_Part 7 of 12 in the Cyber security for the small business series._
Your network is the road system that connects all your digital devices and allows them to communicate with each other and the internet. Like any road system, it needs traffic controls, barriers, and rules of the road. This month covers the practical steps to secure your office network, your Wi-Fi, and the increasingly common scenario of staff working remotely.
Your router is your only firewall
For most small businesses, the internet router supplied by your broadband provider is the only thing standing between your internal network and the entire internet. It acts as a basic firewall, controlling what traffic can pass in and out. It is therefore critically important that it is configured securely. The defaults out of the box are almost always too generous.
Change the default administrator password. Every router ships with a default username and password, and those defaults are publicly known (you can find them online in seconds). Changing them to something strong and unique should be the first thing you do. Use the password manager you set up in April.
Update the firmware. Router manufacturers release firmware updates to fix security vulnerabilities. Check your router manufacturer's website for the latest version, or enable automatic updates if your router supports it. We talked about firmware as the most overlooked update category last month — your router is exactly what we meant.
Disable remote management. Unless you specifically need to manage your router from outside your network (most businesses do not), this feature should be turned off. It is an unnecessary entry point.
Review open ports. Your router should not be forwarding any traffic to internal devices unless there is a specific, understood business reason. If you do not know what port forwarding is, the safest position is to ensure none is configured. If your IT provider set up port forwarding for a legacy system, ask them why and whether it is still needed.
Securing your Wi-Fi
If your business uses Wi-Fi — and almost all do — there are a few straightforward steps that materially improve security:
Use WPA3 encryption, or WPA2 as a minimum. Older encryption standards such as WEP and the original WPA are broken and provide no meaningful security. Check your router settings to confirm which standard is in use.
Set a strong Wi-Fi password. This should be different from the router's administrator password. A passphrase of four or five random words works well and is easy to share with staff.
Create a separate guest network. Most modern routers support multiple wireless networks. Put your business devices on one and visitors, personal phones, and IoT devices (smart speakers, smart TVs, security cameras) on another. This prevents a compromised guest device from reaching anything that matters. If a visitor's malware-ridden laptop joins your guest network, it does not get to talk to your accounting system.
Change the default network name (SSID). A minor measure, but it avoids advertising which router model you are using, which makes life slightly harder for attackers looking up known vulnerabilities.
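The encryption and network-name checks above can also be run from a laptop rather than the router's admin page. The following is an added example, not part of the original article: it grades a Wi-Fi scan listing against the guidance in this section. It assumes the listing comes from `nmcli -t -f SSID,SECURITY device wifi list` on Linux; the sample scan and the list of default-looking SSID prefixes are constructed for illustration.

```python
import re

# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output
# (terse mode: fields separated by ':', a literal ':' in a value escaped as '\:').
SAMPLE_SCAN = r"""OfficeMain:WPA3
OfficeGuest:WPA2 WPA3
NETGEAR47:WPA1 WPA2
Warehouse\:Scanner:WEP
CafeFreeWiFi:
TP-Link_8F2A:WPA2
"""

# Illustrative, non-exhaustive vendor-style default SSID prefixes (an assumption).
DEFAULT_SSID_PREFIXES = ("NETGEAR", "TP-Link_", "linksys", "dlink", "BT-", "SKY")

def parse_scan(text):
    """Yield (ssid, set_of_security_tokens) from nmcli terse output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on ':' that is not preceded by a backslash, then unescape.
        fields = [f.replace("\\:", ":").replace("\\\\", "\\")
                  for f in re.split(r"(?<!\\):", line)]
        security = fields[1] if len(fields) > 1 else ""
        yield fields[0], set(security.split())

def grade(security):
    """Map the advertised security modes to the article's guidance."""
    if not security or security == {"--"}:
        return "FAIL: open network, no encryption"
    if "WEP" in security or "WPA1" in security:
        return "FAIL: WEP/original WPA still accepted"
    if "WPA3" in security:
        return "OK: WPA3" if security == {"WPA3"} else "OK: WPA2/WPA3 mixed"
    if "WPA2" in security:
        return "OK (minimum): WPA2"
    return "REVIEW: unrecognised mode " + " ".join(sorted(security))

def audit(text):
    """Return {ssid: [findings]} for every network in the scan."""
    report = {}
    for ssid, security in parse_scan(text):
        findings = [grade(security)]
        if ssid.startswith(DEFAULT_SSID_PREFIXES):
            findings.append("NOTE: SSID looks like a vendor default")
        report[ssid] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_SCAN).items():
        print(f"{ssid!r}: " + "; ".join(findings))
```

A network that advertises both WPA1 and WPA2 is graded as a failure because it still accepts the original WPA from any device that asks for it.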
Remote and hybrid working
The shift towards remote and hybrid working has expanded the security boundary of every small business. When your staff work from home, from coffee shops, or from client sites, your data is travelling across networks you do not control.
VPNs. A virtual private network creates an encrypted tunnel between a remote device and your business network, protecting data in transit from anyone who might be monitoring the network. If your team regularly works remotely and accesses business systems, a business VPN is a worthwhile investment. Reputable options include Tailscale, Cloudflare Zero Trust, and the VPN built into many business firewall products. Cost is typically £5–10 per user per month.
Public Wi-Fi is inherently risky. Coffee shop Wi-Fi, hotel Wi-Fi, and airport Wi-Fi are shared networks where other users could potentially intercept traffic. If your staff need to work from such locations, a VPN is essential, not optional. The simpler alternative is to use the mobile network, tethered from a phone, rather than the public Wi-Fi, which avoids the issue entirely.
Home routers. You cannot control your employees' home networks directly, but you can provide clear guidance. A one-page note covering four points (change the default password, enable automatic firmware updates, use WPA2 or WPA3, and set up a separate guest network if visitors stay over) is enough for most home setups. Most modern home routers do most of this automatically; the missing piece is usually the default password.
Devices used at home. If staff are using personal devices for work email, they are introducing your data to whatever security posture their household has. This is not necessarily wrong — many small businesses operate this way and have to — but be aware of it. The cleanest answer is business-issued devices. The realistic compromise is a written list of what staff personal devices must have (a passcode, automatic updates, an up-to-date OS) before they touch business data.
What July looks like
Walk to your router. Find the model number. Check the manufacturer's website for the current firmware version. Compare against the version on your router (usually in the admin page). If the router is more than five years old, replace it — by 2024 the cheap end of the business router market is genuinely capable, and the cost is paid back the first time it stops something.
While you are in the admin page: change the admin password, turn on WPA3 (or WPA2), set up a guest network if you have not already, and turn off remote management if it is on.
That single afternoon's work, done once, will outlive any product the firm buys this year.
Next month
August: malware. What it actually is, how it actually gets in, and the layered defences that catch it when one of those layers slips.
Cyber Essentials note
This month's work covers Cyber Essentials control 1, Firewalls (and Internet Gateways). Three of the five controls are now substantially in place if you have done the work in April, June, and July.