One large challenge when it comes to technology and security is the fact that (many) people are lazy and wants the tools that enables them to do as little as possible, with as little effort possible. Large enterprises employs many such people, and has only a few options to controll them. Especially in remote locations. This is where enterprises uses policies to enforce how to implement systems and behaviour.

But when the employees in a remote location decides to implement a new gadget, one that has not been aproved, problems arises immediately. Lack of understanding of the technology and its security implications undermines the corporate need for one coherent security implementation.

As an example:

Corporate XYZ is a multinational market leader. They deny the use of WIFI, but are implementing a secure WIFI platform using Radius and VPN. At a couple of their locations – perhaps in St. Paul, Minnesota, the local store manager decides to buy a WIFI Access point and set it up so he can move about the store with his laptop. He sets it up himself, and uses WEP 64Bit encryption with a static key. This option sounds very safe and secure to him.

It is not. Any wardriver (a hacker who breaks into wireless networks) can break the code in a matter of minutes, and gain full access to the network. With the code (static key) broken, they may then eavesdrop on the traffic and steal network credentials to log onto the XYZ central server. They may also hack the server and set up their own accounts. You may ask why this is a problem. Well, imagine the wardriver wants to steal information from you – 7 million credit card records for instance. Or she may want to alter your prices and take away all your profit. Or steal information about your next, nationwide advertising campaign and sell it to our competitor.

The list is long. And expensive. The price is much higher than the price of a secure communication system.