"Anytime you share your network with someone else, your machines can share with each other, then you have this risk of being able to intercept anybody's information," Crumb says.
Man-in-the-Middle Attacks
Users are also vulnerable to man-in-the-middle attacks, says John Pescatore, an analyst at Gartner Inc. In these attacks, the hacker deliberately mimics a legitimate connection to intercept information.
In any of those hot spots, "someone could be sitting next to you pretending to be the hot spot and trick you" into connecting to him, Pescatore says. It doesn't happen frequently, but it does happen, he says. The hacker can then use that connection to snoop around your computer and pull out not just data but your user ID and password to gain access to your company's systems.
"If he's smart enough to get a user ID and password, then that person is smart enough to know how to use it," adds Bob Batie, CISSP-ISSEP, senior principal information assurance engineer at Raytheon Co.
The potential problems presented by hot spots aren't new to corporate IT security teams. But Brad Johnson, vice president of SystemExperts Corp., a network security consulting firm based in Sudbury, Mass., says the proliferation of hot spots has pushed the issue higher on the list of concerns that they have to address.
"The reality is that proliferation of hot spots has changed the landscape. They used to be relatively sparse. Now you can find hot spots anywhere," he says.
Corporate Policies Need to Keep Pace
Yet corporate policies and practices have often failed to keep up, Johnson says.
"They don't look at it as a hot-spot issue, but how are our employees supposed to handle our data when they're not on our corporate premises?" he explains. So while policies might prohibit corporate information being transferred to home computers, for example, there may not be enough protection to ensure that a worker doesn't e-mail unencrypted sensitive data back to the home office from a hotel's hot spot.
Even if the connection is secure, e-mail isn't always automatically encrypted, and mobile devices aren't automatically set to connect to the company's VPN when at hot spots, Johnson says. In addition, mobile devices' security options aren't always configured properly, further increasing their vulnerability.
But even though IT can identify these problems with workers using hot spots, that doesn't mean there's an easy fix, Johnson and others say.
"There is this unstoppable demand for people to work from their own laptops or their own smartphones. It's what we call the consumerization of IT," Pescatore says. And that consumerization makes it more difficult for IT to enforce corporate policies and configurations on these privately owned devices.
Cost also plays a role, Batie says. Always using a VPN provides protection, but not all companies are big enough to afford a VPN. And in this economic environment, companies aren't eager to add costs -- even for security reasons -- to already strained budgets, he says.
Human Factors Count, Too
Eric J. Sinrod, a partner in the San Francisco office of law firm Duane Morris LLP who has followed this topic, says many companies need to do more to get ahead of the potential for problems at hot spots.
"There are some companies that are fairly enlightened and try to be ahead of the curve, and there are others that are not," he says. "And this [issue] is sort of a brand-new area that's opening up, and we're probably just at the beginning of a wave. I don't know if this issue has percolated up to the surface in a major way yet, but if we start hearing more and more about incidents, it will have to be addressed."