Your business network is the environment in which all of your digital assets operate. A well-configured network limits the damage an attacker can do if they compromise a single device. A poorly configured one allows a compromise of any device to spread rapidly to everything else. Network security is not glamorous — it doesn't come up in most small business conversations about cyber risk — but the decisions made at the network level have an outsized effect on the organisation's overall security posture.
This post covers the practical network and Wi-Fi security steps that every small business should have in place, without requiring specialist networking knowledge.
Your Firewall: The First Line of Network Defence
A firewall controls what traffic is permitted to enter and leave your network. Every small business should have a properly configured firewall at the network boundary — the point where your internal network connects to the internet. Most business-grade routers include a firewall, but "has a firewall" and "has a correctly configured firewall" are meaningfully different.
The key firewall requirements for a small business:
- Change the default admin credentials. Every router and firewall ships with a default administrator username and password. These defaults are publicly documented. A firewall running on default credentials is not protected. Change the admin password to something long and unique, stored in your password manager.
- Disable remote administration unless required. The ability to manage the router remotely — from the internet — is a feature that small businesses rarely need and that creates an internet-facing attack surface. Disable it unless you have a specific requirement and have secured it appropriately.
- Ensure the firmware is current. As covered in the patching post: router firmware requires updates. Enable automatic updates if the router supports it, or schedule manual checks.
- Review open ports. Any service accessible from the internet — a web server, a remote desktop gateway, a VPN endpoint — represents an attack surface. If it doesn't need to be accessible from the internet, close the port. If it does, ensure it is running current, patched software and is protected by strong authentication.
Wi-Fi Security
Your Wi-Fi network is a radio broadcast of your network traffic that any nearby device can attempt to receive. Securing it correctly is straightforward but requires attention to several specific settings.
Use WPA3 or WPA2 — Not WEP or WPA
WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are outdated security protocols with known cryptographic weaknesses that can be broken in minutes with freely available tools. All modern routers and access points support WPA2 at minimum, and most recent equipment supports WPA3, which is stronger. Check your router's wireless settings and ensure you're using WPA2 (AES/CCMP) or WPA3. If your router only supports WEP or WPA, it's old enough that it's almost certainly no longer receiving security updates — it should be replaced.
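A quick way to check which wireless networks in range still negotiate WEP, WPA1/TKIP or no encryption at all is to classify the SECURITY column of a NetworkManager scan. The script below is an added example, not code from the original post; the scan lines it parses are constructed to stand in for the output of `nmcli -t -f SSID,SECURITY dev wifi`.

```shell
#!/bin/sh
# Added example (not from the original post): flag wireless networks that
# still use WEP, WPA1/TKIP or no encryption, from the output of
#   nmcli -t -f SSID,SECURITY dev wifi
# Constructed sample lines stand in for a real scan so this runs offline.
# (nmcli -t escapes a colon inside an SSID as '\:'; none appear here.)

SAMPLE_SCAN='Office-Corp:WPA2
Office-Guest:WPA2 WPA3
Warehouse-AP:WPA1 WPA2
Legacy-Printer:WEP
Cafe-Open:--
Finance:WPA3'

# classify_security SECURITY_FIELD -> prints OK, WEAK or OPEN
classify_security() {
  sec="$1"
  case "$sec" in
    ''|--)          echo OPEN ;;      # no encryption at all
    *WEP*)          echo WEAK ;;      # WEP: broken, replace the access point
    *WPA1*)         echo WEAK ;;      # WPA1/TKIP still accepted: turn off mixed mode
    *WPA2*|*WPA3*)  echo OK ;;        # WPA2 (AES/CCMP) or WPA3
    *)              echo UNKNOWN ;;
  esac
}

# audit_scan: read "SSID:SECURITY" lines on stdin, print "VERDICT SSID" per line
audit_scan() {
  while IFS=: read -r ssid sec; do
    [ -n "$ssid" ] || continue
    printf '%s %s\n' "$(classify_security "$sec")" "$ssid"
  done
}

# count_weak: number of networks in the sample that need action (WEAK or OPEN)
count_weak() {
  printf '%s\n' "$SAMPLE_SCAN" | audit_scan | grep -c -E '^(WEAK|OPEN) '
}

printf '%s\n' "$SAMPLE_SCAN" | audit_scan
```

A network reported as WEAK because it advertises "WPA1 WPA2" is usually an access point left in mixed mode; the fix is to disable WPA1/TKIP in its wireless settings rather than replace it.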
Use a Strong Wi-Fi Password
Your Wi-Fi password should be long, random, and stored in your password manager. A complex 20-character password that nobody can remember, written on a sticky note on the router, is not secure. A complex 20-character password stored in a shared password manager vault, that staff can look up when they need it, is. Change the password if a staff member leaves, if a device is lost or stolen, or if you have any reason to believe it may have been shared inappropriately.
Separate Guest and Corporate Wi-Fi
Every business that has visitors, clients, or contractors on-site should operate at least two wireless networks: a corporate network for staff devices and business systems, and a guest network for everything else. A guest network should be isolated from the corporate network — devices on the guest network should not be able to communicate with devices on the corporate network. This ensures that a visitor's infected laptop, a compromised IoT device, or an attacker who has obtained your guest Wi-Fi password cannot reach your business systems.
Most modern business routers support multiple SSIDs (network names) and can configure guest network isolation. If yours doesn't, it may be time to consider an upgrade.
Consider IoT Device Segregation
Smart TVs, IP cameras, printers, building management systems, and any other networked device that is not a managed computer represents a potential security risk — these devices typically run embedded operating systems that receive infrequent updates and may have hard-coded credentials or known vulnerabilities. Placing IoT devices on a separate network segment, isolated from computers and servers, limits the damage a compromised IoT device can cause.
Network Segmentation for Slightly Larger Environments
Organisations with more complex environments — multiple offices, server infrastructure, OT equipment alongside IT — should consider network segmentation: dividing the network into logical segments (VLANs) that restrict traffic between them. A finance system that can only be reached from devices on the finance VLAN is considerably harder to reach from a compromised laptop on the general staff network than one that's accessible from everywhere.
Network segmentation requires managed switching equipment and some networking knowledge to implement correctly. For small businesses without in-house networking capability, this is a sensible conversation to have with an IT provider — it doesn't need to be complex to be effective.
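What guest and IoT isolation (above) and VLAN segmentation have in common is a default-deny rule between segments with a short list of explicit allows. The script below is an added example, not code from the original post or any particular product: it turns a constructed "which segment may initiate traffic to which" policy into an nftables forward-chain ruleset. It assumes the segment names (guest, iot, staff, finance, servers, finance-apps, wan) are also the names of the router's VLAN interfaces; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables forward
# ruleset from a short segmentation policy. Anything between segments that is
# not listed is dropped and logged. Segment names are used as interface names
# (an assumption for this example). Apply the output with: nft -f segmentation.nft

# Constructed policy: "segment:destinations it may initiate traffic to"
POLICY='guest:wan
iot:wan
staff:wan,servers
finance:wan,servers,finance-apps'

# allowed_from SEGMENT -> the comma-separated destination list for SEGMENT
allowed_from() {
  printf '%s\n' "$POLICY" | awk -F: -v seg="$1" '$1 == seg { print $2 }'
}

# emit_ruleset: print a complete nftables ruleset for POLICY
emit_ruleset() {
  echo 'table inet segmentation {'
  echo '  chain forward {'
  echo '    type filter hook forward priority 0; policy drop;'
  echo '    ct state established,related accept   # replies to flows allowed below'
  echo '    ct state invalid drop'
  printf '%s\n' "$POLICY" | while IFS=: read -r seg dests; do
    [ -n "$seg" ] || continue
    printf '%s\n' "$dests" | tr ',' '\n' | while read -r dst; do
      printf '    iifname "%s" oifname "%s" accept\n' "$seg" "$dst"
    done
  done
  echo '    log prefix "segmentation-drop: " counter drop  # record what was blocked'
  echo '  }'
  echo '}'
}

# can_reach SRC DST -> exit 0 if the generated ruleset lets SRC initiate to DST
can_reach() {
  emit_ruleset | grep -q "iifname \"$1\" oifname \"$2\" accept"
}

emit_ruleset
```

Note that the guest and IoT segments get exactly one line each (to the internet), which is the isolation the post describes; a device on either can answer connections only if some other segment is allowed to initiate them. The final logging rule is what makes the segmentation auditable: blocked attempts show up in the system log rather than disappearing silently.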
Remote Access Security
If staff access your network remotely — via VPN, Remote Desktop, or any other mechanism — this entry point requires specific attention. Remote Desktop Protocol (RDP) exposed directly to the internet without protection is one of the most actively exploited attack vectors in existence. If you have RDP open on a public IP address without MFA, change this today. Either place it behind a VPN (so the attack surface presented to the internet is the VPN, not RDP directly), or implement Network Level Authentication with MFA, or both.
VPN services should use current, supported protocols — IKEv2/IPSec or OpenVPN/WireGuard — and should require MFA for authentication. Audit who has VPN access regularly and revoke access for leavers promptly.
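The firewall checklist earlier (disable remote administration, review open ports) and the RDP warning in this section both come down to reading the router's inbound rules and asking which services really need to face the internet. The script below is an added example, not code from the original post: it triages a constructed rule export in the layout `name,proto,wan_port,lan_ip,lan_port,enabled`, and treats 192.168.1.1 as the router's own address (also an assumption) so that a forward to the router itself is reported as remote administration.

```shell
#!/bin/sh
# Added example (not from the original post): triage a router's inbound
# port-forward / firewall rules and flag services that should not face the
# internet directly. The rule layout and sample rules are constructed for
# this example; most routers can export something similar.
#   name,proto,wan_port,lan_ip,lan_port,enabled
ROUTER_IP="192.168.1.1"   # assumed LAN address of the router itself

SAMPLE_RULES='rdp-finance,tcp,3389,192.168.1.20,3389,yes
file-server,tcp,445,192.168.1.30,445,yes
router-admin,tcp,8443,192.168.1.1,443,yes
vpn-gateway,udp,51820,192.168.1.2,51820,yes
web-site,tcp,443,192.168.1.40,443,yes
old-camera,tcp,8080,192.168.1.50,80,no
telnet-plc,tcp,2323,192.168.1.60,23,yes'

# rate_rule LAN_IP LAN_PORT -> prints "SEVERITY reason"
rate_rule() {
  lan_ip="$1"; lan_port="$2"
  if [ "$lan_ip" = "$ROUTER_IP" ]; then
    echo "CRITICAL remote administration exposed; disable unless required"
    return
  fi
  case "$lan_port" in
    3389)    echo "CRITICAL RDP exposed; move behind VPN with MFA" ;;
    445|139) echo "CRITICAL SMB exposed; close it, share files over VPN only" ;;
    23)      echo "CRITICAL Telnet exposed; unencrypted, close it" ;;
    21)      echo "HIGH FTP exposed; replace with SFTP or VPN" ;;
    22)      echo "REVIEW SSH exposed; key auth only, keep current" ;;
    1194|51820|500|4500)
             echo "REVIEW VPN endpoint; require MFA, patch promptly" ;;
    80|443)  echo "REVIEW web service; confirm it is patched and authenticated" ;;
    *)       echo "REVIEW unrecognised service; confirm it must be reachable" ;;
  esac
}

# audit_rules: read rule lines on stdin, print one finding per enabled rule
audit_rules() {
  while IFS=, read -r name proto wan_port lan_ip lan_port enabled; do
    [ -n "$name" ] || continue
    [ "$enabled" = "yes" ] || continue     # a disabled rule is not exposure
    verdict="$(rate_rule "$lan_ip" "$lan_port")"
    printf '%s %s %s/%s -> %s:%s (%s)\n' \
      "${verdict%% *}" "$name" "$proto" "$wan_port" "$lan_ip" "$lan_port" "${verdict#* }"
  done
}

# count_critical: number of enabled rules in the sample rated CRITICAL
count_critical() {
  printf '%s\n' "$SAMPLE_RULES" | audit_rules | grep -c '^CRITICAL '
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

The severity is decided by the internal port, not the external one, because moving RDP from 3389 to some other WAN port changes nothing about what is exposed. A REVIEW finding on the VPN endpoint is expected and is the point of the section above: the VPN is the one service that should be internet-facing, provided it runs a supported protocol and requires MFA.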
Network Monitoring
Knowing what is happening on your network — what devices are connected, what traffic is flowing, whether anything unusual is occurring — is the capability that distinguishes reactive security (finding out about an incident after it has caused damage) from proactive security (detecting an attack in progress). For small businesses without dedicated security staff, this is the gap that a managed monitoring service fills.
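The simplest form of "what devices are connected" monitoring is to compare the router's current DHCP leases against a list of devices you know you own. The script below is an added example, not code from the original post or any monitoring product: the lease lines follow the dnsmasq lease-file layout (expiry, MAC, IP, hostname, client-id) and both the leases and the inventory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): report devices holding a DHCP
# lease that are not in a known-device inventory. Lease lines use dnsmasq's
# lease-file layout (expiry mac ip hostname client-id); the leases and the
# inventory below are constructed for this example.

# Constructed inventory: "mac,description"
INVENTORY='aa:bb:cc:dd:ee:01,finance-laptop-01
aa:bb:cc:dd:ee:02,reception-pc
aa:bb:cc:dd:ee:03,office-printer'

# Constructed leases; one MAC is upper-case and one host name is missing ("*")
SAMPLE_LEASES='1718000000 aa:bb:cc:dd:ee:01 192.168.10.20 FIN-LAPTOP-01 01:aa:bb:cc:dd:ee:01
1718000000 AA:BB:CC:DD:EE:02 192.168.10.21 RECEPTION-PC 01:aa:bb:cc:dd:ee:02
1718000000 aa:bb:cc:dd:ee:03 192.168.10.30 * 01:aa:bb:cc:dd:ee:03
1718000000 de:ad:be:ef:00:01 192.168.10.99 android-7f3c2a 01:de:ad:be:ef:00:01'

# norm_mac MAC -> lower-case form, so inventory lookups are case-insensitive
norm_mac() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# is_known MAC -> exit 0 if the MAC appears in INVENTORY
is_known() {
  printf '%s\n' "$INVENTORY" | grep -q "^$(norm_mac "$1"),"
}

# find_unknown: read lease lines on stdin, print "mac ip hostname" for strangers
find_unknown() {
  while read -r expiry mac ip host clientid; do
    [ -n "$mac" ] || continue
    if ! is_known "$mac"; then
      printf '%s %s %s\n' "$(norm_mac "$mac")" "$ip" "$host"
    fi
  done
}

# unknown_count: number of unknown devices in the sample leases
unknown_count() {
  printf '%s\n' "$SAMPLE_LEASES" | find_unknown | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LEASES" | find_unknown
```

On a real router the lease file is typically /var/lib/misc/dnsmasq.leases; run the comparison on a schedule and treat any new MAC as something to identify the same day. A device that answers only with a generic hostname, like the constructed android entry here, is exactly the kind of thing a guest or IoT network should have kept off the corporate segment in the first place.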
Network Visibility, Around the Clock
SOC in a Box places a pre-configured sensor on your network that provides continuous visibility into network traffic, connected devices, and anomalous behaviour — all monitored by a named analyst 24/7. Where your firewall and Wi-Fi configuration define what should happen on your network, the SOC tells you what is actually happening.