Sure, many experts will claim that talk of hackers mercilessly stalking companies is over-hyped by the consultants looking to make a buck. Yet, hackers need only a Pringles can for an antenna and a wireless card to pry into access holes made by wireless. What's more, WLAN hackers are totally anonymous, unlike cyber warriors. "A hacker could be sitting next to me," says Gerry Cockram, program manager of Sprint Corp.'s Wi-Fi. "But it's virtually impossible to track that individual."

While industry-wide standards are only now getting hammered out, slowing the process, the Wi-Fi Alliance, an industry trade group that includes Toshiba Corp. and Texas Instruments Inc., has been pushing for stronger security encryption. The first attempt, called WEP (Wired Equivalent Privacy), was a weak encryption that was easily cracked in 2001–making it an industry-wide bad joke. But the newer, much stronger version WPA (Wi-Fi Protected Access) software is being tacked onto security devices now, insiders claim. "Wireless security is being ramped up pretty fast," says Jupiter Research analyst Julie Ask.

Help is also on the way thanks to wireless vendors like Cisco Systems Inc. and Symbol Technologies Inc. that have pioneered their own encryption and authentication security used on their wireless components. But at least 20 new vendors have jumped into the hot wireless space, many without track records. The trick, says Ask, is getting interoperability between competing technologies, and some of the newcomers are too busy touting their own agendas in search of market share.

Meta Group analyst Chris Kozup claims that vendors are hindering the process of building a secure, scalable wireless LAN. "Vendors have allowed politics to defeat the primary goal of attaining interoperability," he wrote in a Meta Group research report. The upshot: Kozup predicts that such a system will not be attainable for another year at least.

In the interim, hammering out a security defense is also crucial. And the first step in combating wireless marauders, say experts, is getting a security audit. "We think of security like a pyramid," says Morse, "with the general hacker threat at the bottom. We start with the basics first and then move into elite attacks." However, most insiders also note that security holes are usually opened by unknowing employees and are rarely malicious.

"Think of wireless security as a component of controlling the network," counsels Patrick Rafter, a spokesman for Bluesocket Inc., which makes WLAN security products. In other words, wired solutions like firewalls that filter data, encryption that scrambles traffic and authentication for identifying users also do double duty in the wireless world. For example, with authentication, you can approve use of parts of the company network, such as the finance server. That way it's easier to control access, he says.

Without clear security antidotes, say experts, the key is layering wireless security tools. For example, combining firewalls with VPNs, as McKesson did, is one viable route. "Security is a process, not a product," adds Razorpoint's Morse. "You can't just rely on one product and say 'okay, I'm finished.'" The mistake most companies make, he says, is relying on one security technology like VPNs.

Sometimes the WLAN security answer is as simple as changing the default security key on a computer that's easily hacked into. "In general, there's one default key per vendor," says Nick Brigman, vice president of product strategy at security consulting firm Red Siren.

A looming corporate nightmare is monitoring security at hot spots–public places such as restaurants, airports or parks where employees decide to call up their e-mail or get a little work done via their wireless. As use of wireless devices becomes common and increasingly more employees are granted wireless access to company networks, the threat rises exponentially. That's why McKesson banned use of non-corporate wireless LAN hook-ups that aren't protected by a VPN; the harshest penalty, says Heim, is being fired. "Rogue deployment is one of the biggest risks," he says.

Linking Security to the Paycheck

In the end, security is still a management issue, say experts. Security features must be invoked properly, since vulnerabilities can be exploited in minutes. Yet, Morse estimates that less than one-third of users actually turn on security devices on their laptops or PDAs–the rush to connect is so great. That's why employee awareness programs are essential, say analysts. "Awareness has to happen every day," says Sprint's Cockram. "From wall posters to mouse pads. Buy-in has to occur all the way up to the CEO." McKesson, for example, sent out strongly worded e-mails to employees, saying that they could only use corporate wireless devices that use the company VPN.

A widely circulated, one-page best practices document also helps. Some prescient companies are even folding security policy into employee performance reviews. "Having a better security mindset is being tied to money," explains Morse.

The issue is at least on most companies' radar screens–and not a moment too soon. Says Razorpoint's Morse: "There's no shortage of holes to find and hacker penetrations to clean up after."