_Part 2 of 18 in the Digital privacy for board directors series._
If you wrote down the list of internet-connected devices in your home from last month, you probably have more than you remembered. Twenty is normal. Forty is not unusual for a family of four. Every one of those devices is reaching the internet through a single piece of equipment — your home router, almost always supplied by your broadband provider, almost always installed once and ignored.
That router is the only thing between everything in your house and the rest of the internet. It is also, in most homes, the device that has had the least attention paid to it.
What your router is actually doing
Four things, simultaneously, for every device you own.
It is acting as your firewall, deciding what traffic from the internet is allowed to reach your devices. The default is only traffic you initiated, which is the right default. Some routers, however, ship with port forwarding rules or universal plug-and-play (UPnP) enabled, both of which open holes in this default. UPnP in particular is convenient and risky in equal measure.
It is running its own management interface, usually accessible via a web browser at an address like 192.168.0.1 or 192.168.1.1. The default administrative password for that interface is, for many ISP-supplied routers, printed on a sticker on the back of the device. That same password is, for many models, listed publicly online, where anyone who knows the model number can find it.
It is broadcasting your Wi-Fi network, with a password your family knows and a visitor or two have probably been told. The encryption it uses for that Wi-Fi is, on most routers, configurable. The default is usually WPA2 or WPA3, both of which are fine. WPA and WEP, which some older routers still default to, are not.
It is acting as your DNS resolver, translating the website names you type into the IP addresses your computer actually connects to. By default this goes through your ISP's DNS servers, which means your ISP has a complete log of every website your household visits.
Each of these has implications. None of them is hard to address. Most can be done in under an hour, this Saturday, without involving anyone technical.
The Saturday morning checklist
**Change the router's administrative password.** Log in to the router (the address and current password are usually on the sticker), find the password change option, and replace it with something long, random, and unique. Write it down in your password manager, not on a sticky note. The single most common compromise of home networks happens because the default admin password is well-known.
**Disable remote management.** Look for an option labelled remote administration, remote management, or web access from WAN. Unless you have a specific reason to manage your router from outside the house (most homes do not), turn it off.
**Disable UPnP.** Look for an option labelled UPnP. Unless you know which device needs it — some gaming consoles do, some video conferencing tools claim to but usually do not — turn it off.
**Confirm WPA2 or WPA3 encryption.** Some routers default to WPA/WPA2 mixed, which is fine. WPA only or WEP is not.
Change the Wi-Fi network name (SSID) if it identifies the household. If your network is called Smith Family 5G or Bassill_Main, change it. The network name is visible to every neighbour and every passer-by. It does not need to confirm who lives at the address.
Enable the guest network. Most modern routers can broadcast a second Wi-Fi network for visitors. Put visitors, contractors, and any internet-of-things devices that do not need to talk to your phones or laptops on the guest network. A compromised IoT device on the guest network cannot reach your work laptop on the main network.
Set the DNS resolver to something better than your ISP's. This is optional but worth thinking about. Cloudflare's 1.1.1.1 and Quad9's 9.9.9.9 are free, fast, and privacy-respecting. Neither logs queries against you the way your ISP does. Quad9 also filters known-malicious domains. Setting this is usually a one-time change in the router's DHCP settings.
That is the Saturday morning. Sixty minutes. The router will outlive several phones and several laptops; the work pays back over years.
The harder question: should the router itself be replaced?
The router your ISP supplied is configured to a generic standard, runs firmware the ISP controls, and may not receive timely security updates. For most directors, this is fine. For some — particularly if you are in a high-exposure role, of which more later in the series — replacing the ISP router with a business-grade unit you own and control is a reasonable upgrade. Cost: £150 to £400 for the hardware. The brands worth considering at this end of the market are Ubiquiti, pfSense / Netgate, and MikroTik — all three are capable of more than most home users need, but provide visibility and control the ISP unit does not.
If you go down this path, the conversation to have with your IT support or an external specialist is: what do I configure, how is it kept up to date, and who is responsible for it if something goes wrong? The most common failure mode of self-installed business routers in private homes is that they get installed once and never patched. That is worse than the ISP router.
One paragraph for households with children
If you have children in the house, the router is also the place where most parental-controls conversations actually start. Most modern routers — including the ISP-supplied ones — include some form of content filtering, scheduled internet access, and per-device pause controls. These are blunt tools, more useful for _when_ the internet is off than for _what_ the children can see, but they have their place. The router is the right place for the _when_. We will cover the _what_ properly in the children-focused posts later in the series.
What this week looks like
The Saturday checklist above. If you do nothing else for the next two weeks, do the four items in bold and the guest network. The DNS and SSID changes are nice-to-haves; the four items in bold are the ones that matter most.
In three weeks: the smart-home dilemma. The devices you have invited into your kitchen, what they actually do, and the ones worth keeping.