Best practices for the worst WLAN security


10. Different locations should use whatever products they want.

He had more advice about how to ensure poor WLAN security: Never consult corporate officials; don't ask senior executives to a strategic or tactical plan for WLAN use; do not worry about upgrades and future needs; give vendors the final say on what products to use and how they should be configured; and be sure to outsource WLAN technical support from the start.

After the extent of the damage was finally understood, the company ended up shutting down wireless access except for in-store employees. The number of WLAN vendors was cut from five to two, WLAN usage and access was strictly enforced according to corporate security policies, and dedicated administrative and technical support groups began to support WLAN users and monitor security.

Stehman said his company was hired by the retailer to analyze the project and report what went wrong. That study was completed in December.

He noted that many of the retailer's mistakes didn't seem alarming or dangerous as they happened, but they added up to disaster. These included such seemingly minor issues as having too few support staffers working on Sundays -- one of the week's busiest shopping days -- and allowing stores to use their own inventory when they needed equipment. Add in a lack of overall responsibility and unclear policies, and "it snowballs on you," Stehman said.