireless security standards in use, but not all devices currently support them.

A number of specialists, such as NTA Monitor and Portcullis, provide network testing, where they are commissioned by the user to sniff out potential trouble spots.

The problem is that users that have enough security awareness to commission testing are probably not those that really need it. The least secure networks are those that are not likely to get tested but are the most likely to get hacked.

Although resellers themselves can get involved in running security tests, they require a high level of technical expertise, and need to be done in a structured way, rather than as a gimmick to shock the user.

Many resellers are getting more sophisticated when it comes to providing security expertise though, and are hiring specialist security consultants to go in alongside their pre-sales staff to give them extra credibility and insights into the user's concerns.

For the reseller, a key element in providing mobile security solutions is creating a usage policy. The best security measures fail if users are unaware of what they need to do, and as more and more individuals and departments rush to plug in rogue access points, the need for policies becomes more pressing.

There is a gap here, because although many companies have policies for internet and email usage enshrined in staff employment contracts, few have adopted a mobile-usage policy.

"The user has to have a wireless policy in place," Hills says. "It should say how the technology should be deployed, configured and used. It's not being done at present but will become vital as wireless technology becomes default on new laptops.

"The problem for the reseller is that none of the standards bodies, such as the British Standards Institute, has issued any good practice policy guidelines on wireless use."

Creating a policy is a collaborative effort involving all interested parties. "It requires input from the user side as well as from the reseller," Ellis says.

There needs to be input from someone who knows about employee legislation - normally the in-house human resources department - as well as IT and business specialists.

The policy will have to be general but should set out best practice guidelines for users to follow. The most important area is rogue access points and the need to make users aware of why they are not a good idea. The starting point for any security policy is the BS7799 information security standard.

Although most mobile security attention is focused on wireless, there are other concerns.

Viv Francis, sales manager at security vendor Check Point, says: "There are threats that are not highlighted in the way that wireless is. The spread of worms as teleworkers return to the office and plug into the network is a problem."

Francis adds that the increase in network attacks is a direct result of the spread of remote computing. The key to tackling this, she says, is being able to contain the spread of any attack to a single device or segment of the network.

Francis says that as worm attacks become more sophisticated, resellers have to make sure they keep up with the latest threats, and that they get up-to-date information from vendors.

"Resellers that operate in the security space have a good understanding of where the threats are, but there is a general lack of knowledge. Resellers need to find out more about it," she says.

Edgeler agrees that education in mobile security is driven from the top down, with vendors disseminating information and running their own training schemes.

"The vendors are trying to avoid getting the blame from the customer if their kit doesn't work," he says. "They need to make sure resellers know what they are doing."

Vendors also need to ensure their products work together, says Edgeler.

"To get different wireless vendors' products to work together you have to go down to the lowest common denominator because there are interoperability issues," he says.

According to Ellis, most VPNs are interoperable and different firewalls should be able to talk to each other.

"We are not quite there yet, but they should be compatible," he says. The lack of interoperability between different vendors' products is a problem for the user, but it does provide the reseller with the chance to put together their own solution.

In the future it seems there will be closer co-operation between vendors as more and more security features get integrated directly into the network.

"The goal with security is to make it as invisible to the user as possible," says Bob Brace, vice-president of Nokia Mobile Solutions. "The mystique will go out of selling it."

Brace adds that there may be a blurring of the distinction between vendor sectors, as security gets integrated higher up the technology chain by vendors, and becomes an integral part of the network, rather than an add-on.

"Security has to be easy to use," he says. The more that is required of the user to make a system secure, the less secure it will be.

Mike Smart, product manager at vendor SonicWall, says there is always a tendency to try to integrate extra security into the gateway device.

But he adds that users and resellers should be wary of relying on a single security platform. "The more you rely on a single platform the greater the risk," he says. "There needs to be a single point of management, but not a single device."

The key with mobile security is for the reseller to offer a single point of management, enabling security updates and patches to be delivered remotely without the user needing to get involved, Smart adds.

The biggest security issue that needs to be addressed, says Brace, is authentication of mobile users. The current token-based system, generating random dynamic passwords, is inconvenient for sending push emails to a user's mobile phone.

"You don't want to have to log on each time. There has to be a more convenient way to provide authentication," he says.

Ellis agrees that secure authentication of mobile users is a key security concern for resellers and vendors to address, but he says the overall market is set for impressive growth. "Mobile security is no longer the black art that it was. But there is still value there for the reseller," he says.

The key is for the reseller to understand how the customer works and to be aware of their concerns.

CONTACTS

Check Point: (01223) 713 600
www.checkpoint.com

Nokia: (08700) 555 777
www.nokia.com

NTA Monitor: (01634) 721 855
www.nta-monitor.com

Portcullis: (020) 8868 0098
www.portcullis.co.uk

SonicWall: (01344) 668 090
www.sonicwall.com

Unipalm: (01638) 569 600
www.unipalm.com