How Secure Is Your Business Wi-Fi?
- Joseph Rapley
- Jul 4
Guest post from TheXero
For many small and medium businesses, Wi-Fi is something that’s set up once and rarely thought about again, until something goes wrong. But just because it’s working doesn’t mean it’s secure. Poorly configured wireless networks are a common source of security vulnerabilities on your internal systems.

Why Wi-Fi Security Matters
Even in 2025, wireless networks remain a weak point in many businesses. That’s because Wi-Fi is often treated as “set and forget” infrastructure, while the threats have continued to evolve. Adversaries are no longer just looking to guess a password; they’re running rogue access points, capturing handshake data, and tricking devices into leaking credentials.
If your Wi-Fi is not properly secured, an attacker could sit in your carpark and gain access to your internal network in minutes. That’s not theory; it’s something we’ve seen in real-world tests.
Let’s take a look at the three main types of Wi-Fi networks most NZ SMBs are using, and how each should be secured.
1. Corporate Wi-Fi (Company Devices)
Most businesses have a primary wireless network used for company laptops, phones, printers and other work-related gear. This is often named something like COMPANY_CORP.
For true security, this network should use WPA2 or WPA3 Enterprise mode with RADIUS authentication. This allows devices to log in using individual credentials or certificates, rather than a shared password.
Ideally:
- The network should require both client and server certificates (EAP-TLS). This ensures that only trusted devices can join, and that they’re connecting to a verified network.
- Lost or retired devices can be cut off by removing their certificate, without affecting other users.
The reality for many SMBs, though, is that certificate-based setups are seen as too complex. As a result, many still rely on WPA2-PSK (pre-shared key) – a single password shared among all devices.
The problem?
- Anyone with the password can access the network – including ex-staff, contractors, or even guests.
- If that password leaks, the entire network is at risk.
- Adversaries can capture a handshake and crack weak passwords offline using tools like Hashcat or John the Ripper.
What to do:
- Move to WPA2/WPA3 Enterprise with RADIUS if possible.
- If using a PSK, change it regularly and use a long, unique passphrase (not a default or reused one).
- Consider onboarding tools like Microsoft Intune or JumpCloud to help manage certificate deployment if you don't have a full internal IT team.
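To make the PSK advice above checkable, here is an added example (not code from the original post) that shows how a WPA2-PSK key is derived and audits a passphrase against the recommendations in this section. The policy thresholds, the company word list and the sample passphrases are assumptions chosen for illustration.

```python
import hashlib
import re
from datetime import date

MIN_LENGTH = 20       # assumed policy value, not from the article
MAX_AGE_DAYS = 90     # assumed rotation interval, not from the article


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.

    Nothing per-user or per-device goes in, so every holder of the passphrase
    derives the same key, and guesses can be checked offline against a
    captured handshake. Passphrase quality is the only protection.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _stem(text: str) -> str:
    """Lower-case and drop digits/punctuation so 'Summer2024!' matches 'summer2025'."""
    return re.sub(r"[^a-z]", "", text.lower())


def audit_psk(passphrase, ssid, set_on, today, previous=(), org_words=()):
    """Return a list of findings for one PSK; an empty list means it passed."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid-length")        # WPA2 passphrases are 8-63 chars
    elif len(passphrase) < MIN_LENGTH:
        findings.append("too-short")
    stem = _stem(passphrase)
    if any(_stem(w) and _stem(w) in stem for w in (ssid, *org_words)):
        findings.append("contains-network-or-company-name")
    # Catches exact reuse and "rotation" that only bumps a year or a symbol.
    if any(old == passphrase or (stem and _stem(old) == stem) for old in previous):
        findings.append("reused-or-incremented")
    if (today - set_on).days > MAX_AGE_DAYS:
        findings.append("rotation-overdue")
    return findings


# Constructed sample values for illustration.
SSID = "COMPANY_CORP"
WEAK = audit_psk("Company2025!", SSID, date(2024, 7, 1), date(2025, 7, 4),
                 previous=["Company2024!"], org_words=["company"])
STRONG = audit_psk("cobalt-lantern-orbit-vivid-marsh", SSID, date(2025, 6, 1),
                   date(2025, 7, 4), previous=["Company2025!"], org_words=["company"])
```

The first sample fails every check except the length bounds, while the second returns no findings.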
2. BYOD Wi-Fi (Personal Devices)
A Bring Your Own Device network is often set up so staff can connect their personal phones or tablets to the internet during the workday. This network might be called COMPANY_BYOD.
Too often, this network is poorly isolated, meaning that once connected, users might still be able to reach internal company systems. That opens the door to:
- Malware spreading from a compromised personal device to internal systems.
- Internal assets being scanned or accessed from unauthorised devices.
What to do:
- Use VLANs or separate firewall zones to fully segregate the BYOD network.
- Block all access from BYOD to the corporate network and treat it as untrusted.
- Rely on allow-listing rather than deny-listing to grant only specific access to devices on this network.
3. Guest or Public Wi-Fi
Nearly every business that hosts clients or customers offers some form of guest Wi-Fi. It might be a simple network like COMPANY_GUEST, or a hotspot with a login screen.
If not properly isolated, guest users could:
- Scan the local network and find open ports or shared files.
- Attempt brute-force attacks against internal systems.
- Trigger privacy or compliance issues if customer data is exposed.
What to do:
- Use a captive portal to require acceptance of terms or track usage.
- Place the guest Wi-Fi on a completely separate internet connection or VLAN.
- Ensure no access to internal business systems is possible from this network.
- Ensure device isolation is present, so that adversaries cannot use the guest Wi-Fi to attack other guests on the same network.
Real-World Wireless Attacks Are Evolving
Modern attackers don’t need to guess your Wi-Fi password anymore. They use tools like hostapd-mana to impersonate your Wi-Fi network, trick devices into connecting, and then harvest credentials.
In a recent case study shared by TheXero, an attacker set up a rogue access point mimicking a corporate Wi-Fi name. Even when the attack failed to steal credentials directly, the attacker was able to trick a laptop into joining a fake “home” network. From there, they used a tool called Responder to capture the user’s Windows login credentials over the air, without the user clicking anything.
This is a real threat for any business with staff who:
- Take laptops home or to cafés
- Use devices that auto-connect to known networks
- Lack outbound firewall or VPN enforcement
If your network is not hardened, and your staff devices aren’t locked down, these kinds of attacks can lead directly to stolen credentials, business email compromise, or worse.
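On the detection side, a periodic wireless survey can be checked for networks that imitate the corporate SSID. The following is an added example (not from the original post or from TheXero's case study); the expected security mode, the access point inventory and the survey records are constructed assumptions.

```python
CORP_SSID = "COMPANY_CORP"                 # SSID name used in the article
EXPECTED_SECURITY = "WPA2-Enterprise"      # assumed configuration
KNOWN_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}   # constructed inventory


def _fold(ssid: str) -> str:
    """Collapse case, whitespace and separators that users will not notice."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def assess(beacon: dict) -> list:
    """Return findings for one observed network; an empty list means nothing to report."""
    ssid, findings = beacon["ssid"], []
    if ssid != CORP_SSID:
        if _fold(ssid) == _fold(CORP_SSID):
            findings.append("lookalike-ssid")
        return findings
    # A BSSID can be cloned, so a match here is not proof of legitimacy;
    # an unknown one advertising the corporate name always deserves a look.
    if beacon["bssid"].lower() not in KNOWN_BSSIDS:
        findings.append("unknown-bssid")
    if beacon["security"] != EXPECTED_SECURITY:
        findings.append("security-downgrade")
    return findings


def review(scan: list) -> dict:
    """Map 'bssid ssid' to findings for every beacon that needs follow-up."""
    return {f'{b["bssid"]} {b["ssid"]!r}': f for b in scan if (f := assess(b))}


# Constructed survey records; real ones would come from a WLAN controller or sensor.
SCAN = [
    {"ssid": "COMPANY_CORP", "bssid": "02:00:00:AA:00:01", "security": "WPA2-Enterprise"},
    {"ssid": "COMPANY_CORP", "bssid": "02:00:00:ee:00:99", "security": "WPA2-Enterprise"},
    {"ssid": "COMPANY_CORP", "bssid": "02:00:00:ee:00:98", "security": "Open"},
    {"ssid": "Company-Corp ", "bssid": "02:00:00:ee:00:97", "security": "WPA2-PSK"},
    {"ssid": "CafeWiFi", "bssid": "02:00:00:bb:00:10", "security": "WPA2-PSK"},
]
REPORT = review(SCAN)
```

Three of the five sample records are reported: an unknown BSSID, an open twin of the corporate SSID, and a lookalike name.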
How to Protect Your Wi-Fi and Devices
Here’s what we recommend for any small or medium business in NZ:
✅ Use WPA2/WPA3 Enterprise with certificate-based auth for corporate Wi-Fi
✅ Change PSKs regularly if you're still using shared passwords
✅ Completely isolate BYOD and guest networks ensuring no crossover
✅ Disable legacy protocols like LLMNR and NetBIOS on staff devices
✅ Enforce outbound firewall rules and VPNs on laptops
✅ Require MFA for all cloud services like Microsoft 365
✅ Schedule regular Wi-Fi security reviews and testing
Get Your Wi-Fi Tested
At Cyberoptic Security, we help New Zealand businesses secure their wireless networks through professional Wi-Fi testing and configuration reviews.
Whether you’re using a shared PSK, moving to RADIUS, or want to understand your exposure to rogue AP attacks, we can help. We test your networks from an attacker’s point of view and give you a clear, practical report on where the risks are, and how to fix them.
We also recommend the Wireless Mastery training course by our industry colleague TheXero, which covers these techniques in detail and is ideal for learning about the many security attacks and defence mechanisms of Wi-Fi networks.
Need help securing your wireless networks?
Get in touch with Cyberoptic Security – we’re here to help protect your business from wireless threats, today and in the future.