Is your small business Wi-Fi network as secure as it should be? If you're not sure quite sure, the following tips—most of which involve minimal effort and cost—can significantly enhance your network's security. Before we get started, note that throughout the article we're using the common term Wi-Fi "router" but, depending on your network configuration, your Wi-Fi device may be more aptly described as a "gateway" or an access point. Most of the tips apply regardless of which type of Wi-Fi hardware you use.
Let's look at eight ways you can improve your small business network security.
8 Wi-Fi Network Security Tips
1. Change the router's default admin password
When you set up your Wi-Fi router and chose your wireless network password, did you also change the router's default administrative password? If not, do it now. Default passwords for countless router makes and models are easy to find on the Web, and with that information it's simple for someone to take control of your network to use your router (along with many others) to launch a DDoS attack.
A nefarious person can even change your network's DNS settings in order to redirect your Web traffic to fraudulent lookalike sites designed to fool people into divulging sensitive usernames and passwords. In fact, such an attack was perpetrated recently via spam emails.
2. Update your router's firmware
You probably update your smartphone, your PC, and your apps quite frequently, but when was the last time you updated your Wi-Fi router's firmware? Doing so can fix bugs—including security vulnerabilities—and it may even improve your wireless performance.
Many routers will automatically you whether a new firmware version's available when you log into the administrative console, and some will even download updates for you automatically. If not, you'll typically find the firmware update settings under the Administration heading, which is where you'll usually find the admin password settings we mentioned in the first tip.
3. Protect your Wi-Fi network with a long, strong, passphrase
WPA requires a wireless passphrase (also known as the network key/password) to be at least 8 characters, but that doesn't necessarily make it secure. If your WPA passphrase consists of a dictionary word or a proper name, there are numerous free tools and methods available to crack it— sometimes in matter of hours—by monitoring your wireless traffic. There's even a cloud-hosted service to do it. Make your WPA passphrase as long and as random as possible; it's the best protection against cracking.
4. Disable Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) has been around a long time, and it's a convenient way to connect a device to a Wi-Fi network by pushing a couple of buttons and/or entering a simple PIN code instead of having to type in a long and complicated passphrase (see previous tip). But more convenience almost always means less security—and many routers are susceptible to a targeted attack against WPS that can expose your passphrase in short order. There's no easy way to know whether or not your particular router has the WPS weakness, so your best bet is to shut off the feature.
5. Create a guest Wi-Fi network
When you have an office visitor who needs to get on the Internet, do you cheerfully hand over your Wi-Fi network passphrase? If so, big mistake—if that visitor's laptop turns out to be infected with malware, it could potentially find its way onto your network.
Instead of sharing your company's wireless network with outsiders, check if your router supports a Guest network (most modern routers do) and if so, activate it. A Guest network provides a secondary wireless network with a dedicated name and password for your visitors, allowing them Internet access while blocking access (inadvertent or otherwise) to devices on your internal network.
6. Switch to WPA Enterprise
Consider the above example once again. If you hand out the passphrase for an internal Wi-Fi network to a visitor, nothing prevents her from sharing it with an unauthorized person. Or, what if an employee who knows the passphrase quits or gets fired? What's to stop him from using that passphrase to access your network (perhaps after-hours from a car parked outside the building)? You don't even necessarily need to know the passphrase to a Wi-Fi network to use it on another device, because you can easily look it up from within Windows.
To guard against the second scenario in particular, you could change the passphrase each time it occurs, but then you'd also need to update the passphrase on every device that connects to the network (an enormously disruptive and time-consuming process). A far better approach is to configure your router to use WPA Enterprise.
Unlike passphrase-based WPA Personal, WPA Enterprise works in concert with a RADIUS server to authenticate users to a wireless network via user-specific names and passwords, and this makes it easy to terminate access for any individual when necessary. Note: some routers—though not many—have a built-in RADIUS server, but if yours doesn't you can build your own or get one hosted in the cloud.
7. Reduce output power and/or relocate your router
Unless you have an outdoor area where employees frequently work (e.g. a lunch patio) you should keep your Wi-Fi network within the walls of your business as much as possible. But depending on the size of your office and where the router resides within it, your network may have signal leakage. If so, there's a good chance that people can access your network from a parking lot or an adjacent business.
If your Wi-Fi router has an output power setting, you may be able to reduce the signal power just enough to keep it within the confines of your workspace (most routers that support the feature will let you adjust it in small increments). Alternately, if your router resides on the periphery of your office you might consider relocating it more centrally, if possible.
Two caveats—either option may require some trial and error, and both can potentially introduce dead spots within your office. Walking the boundaries of the office with a smartphone or a laptop to check signal strength will let you know in either case.
8. Physically secure the router
It's important to remember that anyone can circumvent all of the precautions described here by pressing a Wi-Fi router's reset button, which returns the device to its factory default settings. That's why it's extremely important to physically secure access to the device.
Placing the router inside a locked room or cabinet is ideal, but if that's not practical, at least mount it high near the ceiling (or above a drop ceiling if possible) to obscure its presence and thwart the crude but effective "stand on a chair with a paperclip" attack.
Joseph Moran is a technology writer and IT consultant who specializes in services for consumers and small businesses. He's written extensively for numerous print and online publications, and is the co-author of two previous books on Windows.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|