An insecure Wi-Fi network is one of the easiest entry points for attackers. This practical guide covers what Melbourne businesses need to do to protect their wireless infrastructure.
Wireless networks are the connective tissue of the modern office - but they’re also one of the most commonly overlooked attack surfaces. A misconfigured Wi-Fi network can give an attacker sitting in your car park a route straight into your business systems. The good news is that securing your wireless infrastructure doesn’t require enterprise-level complexity or budget. It does require deliberate configuration and ongoing discipline.
Here’s what every Melbourne SMB should have in place.
Use WPA3 - and Know What You’re Actually Running
WPA3 is the current standard for wireless security. It replaced WPA2 as the certification standard in 2018, but plenty of business networks are still running WPA2 - or worse, a WPA2/WPA3 mixed (transition) mode that falls back to the weaker protocol whenever an older device connects.
Check what your access points are running. Most modern business-grade access points (Cisco Meraki, Ubiquiti UniFi, Aruba Instant) support WPA3 in at least some form. Enable WPA3-Enterprise if your environment supports 802.1X authentication; WPA3-Personal (with SAE) is a solid baseline for smaller setups.
If you have devices on your network that don’t support WPA3, that’s a separate problem worth addressing. Ageing hardware that can’t support modern security protocols is a liability.
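One way to check what your radios are actually advertising, rather than what the controller's summary page says: read the RSN element each BSS broadcasts and name the effective mode. The script below is an added example, not CX IT Services' tooling; it parses text in the shape of Linux `iw dev <iface> scan` output (the sample is constructed, with indentation simplified) and flags any SSID that is not WPA3-only, which catches exactly the transition-mode and TKIP cases described above.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `iw dev <iface> scan` output (indentation simplified;
# not captured from a real site). Field names follow what iw prints for the RSN element.
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
    SSID: office-a
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: SAE
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required (0x00cc)
BSS aa:bb:cc:00:00:02(on wlan0)
    SSID: office-b
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK SAE
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS aa:bb:cc:00:00:03(on wlan0)
    SSID: legacy-printers
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
         * Authentication suites: PSK
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
BSS aa:bb:cc:00:00:04(on wlan0)
    SSID: corp-8021x
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS aa:bb:cc:00:00:05(on wlan0)
    SSID: open-guest
    capability: ESS (0x0001)
"""


def parse_scan(text: str) -> List[Dict[str, str]]:
    """Split scan output into one record per BSS with the fields relevant to WPA level."""
    networks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", raw)
        if m:
            current = {"bssid": m.group(1), "ssid": "", "akm": "", "group_cipher": "", "mfp": "none"}
            networks.append(current)
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            current["ssid"] = line[5:].strip()
        elif "Authentication suites:" in line:
            current["akm"] = line.split("Authentication suites:", 1)[1].strip()
        elif "Group cipher:" in line:
            current["group_cipher"] = line.split("Group cipher:", 1)[1].strip()
        elif "Capabilities:" in line:           # RSN capabilities carry the PMF/MFP flags
            if "MFP-required" in line:
                current["mfp"] = "required"
            elif "MFP-capable" in line:
                current["mfp"] = "capable"
    return networks


def classify(net: Dict[str, str]) -> str:
    """Name the effective security mode from the AKM suites, group cipher and MFP flag."""
    akm = net["akm"].split()
    if not akm:
        label = "OPEN"
    elif "802.1X" in net["akm"]:
        label = "Enterprise (802.1X)"          # WPA3-Enterprise additionally needs MFP required
    elif "SAE" in akm and "PSK" in akm:
        label = "WPA2/WPA3 transition mode"   # clients may still negotiate WPA2-PSK
    elif "SAE" in akm:
        label = "WPA3-Personal"
    elif "PSK" in akm:
        label = "WPA2-Personal"
    else:
        label = "unrecognised AKM " + net["akm"]
    if "TKIP" in net["group_cipher"]:
        label += " + TKIP group cipher"
    if net["mfp"] != "none" and label != "OPEN":
        label += f", MFP {net['mfp']}"
    return label


def needs_attention(text: str) -> List[str]:
    """SSIDs that are not WPA3-only: open, WPA2-capable, transition mode or TKIP anywhere."""
    flagged = []
    for net in parse_scan(text):
        wpa3_only = (net["akm"] != ""
                     and "PSK" not in net["akm"].split()
                     and "TKIP" not in net["group_cipher"]
                     and net["mfp"] == "required")
        if not wpa3_only:
            flagged.append(net["ssid"])
    return flagged


if __name__ == "__main__":
    for net in parse_scan(SAMPLE_SCAN):
        print(f"{net['bssid']}  {net['ssid']:<16} {classify(net)}")
    print("needs attention:", needs_attention(SAMPLE_SCAN))
```

Run it against real output with `iw dev wlan0 scan > scan.txt` from a Linux laptop on site and feed the file in; a transition-mode SSID shows up as carrying both PSK and SAE, which is the mixed mode the section warns about.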
Segment Your Network - At Minimum, Separate Guest from Corporate
Running a single flat wireless network where visitors, personal devices, and corporate workstations all share the same segment is a significant risk. One compromised guest device can scan and attack everything else on the same subnet.
The baseline requirement for any business network is a separate guest VLAN with internet access only - no visibility into corporate resources, file shares, printers, or internal servers. Your router or managed switch should enforce this at the network layer, not just rely on a different SSID name.
For more mature environments, consider additional segmentation:
- Corporate VLAN: Domain-joined workstations and managed devices only
- IoT/AV VLAN: Smart TVs, video conferencing endpoints, printers, and other devices that don’t need access to corporate file systems
- Guest VLAN: Internet-only access for visitors
Each VLAN should have its own firewall rules controlling what traffic can move between segments. This is microsegmentation in practice - if something on the IoT network is compromised, it can’t reach your accounting software.
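The inter-VLAN rules above are easy to state and easy to break with one "temporary" allow rule. The following added example (not part of this guide's original content, and not a particular firewall's syntax) models a first-match policy for the three segments with assumed, constructed address ranges, evaluates sample flows against it, and includes a check that a guest client cannot reach any internal destination. The same check is run against a deliberately weak policy to show it failing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addressing for the three segments the guide describes (constructed values;
# substitute your own ranges). Private space outside these is treated as "other-private".
VLANS = {
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # zone name or "any"
    dst: str                     # zone name, "internet" or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone; unknown private space is still internal."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "other-private" if any(addr in n for n in PRIVATE) else "internet"


# First-match policy, read top to bottom, ending in an explicit default deny.
POLICY: List[Rule] = [
    Rule("allow", "guest", "internet", comment="guest is internet-only"),
    Rule("deny", "guest", "any", comment="guest never reaches an internal segment"),
    Rule("allow", "corporate", "iot", "tcp", 9100, comment="workstations print to IoT-segment printers"),
    Rule("allow", "corporate", "internet"),
    Rule("deny", "iot", "corporate", comment="a compromised IoT device cannot reach corporate"),
    Rule("allow", "iot", "internet", "tcp", 443, comment="vendor cloud/firmware updates only"),
    Rule("deny", "any", "any", comment="default deny"),
]

# The kind of catch-all that gets added to make something work and is never removed
# (constructed, to show the isolation check failing).
WEAK_POLICY: List[Rule] = [
    Rule("allow", "any", "internet"),
    Rule("allow", "any", "any", comment="temporary - TODO remove"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Return the action of the first rule matching the flow's zones, protocol and port."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for r in policy:
        if r.src != "any" and r.src != src_zone:
            continue
        if r.dst != "any" and r.dst != dst_zone:
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"  # implicit deny in case the explicit final rule is ever removed


# Internal destinations a guest client must never be allowed to reach (constructed).
INTERNAL_TARGETS = [
    ("10.10.0.5", "tcp", 445),    # corporate file share
    ("10.10.0.10", "tcp", 443),   # corporate web application
    ("10.20.0.7", "tcp", 9100),   # printer on the IoT segment
    ("192.168.1.1", "tcp", 80),   # some other private address, e.g. an old router
]


def guest_isolation_violations(policy: List[Rule], guest_ip: str = "10.30.0.15") -> List[str]:
    """Return the internal destinations a guest client would be allowed to reach."""
    return [dst for dst, proto, port in INTERNAL_TARGETS
            if evaluate(Flow(guest_ip, dst, proto, port), policy) == "allow"]


if __name__ == "__main__":
    print("guest -> corporate share:", evaluate(Flow("10.30.0.15", "10.10.0.5", "tcp", 445)))
    print("violations (POLICY):", guest_isolation_violations(POLICY))
    print("violations (WEAK_POLICY):", guest_isolation_violations(WEAK_POLICY))
```

The model only covers traffic that crosses a firewall between segments; devices on the same guest VLAN talking to each other is a client-isolation setting on the access point, not a firewall rule. Keeping a list like `INTERNAL_TARGETS` beside your real rule set, and re-running the check after every change, is the cheapest way to notice when a convenience rule has quietly undone the segmentation.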
SSID Hygiene
A few quick wins on network naming and configuration:
Don’t broadcast your company name in your SSID. “CX_IT_Corporate” is an invitation to targeted attacks. A nondescript name gives nothing away to someone wardriving your street.
Disable SSID broadcast for your corporate network if your devices are all managed. Managed devices can be configured to connect to a hidden SSID; the inconvenience of not broadcasting is worth the marginal reduction in visibility. Note: hidden SSIDs are not security in themselves, but they reduce casual reconnaissance.
Audit your SSIDs periodically. It’s surprisingly common to find old SSIDs still broadcasting from an access point that was never properly decommissioned. Every active SSID is a potential attack surface.
Strong, Rotated Passwords (and Better Yet, Certificate-Based Auth)
If you’re using a pre-shared key (PSK) for your corporate network, it should be complex, not written on a whiteboard in the kitchen, and rotated at least annually - or whenever a staff member with knowledge of it leaves. A 20+ character random passphrase is appropriate.
For a more robust approach, move to 802.1X authentication with RADIUS. Each user (or device) authenticates with their own credentials, typically tied to your Active Directory or Azure AD identity. This means there’s no shared secret to leak, and you can revoke individual access without changing the password for everyone. Microsoft’s Network Policy Server or a cloud RADIUS service can deliver this without enormous complexity.
Rogue Access Point Detection
A rogue AP is an unauthorised wireless access point on your network - either an attacker’s device plugged into a network port, or a well-meaning employee who brought in a cheap router because the Wi-Fi in the back office was weak. Both represent serious security risks.
Business-grade wireless management platforms (Meraki, UniFi, Aruba) include rogue AP detection as a standard feature. They continuously scan the radio environment, identify APs not on your approved list, and alert you. Enable this and configure alerts to go somewhere someone will actually see them.
At minimum, physically audit your network ports periodically to ensure nothing unexpected is plugged in.
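Both the SSID audit recommended earlier and rogue AP detection come down to the same comparison: what the radio environment contains versus what your inventory says it should. The added example below (not a vendor feature or CX IT Services' code) takes a constructed list of scan observations and an assumed approved inventory keyed by BSSID, and sorts each observation into one of four findings: one of your SSIDs broadcast from a radio you do not own, an SSID on a managed AP that was never meant to be there, an unknown AP with a signal strong enough to be on the premises, and distant unknown APs that are most likely neighbours. The signal threshold is an assumption to tune for your building.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Observation:
    bssid: str        # the radio's MAC address as seen over the air
    ssid: str
    signal_dbm: int   # received signal strength at the scanning device


# Approved inventory: each managed radio's BSSID and the SSIDs it is meant to carry (constructed).
APPROVED: Dict[str, Set[str]] = {
    "aa:bb:cc:00:00:01": {"office-a", "visitors"},
    "aa:bb:cc:00:00:02": {"office-a", "visitors"},
}
NEARBY_DBM = -65  # assumed threshold: stronger than this is probably inside the premises

# Constructed scan results, e.g. from the platform's radio survey or a laptop walk-through.
SCAN: List[Observation] = [
    Observation("aa:bb:cc:00:00:01", "office-a", -48),
    Observation("aa:bb:cc:00:00:01", "visitors", -49),
    Observation("aa:bb:cc:00:00:02", "office-a", -55),
    Observation("aa:bb:cc:00:00:02", "office-2019", -56),    # forgotten SSID still enabled on AP 2
    Observation("de:ad:be:ef:00:01", "office-a", -42),       # our SSID from a radio we do not own
    Observation("11:22:33:44:55:66", "TP-LINK_5G", -50),     # unknown AP, strong signal
    Observation("77:88:99:aa:bb:cc", "NeighbourCafe", -85),  # weak, almost certainly next door
]


def triage(scan: List[Observation],
           approved: Dict[str, Set[str]] = APPROVED,
           nearby_dbm: int = NEARBY_DBM) -> Dict[str, List[str]]:
    """Sort observations into findings, most serious first; values are BSSIDs."""
    our_ssids: Set[str] = set().union(*approved.values()) if approved else set()
    findings: Dict[str, List[str]] = {
        "ssid_impersonation": [],            # our SSID from an unapproved radio
        "unapproved_ssid_on_managed_ap": [],  # decommission this SSID on the AP
        "unknown_ap_nearby": [],              # walk the floor / check switch ports
        "unknown_ap_distant": [],             # probably a neighbour; log and ignore
    }
    for ob in scan:
        if ob.bssid in approved:
            if ob.ssid not in approved[ob.bssid]:
                findings["unapproved_ssid_on_managed_ap"].append(ob.bssid)
        elif ob.ssid in our_ssids:
            findings["ssid_impersonation"].append(ob.bssid)
        elif ob.signal_dbm > nearby_dbm:
            findings["unknown_ap_nearby"].append(ob.bssid)
        else:
            findings["unknown_ap_distant"].append(ob.bssid)
    return findings


if __name__ == "__main__":
    for category, bssids in triage(SCAN).items():
        print(f"{category:<32} {bssids}")
```

An unknown radio that is strong from several points in the building is the case that warrants a physical search and a look at the switch's MAC address table to see whether it is plugged into one of your ports; a radio that is weak everywhere is almost certainly outside your walls and only needs to be recorded.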
Firmware Updates and Vendor Support
Wireless access points are firmware-driven devices with a regular cadence of security patches. Many SMB networks have access points running firmware that’s two or three years out of date. Unpatched vulnerabilities in AP firmware are a real and exploited attack vector.
Check your access points’ firmware version against the vendor’s current release. Enable automatic firmware updates where the platform supports it (Meraki does this well). If your access points are end-of-life and no longer receiving security updates from the vendor, they need to be replaced.
Monitoring and Logging
Know what’s happening on your wireless network. At minimum, you should have:
- Authentication logs: who connected, when, from what device
- DHCP logs: which IP addresses were assigned to which MAC addresses
- Alerts on unusual connection patterns (large volumes of failed authentications, new device types, connections at unusual hours)
These logs are essential for incident investigation and are increasingly required by cyber insurance policies. They don’t need to be complex to set up - most business-grade wireless platforms include this capability out of the box.
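The three alert types listed above can be produced from authentication logs alone. The added example below (not CX IT Services' code, and not any vendor's log format) parses constructed syslog-style lines, then flags a client that fails authentication five times within ten minutes, successful connections outside an assumed working day, and successful connections from devices that are not in an assumed asset inventory. The thresholds and the inventory are assumptions to replace with your own values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines in a simple syslog-like layout (not a particular vendor's format).
SAMPLE_LOG = """\
2024-05-14T09:00:12 ap01 auth: client=aa:bb:cc:dd:ee:01 ssid=office-a result=OK
2024-05-14T09:05:40 ap02 auth: client=aa:bb:cc:dd:ee:02 ssid=office-a result=OK
2024-05-14T10:00:03 ap01 auth: client=aa:bb:cc:dd:ee:01 ssid=office-a result=FAIL reason=bad-key
2024-05-14T10:00:09 ap01 auth: client=aa:bb:cc:dd:ee:01 ssid=office-a result=OK
2024-05-14T23:40:51 ap02 auth: client=aa:bb:cc:dd:ee:03 ssid=office-a result=OK
2024-05-15T01:00:00 ap01 auth: client=aa:bb:cc:dd:ee:04 ssid=office-a result=FAIL reason=bad-key
2024-05-15T01:00:40 ap01 auth: client=aa:bb:cc:dd:ee:04 ssid=office-a result=FAIL reason=bad-key
2024-05-15T01:01:20 ap01 auth: client=aa:bb:cc:dd:ee:04 ssid=office-a result=FAIL reason=bad-key
2024-05-15T01:02:00 ap01 auth: client=aa:bb:cc:dd:ee:04 ssid=office-a result=FAIL reason=bad-key
2024-05-15T01:02:40 ap01 auth: client=aa:bb:cc:dd:ee:04 ssid=office-a result=FAIL reason=bad-key
2024-05-15T01:03:20 ap01 auth: client=aa:bb:cc:dd:ee:04 ssid=office-a result=FAIL reason=bad-key
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) auth: client=(?P<mac>[0-9a-f:]{17}) "
    r"ssid=(?P<ssid>\S+) result=(?P<result>OK|FAIL)"
)

# Assumed tuning values: an asset inventory, a failure threshold and the working day.
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 is normal; anything else is after hours


def parse(log: str) -> List[dict]:
    """Turn matching log lines into dicts with a real datetime in 'ts'; skip anything else."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def failed_auth_bursts(events: List[dict]) -> Dict[str, datetime]:
    """MAC -> time at which it reached FAIL_THRESHOLD failures inside a sliding FAIL_WINDOW."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["mac"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > FAIL_WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ev["mac"] not in flagged:
            flagged[ev["mac"]] = ev["ts"]
    return flagged


def after_hours_connections(events: List[dict]) -> List[Tuple[str, str]]:
    """Successful connections whose hour falls outside BUSINESS_HOURS."""
    return [(ev["mac"], ev["ts"].isoformat()) for ev in events
            if ev["result"] == "OK" and ev["ts"].hour not in BUSINESS_HOURS]


def unknown_devices(events: List[dict]) -> List[str]:
    """MACs that connected successfully but are not in the inventory."""
    return sorted({ev["mac"] for ev in events
                   if ev["result"] == "OK" and ev["mac"] not in KNOWN_DEVICES})


def analyse(log: str) -> dict:
    events = parse(log)
    return {
        "bursts": failed_auth_bursts(events),
        "after_hours": after_hours_connections(events),
        "unknown": unknown_devices(events),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The same three checks map directly onto the alert rules most wireless platforms let you define; the value of writing them out is that you can run them over exported logs during an investigation, with your own inventory and thresholds, rather than relying on whatever defaults the platform shipped with.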
A Quick Self-Assessment
Run through these questions about your current wireless setup:
- Are you running WPA3 (or at minimum WPA2-Enterprise with strong keys)?
- Is your guest network isolated from corporate systems at the network layer?
- Do you have rogue AP detection enabled?
- When did you last update your AP firmware?
- When did you last rotate your wireless password?
- Do you know what devices are currently connected to your network?
If you answered “no” or “I don’t know” to more than two of these, your wireless security needs attention.
CX IT Services provides wireless network audits and managed Wi-Fi solutions for Melbourne businesses. If you’re not confident your wireless environment is properly secured, we can assess it and fix what needs fixing.