Blog
How To Set Up a Secure Wi-Fi Network
Setting up a secure Wi-Fi network is essential for helping safeguard your organization from cybersecurity threats, so we’ve developed 7 recommendations to help guide you through the process!
1. Use Strong Encryption
One of the most basic but essential steps to secure your network from cyber threat actors is to set-up your wireless network with strong encryption standards. The Wi-Fi Protected Access (WPA) protocol comes in two versions: WPA2 and WPA3. These encryption protocols convert readable data into unreadable code, making it difficult for outsiders to intercept or tamper with it. WPA3, the latest version, provides even stronger security by encrypting every individual connection on the network. WPA2 and WPA3 Enterprise take wireless security a step further by eliminating the need for a shared key and instead provides each user with their own username and password. This way, if an employee leaves or a device is lost, you can simply disable that account without having to change the entire network password.
2. Use Complex and Hard-to-Guess Keys/Passwords
If your wireless network uses a shared key (a single password for everyone who connects), make sure it’s strong—meaning long, complex, and hard to guess. Aim for a password that is at least 12 characters long, includes a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using common words or easily guessable information such as “password123.”
Networking equipment such as routers, firewalls and access points often come with default login credentials which, while convenient, are widely known and can be exploited by hackers. One great step toward enhancing your security posture is to enter your IP address into a web browser, navigate to the settings to change the default login credentials and then create unique usernames as well as complex passwords for your access points and the Wi-Fi network. Per industry best standards, make sure to use a combination of uppercase and lowercase letters, numbers, and special characters as well as remember to regularly update these credentials to further safeguard your organization from potential threats. Similarly, shared keys should also be rotated at least once a year and changed whenever an employee is off-boarded.
To make managing credentials far more seamless, it may be a good idea to consider a password management solution to help generate and store complex passwords securely.
To learn more about how to optimize your passwords and key security, check out our TSI blog post on password management solutions and best practices:
TSI Password Management Solutions & Industry Best Practices
3. Network Segmentation and Dedicated SSIDs
A one-size-fits-all wireless network is not ideal for security. Segmenting your network into different virtual networks, each with its own SSID (network name), is a much more secure strategy. For example, you can create a separate network for employees, one for guests, and another for IoT (Internet of Things) devices like smart cameras and thermostats. Each network should have different security settings. This will help prevent an attacker who has gained access to 1 network from being able to jump over to other networks.
4. Captive Portals for Guest/Public Networks
If your business offers Wi-Fi to customers or guests, it’s a good idea to set up a “captive portal”—a web page that users must interact with before accessing your network. These portals often require guests to agree to terms of use, log in, or provide contact information.
Here is an example of what a traditional captive portal might look like:
Captive portals give you more control over who is accessing your network and can also serve as a simple layer of accountability, ensuring that users agree to certain rules and terms before connecting. Unlike traditional authentication methods, captive portals don’t require users to enter credentials. However, this approach can be exploited through a man-in-the-middle attack, where malicious actors position themselves between your device and the internet. If successful, they can intercept sensitive information, but they won’t gain access to the credentials needed for the open wireless network that utilizes the captive portal.
For resources on the steps you can take to preemptively avoid cybersecurity threats, check out our end user security awareness training page here:
TSI End User Cybersecurity Awareness Training
5. Keep Firmware Up to Date on Routers, Firewalls, and Access Points
Your network devices— such as routers, firewalls, and access points—run on firmware, a type of software that controls basic device functions and operations. Manufacturers regularly update firmware to remediate security vulnerabilities and improve the device’s performance, but if you’re not keeping your devices updated, you could be leaving gaps for cybercriminals to exploit. In addition to this, unpatched devices often suffer from performance issues that can cause downtime and compatibility problems between older firmware versions working with newer devices. In many cases, if the firmware update is too outdated, the manufacturer may not provide support which not only hurts your cybersecurity posture but presents a costly operational issue as well.
For more information on how TSI can help keep your firmware and other critical systems routinely updated, please refer to our MSP Services page:
TSI’s Managed IT Support Service Plans
6. 802.1x Authentication and/or MAC Address Allow-listing
802.1x is a security protocol that adds an extra layer of protection to your Wi-Fi network by requiring users to enter their username and password (or certificate) before they can connect to your network. You can also use MAC address whitelisting, which only allows specific devices with approved hardware addresses to access the network. This ensures that only authorized users or devices can connect, making it much harder for anyone without authorized permission to get in, even if they have the Wi-Fi password.
7. Use Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) is a security model where every device, user, and application must be continuously authenticated and authorized before accessing your network. By limiting wireless access for non-compliant devices, ZTNA can stop a potential threat from spreading through your network by automatically blocking a device from the network if it falls out of compliance, such as when it hasn’t received the latest security updates, system patches or if it becomes infected with malware. ZTNA is also a great solution for organizations seeking compliance as it addresses a number of control requirements for frameworks such as NIST 800-171, CMMC 2.0, and SEC Cybersecurity Rules.
For more information about implementing a ZTNA environment or to learn more about TSI’s Managed Security Service offerings, check out our resource links below:
TSI’s Cybersecurity Services & Solutions Overview
Thank you for taking the time to read our latest blog post and we hope you were able to glean some meaningful insights to help your organization dramatically reduce the risk of a security breach. As always, TSI is a readily available resource if you have any questions or would like to learn more about how to safeguard your organization against today’s most prevalent cyber threats.
Categories
- Backup & Disaster Recovery
- Business Operations
- Case Studies
- Cloud Services
- Cyber Security
- Employee Spotlight
- Finance & Budgeting
- Glossary Term
- Governance & IT Compliance
- Managed Services
- Mobile Device Management
- Network Infrastructure
- NIST 800-171 & CMMC 2.0
- PCI
- Podcast
- Project Management
- TSI
- Uncategorized
- vCIO
Cyber Security Policy Starter Kit:
10 Critical Policies That Every Company Should Have in Place