Five Wireless Network Best Practices for Business

Nov 28, 2016 | Security

You can find a wireless network in just about any business. They are easy to set up, and most business owners never give them a second thought. However, a Wi-Fi network can be a significant security hole. Here are five best practices that we use to ensure our clients’ data stays safe.

1. Have a Business Class Router/Firewall

We recommend SonicWall, but other brands also work well. A good business class security appliance will add another layer of protection to your security strategy. Products like the TZ series from SonicWall offer content filtering, gateway antivirus, and numerous controls to ensure maximum protection against threats.

While the chance of someone attempting to hack your wireless network may be slim, being able to easily control and protect it is crucial to minimizing the risk. A good security appliance will also let you control what information wireless users have access to. From disgruntled employees to people looking for free internet, your wireless network is an easy-to-see target for attackers.

2. Use WPA2 Wireless Encryption

WPA2 has been around for over 10 years yet companies still rely on older WEP and WPA encryption. Except in some unlikely scenarios, always use WPA2. It provides better protection and the passphrases are easier to remember if you want them to be. Don’t even think about using anything else. For more information, check out this post on

3. Segment Your Traffic

Segmenting Wi-Fi traffic allows you to control what information a user of that network has access to. We prefer to set up three networks using virtual access points: an internal network, an employee network, and a guest network. This is a little more difficult to accomplish but well worth the effort.

We only attach company-owned equipment to one “internal” network. Devices such as company-owned PCs, notebooks, phones, or printers would go on this network. The passphrase for this network is changed on a schedule or if compromised. No one other than critical personnel has this passphrase.

On the “employee” network, we have the ability to limit access if needed. Even if access is the same as the “internal” network, we now have the option of locking down employee access by changing the passphrase without disconnecting devices on the “internal” network. We may do this in a situation where an employee who knows the passphrase is terminated or if you feel the passphrase has been compromised. A new passphrase would get distributed to employees to allow access once again.

The “guest” network is strictly for people outside of the company. This network has no access to internal information and is commonly limited in bandwidth. A good idea is to disable it on a schedule so that it shuts down overnight. We also limit content such as streaming or certain topics to avoid abuse.

4. MAC Filtering

MAC filtering uses the physical address of the network device to ensure access to only devices that we select. Even if the passphrase is compromised, access to the network is locked to the MAC address list, preventing unauthorized access. We keep a log of company-owned equipment and its MAC addresses, updating it as necessary. If a device is retired, lost, or stolen, we remove it from the MAC list and it will no longer be able to access the network.
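
As an added example (not part of the original post), here is a Python check that reconciles the equipment log with the router's MAC filter list, so entries for retired, lost, or stolen devices and entries nobody logged are caught. The CSV layout, the status values, and every address below are constructed assumptions; substitute the list exported from your own appliance.

```python
import csv, io, re

# Constructed sample data (not from the original post): asset log and filter list.
INVENTORY_CSV = """asset,mac,status
front-desk-pc,00-1A-2B-3C-4D-5E,active
sales-laptop,001a.2b3c.4d5f,stolen
lobby-printer,00:1a:2b:3c:4d:60,active
old-tablet,00:1A:2B:3C:4D:61,retired
"""
ALLOWLIST = ["00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:5f", "00:1A:2B:3C:4D:61",
             "DA:A1:19:00:00:01", "not-a-mac"]

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally administered bit is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def reconcile(inventory_csv, allowlist):
    """Compare the asset log with the filter list and report what needs fixing."""
    status = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        mac = normalize_mac(row["mac"])
        if mac:
            status[mac] = row["status"].strip().lower()
    report = {"malformed": [], "remove": [], "unknown": [], "randomized": [], "missing": []}
    allowed = set()
    for raw in allowlist:
        mac = normalize_mac(raw)
        if mac is None:
            report["malformed"].append(raw)      # typo in the filter list
            continue
        allowed.add(mac)
        if mac not in status:
            report["unknown"].append(mac)        # allowed but never logged
            if is_locally_administered(mac):
                report["randomized"].append(mac) # address will not stay stable
        elif status[mac] != "active":
            report["remove"].append(mac)         # retired, lost, or stolen
    report["missing"] = sorted(m for m, s in status.items() if s == "active" and m not in allowed)
    return report

if __name__ == "__main__":
    for finding, macs in reconcile(INVENTORY_CSV, ALLOWLIST).items():
        print(f"{finding}: {macs}")
```

Anything under "remove" or "unknown" should be taken off the filter list or added to the equipment log; "missing" lists active company devices the filter would currently block.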

5. Change Your Passphrase

Passwords get compromised, whether by an employee telling someone or writing it down, or through a virus. Have a plan to change your passphrase on a regular basis to prevent unauthorized access.


While this list is not comprehensive by any means, these are the first places I would look to find simple and effective ways to harden your wireless security. These tips can save you a lot of hassle down the line. If you need more info or have something to add, leave a comment or contact us for more.

