Guest Wi-Fi benefits both the organizations that offer it and guests who use it. But it can also add risk to data infrastructure. That’s because guest Wi-Fi can become an entry point to a company’s network through which hackers could do damage.
Guest Wi-Fi must be secured just as tightly as the rest of a network. This is why the tips that follow will sound familiar to network administrators. Use these tried-and-true tactics to protect your network and provide safe surfing for guests.
Businesses don’t want to limit customer choice unnecessarily. But they must prevent certain types of content from traveling on their guest networks:
- Adult content (e.g. adult sites, gambling sites, or anything ethically, morally or legally questionable)
- Malware, like ransomware
Such content can ruin the experience for all guests and for the company that offers guest Wi-Fi.
Keep anti-malware systems up to date
Anti-malware systems are only as good as the malware definitions they use to recognize threats. Since new malware regularly makes its way onto the Internet, reputable security software developers detect new malware early, then update their malware definition files and distribute them to devices via the Internet.
Anti-malware systems can be set to update definition files automatically. With each new update, network-connected devices are vulnerable to fewer threats.
Keep firmware up to date
Hardware vendors continually “harden” firmware (the software that runs their devices) against security threats and periodically distribute security improvements via firmware updates. Since each update reduces a device’s security vulnerabilities, install these updates as soon as possible. Better yet, set devices to update firmware automatically.
Use WPA2/WPA3 encryption
Wi-Fi Protected Access 2 and 3, also known as WPA2 and WPA3, replaced the original WPA and its predecessor, Wired Equivalent Privacy (WEP).
Why upgrade to newer encryption standards? It’s not that WEP and the original WPA have grown weaker. The ability of criminals to “break” them has gotten stronger. Give networks a better chance to protect digital communications by using, at minimum, WPA2 encryption.
Use WIPS & WIDS
Wireless intrusion detection systems (WIDS) can form part of wireless intrusion prevention systems (WIPS). Since they’re both useful in protecting networks, let’s refer to these tools collectively as WIPS.
As the name suggests, WIDS can detect intrusion attempts like packet flooding and password-guessing attempts. WIPS can also scan networks for access points (APs) where intrusions could happen. Sometimes these are unauthorized, or “rogue” APs (more information below).
Network administrators can use WIPS to “harden” the network against attacks. For example, administrators can set policy to have WIPS send them alerts and respond to threats when they occur. Think of WIPS as a 24/7 security guard for a network.
Beware of rogue access points
Many guests will connect to anything that looks like “Free Wi-Fi.” Since criminals may find value in customer data, they may spoof a guest Wi-Fi MAC address. If they fool guests into connecting to their access points, they may compromise data on a guest’s device.
Network administrators must remain alert to rogue APs. A proper WIPS can “fingerprint” APs, digging beneath their MAC addresses to determine their authenticity. Should a WIPS find a rogue AP, it can notify administrators and take protective action.
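The fingerprint check described above, as an added example that is not from the original article or from any WIPS product: each observed beacon is compared against an inventory of the site's own APs, so a cloned MAC address with the wrong channel, security mode or vendor element is still flagged. All SSIDs, MAC addresses, OUIs and field names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str          # MAC address of the AP radio
    channel: int
    security: str       # e.g. "WPA2-PSK", "OPEN"
    vendor_oui: str     # OUI of the vendor-specific element in the beacon

# Constructed inventory of the site's own guest APs (all values are made up).
AUTHORIZED = {
    b.bssid: b for b in (
        Beacon("Lobby-Guest", "02:00:00:aa:00:01", 6, "WPA2-PSK", "00:11:22"),
        Beacon("Lobby-Guest", "02:00:00:aa:00:02", 11, "WPA2-PSK", "00:11:22"),
    )
}
GUEST_SSIDS = {b.ssid for b in AUTHORIZED.values()}
# Attributes compared beyond the MAC. Assumes fixed channels; drop "channel"
# if the APs use automatic channel selection.
FINGERPRINT = ("ssid", "channel", "security", "vendor_oui")

def classify(seen: Beacon):
    """Return (verdict, reasons) for one observed beacon."""
    known = AUTHORIZED.get(seen.bssid.lower())
    if known is None:
        # Unknown radio: only a concern if it advertises one of our SSIDs.
        if seen.ssid in GUEST_SSIDS:
            return "rogue", ["guest SSID from unlisted BSSID"]
        return "unmanaged", []
    # Known MAC: it may be spoofed, so check the rest of the fingerprint.
    reasons = [
        f"{f}: expected {getattr(known, f)!r}, saw {getattr(seen, f)!r}"
        for f in FINGERPRINT if getattr(seen, f) != getattr(known, f)
    ]
    return ("rogue" if reasons else "authorized"), reasons

# Constructed scan results.
SCAN = [
    Beacon("Lobby-Guest", "02:00:00:aa:00:01", 6, "WPA2-PSK", "00:11:22"),
    Beacon("Lobby-Guest", "02:00:00:bb:00:09", 6, "OPEN", "00:33:44"),
    Beacon("Lobby-Guest", "02:00:00:AA:00:02", 1, "OPEN", "00:33:44"),
    Beacon("Neighbor-Net", "02:00:00:cc:00:07", 3, "WPA2-PSK", "00:55:66"),
]

if __name__ == "__main__":
    for b in SCAN:
        verdict, reasons = classify(b)
        print(f"{b.bssid} {b.ssid!r}: {verdict} {'; '.join(reasons)}")
```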
Keep business networks separate from guest Wi-Fi networks
A barrier between business and guest Wi-Fi networks, reinforced by a firewall protecting the former, ought to be standard practice. After all, guests don’t need to navigate the network used by inventory, POS and other business systems. By dividing a network by group, administrators ensure people use only the networks they have permission to use.
Change passwords regularly
It’s exponentially more difficult to prevent network intrusion if people use weak passwords. That’s why criminals try to guess passwords using tactics like brute-force attacks. Once they have a valid user ID and password, other security measures may be in vain.
To prevent weak password usage:
- change default passwords before commissioning any network device. When you do so, criminals who know the vendor’s password generation pattern won’t be able to use that knowledge to guess a device’s password.
- ensure staff only use passwords that meet a minimum threshold of complexity (e.g. minimum length, case-sensitivity, numbers, and special characters, like punctuation).
- oblige staff users to change passwords regularly.
Businesses want to roll out the welcome mat whenever customers and other guests stop by. Guest Wi-Fi is a well-liked part of the digital welcome mat. But everybody who uses it – the company AND its guests – must be protected from digital harm. By taking measures like filtering content, dividing networks, encrypting communications, and so on, everybody enjoys a safer guest Wi-Fi network.