Secure your small business network

You need to think about your business’s network security as soon as you have any of the following:

• employees who need access to business applications and accounts
• multiple devices linked to your network – like laptops, phones, and printers
• customers or guests who want to use the internet (WiFi) while they’re at your office.

The more devices and users you have on your network, the more opportunity there is for attackers to find a way into it.

Getting started

Before you do anything else, you need to make sure you have the basics covered. This means starting with your router security.

Your router is what connects your business network to the internet, and you may also use it as a wireless access point to give your office WiFi. You’ll need to make sure:

• you’ve changed the default login credentials for your router
• you’ve changed the name of your wireless network
• you’ve set a password for your wireless network
• you’re using WPA2 or a later version for wireless security
• you’re keeping your router up-to-date
• you’ve enabled any built-in firewalls, and restricted any management interfaces and ports so they’re not exposed to the internet.

If you haven’t, check out our guide to securing your home network for more information on what to do.

Secure your home network

When you’ve done this, there’s a few other things you need to make sure you cover as well. If you need help with any of them, talk to your IT service provider — they can give you a hand to get your network sorted.

Set up a guest network for your customers

Setting up a guest network is a bit like setting up a different account on your wireless router. It will let your customers access the internet through a network on your router that’s separate to the one you and your staff use. It has a different network name, and a password you can share with customers who want to use WiFi.

A guest network will help keep your business network safe. For example, if a customer’s phone had malware on it and they connected to the internet through your business network, the malware could get into the network — and your devices — without you knowing. You can configure a guest network to stop that happening, and keep your business network private.

It should be configured in a way that will:

• only give it access to the internet. It should not have access to connect to other devices on your business network
• stop it talking to other devices on other networks. Some routers will let you set this up in the management or administration portal. Others will need you to configure a separate local area network (LAN) yourself.

Disable unused features

If the devices on your network have features that you don’t use, you should disable them. This includes a feature on your router called WiFi Protected Setup (WPS). WPS aims to make connecting wireless devices to your network faster and easier. It lets you connect devices, like printers, to your network without entering the network password. Instead, WPS uses:

• a PIN
• near field communication (NFC), if the device is close enough
• a push-button on the router, or
• a USB.

Unfortunately, there are vulnerabilities with this feature that an attacker can use to gain access to your network. For example, an attacker could go through a list of all possible PIN combinations to find the right one to log in with (known as a brute-force attack). If they got access to your network, they could use it to get access to your other devices and the information you hold on the network too.

We recommend you disable WPS. Your router’s manual should explain how to tell if WPS is enabled or not — it’s often enabled by default. You can usually disable it in your router’s administration portal.

Move your router to a secure location

It’s important to keep your router, and other similar network devices (like your Switches ), in a place where no-one can tamper with them. They should be somewhere secure where only you, or a trusted employee, can access them. This could be a locked cupboard, for example.

If you keep your network devices somewhere there’s open access to them, an attacker could do a lot of damage. You run the risk of unintentional harm, too. For example, someone could:

• plug an ethernet cable into one of the ports to access parts of the network kept private and secure from others, or the administrative interface of the router itself
• press the reset button (whether by accident or on purpose) and reset your devices back to their factory settings. This means that any settings you defined will need to be redone. It also means that your network is open to attack. Anyone could connect to it while it’s running on default factory settings — by logging in with the router’s default credentials, for example.

Restrict employee access to networks and devices

When you have a range of roles within your business, you may want to think about restricting access to parts of your network or server. Some roles need a higher level of access than others. For example, if you use a back office computer for doing payroll and accounting, you may want to:

• make sure that computer is on a separate network from the others in the business
• limit access to that computer and network — it should only be those employees who need access who have it.

This is the ‘principle of least privilege’. It means only having the access you need to do your job. You can set different permissions for each role based on the level of access they need. You can segment the network or server so that staff can only access the parts of it that their role has permissions for.