But how secure is it, and why should you worry about it? Make no mistake—there are bad actors out there who would love to get their hands on that data.
The Importance Of Wi-Fi Network Security
Many small business owners believe they don’t have anything worth stealing. Spoiler: this isn’t true.
It isn’t just big business and government institutions the bad guys are after, it’s everyone—with small business a favourite target. According to Verizon’s 2018 Data Breach Investigation Report, 58% of malware attack victims are categorized as small businesses and over 70% of cyber attackers deliberately target small business.
For small business owners, those are some scary numbers.
Fortunately, there are things you can do to protect your network security. Read on to learn how to secure a business wireless network and reduce your vulnerability today.
[Disclaimer: Some of this might lean a little toward tech talk. Remember, there is always a Team of Nerds available if you need any help or clarification!]
How To Secure A Small Business Network: 15 Tips
1. Isolate Your Network
The Problem: Your networks aren’t isolated.
Having employees and guests on the same Wi-Fi network can lead to trouble, as it is hard to control what guests do while using your network.
How To Fix It: Ensure guest Wi-Fi and all other networks are completely separate from corporate Wi-Fi by isolating the networks.
To separate the traffic, use a Service Set Identifier (SSID) to make separate points of access to your network: a business-grade secure access point for your team, and a public one for guests. This provides an extra layer of protection by keeping your business’s computers separate from guest’s and unsecured Internet-of-Things (IoT) devices.
Consider also using Device or Access Point (AP) Isolation. This is a setting on your router that, when enabled, prevents a wireless device on the network from accessing resources with a wired connection to the network. When properly applied, device isolation also prevents an infected device from infecting others.
2. Separate Traffic With VLANs
The Problem: Your employees have the ability to access all resources in a network (even the ones that are highly sensitive or not applicable to them).
How To Fix It: Increase internal security by dividing your network into separate ‘virtual networks’ (VLANs).
VLANs allow you to better control the resources employees can access. For example, VLANs ensure that a regular employee can’t access files belonging to management staff and that they only see traffic on their own virtual network.
VLANs also provide external security as unauthenticated users and guests can be put on a separate VLAN. And if someone does gain unauthorized access, they will have access to only a portion of a network.
3. Physically Secure Your Router
The Problem: Your router is in an easily accessible, unsecured location.
A bad actor can get around many of the security precautions you take if they are able to physically access your Wi-Fi or network equipment.
How To Fix It: Make sure your primary router/gateway is in a secure location with restricted access like a locked closet, cabinet, or office.
If that’s not possible, putting it high near the ceiling where its presence is obscured can help make it tough to mess with.
4. Reduce Your Router’s Output Power
The Problem: Your Wi-Fi network transmits beyond your business walls.
As a result, outside individuals may have access to your network if the output power isn’t controlled.
How to fix it: To avoid having people in the parking lot or at adjacent buildings from hopping on your network, you should try to keep your Wi-Fi network inside your office walls as best you can.
This may be as simple as moving your router to a more central location. If not, your router should have an output power setting (often called Transmit/Tx Power). This setting allows you to reduce the signal power just enough to keep it within the confines of your workspace.
This will take some trial and error (and could result in dead signal spots), but a walk within the boundaries of your office with a smartphone to check signal strength.
5. Change Router Login
The Problem: You’re using the default router login.
Most routers come with a default username and password that is easy for bad actors to hack. These attacks happen because people don’t change the default login settings to the Wi-Fi router or access point (or know they can).
How To Fix It: Change the network logins immediately and often. The best passwords are 15 characters long with a mix of letters, numbers, and special characters.
Share the passcodes with employees only when necessary and be sure to update them on a regular basis (changing passwords quarterly is a good practice).
On top of regular updates, be sure to change them whenever an employee that had access to the password leaves the company.
6. Change Your Network Name
The Problem: You’re using the default network name.
The default Wi-Fi network service set identifier (SSID) may tell potential hackers the make and/or model of your network/Wi-Fi gear. This simple piece of information lets them know exactly where to look for information that may help them gain access to your network.
How To Fix It: On top of changing default login credentials, change the SSID. This is the ‘Wi-Fi name’ that lets people find your network on their device.
Changing the network name to something descriptive lets the right people find it without giving the wrong people too much information.
7. Use VPNs
The Problem: Data travelling to and from your network isn’t encrypted.
Without encryption, it’s like your data is on a postcard—easy for the mail carrier to read if he or she wanted to.
How To Fix It: Virtual Private Networks (VPNs) provide an extra layer of security by encrypting all the data travelling to and from your network. With encryption, it’s like your data is on a letter within a sealed envelope—the mail carrier will get it where it’s going but with no ability to see what’s inside.
There are a number of ways to add VPNs to your network. You could buy a standalone VPN server, install server software on a computer, or purchase a hosted service. Whichever route you choose, every computer on the network should be configured to connect with the VPN server so all traffic will be encrypted.
8. Keep Firmware and Software Up to Date
The Problem: Your router and other network firmware updates are not kept up-to-date (or are ignored entirely).
How To Fix It: Regularly check for firmware updates for your router and other network gear.
This doesn’t always make it to the top of peoples’ to-do list, but it should. Updates include fixes for specific and documented problems and vulnerabilities, so ignoring them will lead to trouble. This is especially true for any network security software you are running.
Updating firmware and software is a relatively simple thing to do to secure your router (as updates usually self-install after downloading).
9. Secure Ethernet Ports
The Problem: Your Ethernet ports are unsecured.
You can take all the other steps to secure your office Wi-Fi network, but if you don’t secure your Ethernet ports, it might all be for not. You can’t protect the network if someone plugs into a physical port and uses your internet connection. Someone could also plug a Wi-Fi access point of their own in the port and possibly gain complete access to your network.
How To Fix It: Keep your Ethernet ports safe from outsiders by securing them in places with limited employee access.
As with your router, it is easy to see that securing your physical network is just as important as securing your wireless network, so be vigilant.
Physical ports can/should also be configured to take advantage of many of the steps mentioned above (for example, making them part of a VLAN).
10. Turn Off WPS
The Problem: Your Router Uses WPS.
Wi-Fi Protected Setup, or WPS, is designed to make pairing a device with an encrypted network easy (as easy as pushing a button!). It exists for ease-of-use, making it an enemy of security. Anyone with even a moment of physical access to your router can gain access to your system.
How To Fix It: If your system has a WPS feature, you are better off disabling it (each router has a slightly different way of doing this).
11. Turn Off Universal Plug’n’Play (uPNP)
The Problem: Your router uses Universal Plug’n’Play to automatically configure network devices (including potentially unsecure ones).
This can lead to many security risks, and it has little purpose in a business setting.
How To Fix It: It is best to turn uPNP off. As above, each router has a slightly different way of doing this.
12. Block UDP Ports 53 And 123
The Problem: User Datagram Protocol (UDP) ports 53 and 123 are the two most common ports used for amplification/reflection type of attacks.
How To Fix It: Block ports 53 and 123 on your network.
By blocking these ports, it prevents your network from participating in such an attack, even if you have botnet-participating devices join your Wi-Fi.
Port 53 is used for DNS, which your system administrator should provide locally on each VLAN and SSID. Port 123 is used for Network Time Protocol (NTP) updates so devices can keep their clock accurate.
This service can also be provided locally so that Internet-bound requests are not necessary to be made.
13. Apply Network Access Control (NAC)
The Problem: Your network doesn’t use Network Access Control (NAC).
With the increase in the number of devices (and the security risks they bring) accessing your network, there is an increased need to protect your network from noncompliant devices. Without Network Access Control, insecure devices can infect the entire network.
How To Fix It: Apply NAC to sensitive networks.
This ensures that as soon as a new device is connected, it is automatically quarantined until deemed safe and given permission to access the network.
14. Shape Your Traffic
The Problem: The traffic on your network is resulting in slow network speeds.
Slow network speeds from too many devices on the network/devices that use a lot of bandwidth can impact the quality of service you are able to deliver as a business.
How To Fix It: Shape your traffic to ensure higher priority network traffic has the bandwidth they require.
Traffic shaping is a type of network bandwidth management that prioritizes network traffic so bandwidth cannot be congested by bandwidth hogs.
15. Disable Remote Login
The Problem: Your business uses remote network login.
Remote login is a convenient way to control the network without needing physical access to the router. However, it does pose substantial security risks. It’s been seen that Wi-Fi networks that allow remote login are more susceptible to attack than those that don’t.
How To Fix It: To ensure the security of your network, disable this function on the router unless it is absolutely necessary.
Don’t Wait—Protect Your Small Business Network Today
There is little of more importance to your business today than network security. Your data is more valuable than you may think and there is an entire industry with the sole purpose of taking it from you. But there are simple things you can do to protect your wireless networks. In fact, in the time it took you to read this article, you could have implemented several of the suggestions put forward. It is well worth the time.
Remember, if you don’t have the time or resources to do it yourself, there is always a Team of Nerds ready to help.