Securing your wireless network

Wireless local area networks (WLANs) use the same basic structure of components as the traditional Ethernet-wired networks. However, instead of cables, WLANs use infrared or radio frequency technology to transmit data across the network.

Businesses typically use wireless networks within a single building, or as a building-to-building connection, often as an extension to a wired network.

What are the main components of a wireless network?

The physical WLAN architecture is fairly simple. Basic components of WLAN are typically wireless access points and network interface cards (NICs) or client adaptors. You can use other components, such as wireless bridges and repeaters, to extend the reach of your network.

Wireless access points

A central access point is basically the wireless equivalent of a LAN hub. It is a small box (with one or more aerials) that uses a connector to attach it to the rest of your wired LAN.

Access points receive and transmit data from and to all the wireless devices in their area. They can handle many different connections between different devices all talking to each other at once, but the more devices you have connected to the same an access point, the slower they will operate.

You may need more than one access point to cover a building, depending on its range and the composition of any walls or floors between the access point and the wireless network card.

Wireless network interface card (NIC)

The network interface card acts as the radio receiver and transmitter for a specific computer and connects it into the WLAN. It is coupled with the device operating system using a software driver. Most modern laptops or tablets have this Wi-Fi capability built-in, but with older desktop PCs you may need to install one.

Most wireless network cards connect to an access point. However, some NICs can enable a peer-to-peer connection - ie they can talk to other compatible network cards that are within its range. This may be useful for small roaming workgroups of devices that do not require access to the LAN backbone.

Wireless range extenders and bridges

Wireless repeaters can improve or extend the coverage of your network. They work by receiving your existing Wi-Fi signal and relaying your requests and responses between your device and your main Wi-Fi router/access point. With a repeater, you can effectively double the range of your WLAN.

Most WLANs are installed using access points that have omnidirectional aerials or antennae. These transmit wireless signals in all directions, as opposed to directional antennae, which produce a more concentrated signal focused on a narrower area. Depending on the type of signal you need, replacing the antenna of your wireless access point may give you a better range.

Wireless bridges enable high-speed long-range outdoor links between buildings. Their range is typically up to 25 miles. They are based on line-of-sight, so physical obstacles such as trees and tall buildings in the path will negatively impact the signal strength.

How to set up your WLAN?

The different components need to be compatible for the WLAN to function correctly. This is possible because they comply with a set of wireless networking standards intended to enable devices from different manufacturers to work together.

The Institute of Electrical and Electronic Engineers (IEEE) develops official standards to enable wireless local area network (WLAN) devices to work together, regardless of which manufacturer made them.

These standards focus on:

• speed - getting data transmitted faster between PCs and access points
• security - making sure that the wireless capability is not abused

You need to be aware of both factors when choosing wireless networking equipment.

What IEEE standards to prioritise in 2026

Choose Wi-Fi 6 (802.11ax) as your minimum standard. Better still, go for Wi-Fi 6E or Wi-Fi 7 (802.11be). Here's why you should prioritise a newer standard:

Faster speeds and better coverage 

Older standards (like 802.11a/b/g/n/ac) max out at 54-1300 Mbps with patchy range. Wi-Fi 6 can reach 9.6 Gbps. Wi-Fi 7 reaches a maximum of 46 Gbps - fast enough for several simultaneous high-quality video calls, 8K video streaming/VR, large file transfers, and can handle multiple users without lag.

Handles busy networks 

Modern offices have phones, laptops, cameras and IoT devices all competing for Wi-Fi. Wi-Fi 6/7 use smart technology to serve more devices at once on the same or multimple channels. This prevents slowdowns during peak demand.

Cuts interference and latency 

Neighbouring Wi-Fi, microwaves and Bluetooth cause 'noise' and new standards resist this better. Latency drops below 2 milliseconds which is vital for VoIP calls or real-time apps.

Backward compatible 

Wi-Fi 6/7 work with older devices (like Wi-Fi 5 laptops). Your current phones/tablets will be able to connect while you upgrade gradually.

Find IEEE published standards and learn more about Wi-Fi 6 standard.

When considering standards and networking equipment, choose devices that the Wi-Fi Alliance has tested and certified. This guarantees that they meet industry requirements and can work together.

Wireless local area networks (WLANs) transmit and receive data using radio waves rather than wires. This lack of a physical barrier makes WLANs vulnerable to unlawful interception, eavesdropping, hacking and a range of other cyber security issues.

Wireless network security issues and threats

The three most common WLAN security threats include:

• denial of service attacks - where the intruder floods the network with messages affecting the availability of the network resources
• spoofing and session hijacking - where the attacker gains access to network data and resources by assuming the identity of a valid user
• eavesdropping - where unauthorised third parties intercept the data being transmitted over the secure network

To counter these threats, you should make every effort to configure your WLAN correctly. You should also enable a range of security features, such as standard authentication and encryption, alongside other access control mechanisms.

Basic WLAN security features

Early wireless hardware relied on weak security methods. These no longer work against modern threats. Outdated features to avoid include:

• Service Set Identifiers (SSIDs) - these hide your network name, but hackers easily detect and bypass them
• Media Access Control (MAC) filtering - this limits connections by device hardware address, but hackers can spoof them easily
• Wired Equivalent Privacy (WEP) - this is basic, outdated encryption, now easily cracked

WEP is pretty much extinct in new hardware. Legacy devices using it risk total compromise. Even combined, these features offer little meaningful protection.

What is more, WLAN equipment often comes with security measures switched off entirely. If you don't switch these on during setup, you risk leaving your network wide open.

Upgrade your WLAN security protocols

If your WLAN still uses basic features like SSIDs, MAC filtering or WEP, upgrade immediately to Wi-Fi protected access (WPA) - specifically WPA3 with strong, unique passwords. WPA2 is acceptable as a minimum, but vulnerable to known attacks. You should enable WPA3 during router setup for best protection - most modern devices support it. 

Wi-Fi protected access (WPA) is the modern standard that encrypts your business wireless network. It replaced Wired Equivalent Privacy (WEP), which proved particularly vulnerable to hacking.

The Wi-Fi Alliance created WPA protocols to scramble wireless data using stronger encryption. Three generations of protocols evolved to meet growing threats:

• WPA (2003): First fix for WEP - now obsolete.
• WPA2 (2004): This was industry standard for 20 years. Now proven vulnerable to KRACK attacks that steal data mid-session.
• WPA3 (2018): This is the current best practice standard. It offers better protection against password guessing and session attacks, and adds forward secrecy, which means past sessions stay safe even if the system gets compromised.

How does Wi-Fi protected access (WPA) work

With all WPA versions, your router and devices start with one shared password. They use it to mathematically generate different encryption keys for every single data packet - emails, files, web pages. If a hacker intercepts one packet, the key expires immediately. The next packet uses a completely new key. They can't unlock anything without cracking millions of maths calculations per second.

Which WPA should your business have

The National Cyber Security Centre (NCSC) recommends WPA3 for all new wireless network deployments. There are two modes for businesses. You should choose the mode based on your business size and security needs.

Personal mode

This is best for small businesses and teams with under 50 devices. It uses a pre-shared password or passphrase for authentication. Each device gets individual encryption keys, which means that one compromised device doesn't expose others. It's best suited for simple office Wi-Fi, retail or home workers. It works with Wi-Fi 6/7 and most routers since 2020 support it.

Enterprise mode

This is for medium to large businesses with 50+ devices or regulated sectors. It uses a more sophisticated method of encryption with individual user authentication for each user/device. It is required for government contracts, financial services and healthcare sectors, and essential where cyber insurance mandates strong authentication.

Upgrading to WPA3

Most businesses can upgrade their networks to WPA3 without needing technical expertise. It involves logging into your router to change the security setting from WPA2 or WEP to WPA3, creating a strong password, saving the changes and reconnecting your devices. Most modern phones, laptops and printers work fine immediately.

If you're unsure how to do this, ask your ISP or IT support to enable WPA3 for you. WPA3 will work alongside your existing WPA2 devices during upgrade, avoiding the need to replace all of your equipment at once.

Find out more about WPA3.

It's important to note that even WPA3 is not impervious to threats. You should mitigate them via regular software upgrades, including patches to your operating systems and router firmware.

Keep in mind that wireless hardware manufacturers often supply their products with the security settings turned off. Make sure that you set the device up properly before using it. See 10 tips for better wireless network security.

The latest security protocols, based on Wi-Fi protected access (WPA), can help strengthen your wireless local area network defences, but they don't necessarily stop all attacks. You should consider adding virtual private networks and firewalls as additional ways of boosting your network security.

Virtual private networks (VPNs)

VPNs create an encrypted tunnel for all your Wi-Fi traffic, protecting data even if your wireless network uses weak security, or if you're on a public Wi-Fi like coffee shops, hotels or client sites. When used with WPA3, they effectively provide double encryption, keeping data private even when Wi-Fi security fails.

VPNs are essential for:

• remote working - employees safely accessing company files and systems from home
• multi-site businesses - linking branches, warehouses and remote offices with encrypted connections
• guest Wi-Fi isolation - allowing customers to use your Wi-Fi safely without accessing internal systems or seeing employee traffic
• compliance requirements - often mandatory for cyber insurance policies, and necessary for Cyber Essentials, ISO 27001 and data protection compliance

While VPN encryption adds strong protection, it isn't perfect and there are some limitations. For example, you may experience:

• set up challenges - design and deployment often need expertise and most small businesses will need IT consultants
• roaming issues - moving around big buildings/sites can cause connection to drop briefly, as the devices switch between Wi-Fi access points
• performance and speed issues - double encryption reduces throughput and slows down large file transfers
• battery drain - mobile devices and laptops lose more battery with VPN always on

See more on possible problems and security issues in wireless networking.

Firewalls

A firewall is a device or piece of software that controls what data is allowed to pass through it. Effectively, it acts as a digital guard, checking the network and blocking unauthorised traffic.

You can use a firewall in a network for:

• guest Wi-Fi isolation - to separate an insecure part of the network from the secure area where your most critical data is managed
• wireless/wired separation - to split traffic to stop compromised Wi-Fi devices spreading malware to your trusted desktop network
• traffic filtering - to block staff accidentally visiting phishing sites or downloading malware through Wi-Fi

Most broadband routers include basic firewalls, but they rarely protect your WLAN properly. You may need an additional device depending on your network design.

Unless you have good IT security skills available internally, you should seek advice from an experienced consultant to help you design your network and configure your firewall.

It's important to understand that no single solution will give you guaranteed protection against existing network vulnerabilities. In most cases, the best way to secure your wireless network is to:

• set up and maintain the network and the connected devices correctly
• implement appropriate safety measures
• train your staff on acceptable use and networking best practices

Find 10 tips for better wireless network security and read about server security.

A secure wireless network protects your data and operations. Here are some ideas to help you improve your wireless local area network (WLAN) security and get the most out of wireless networking:

Assume hackers target everyone

Hackers scan for unsecured Wi-Fi 24 hours a day. Even small businesses face attacks. If compromised, your network could let attackers reach your customers or suppliers, and one breach is enough to damage your business reputation permanently. To get a better understanding of online threats, see cyber security for business.

Upgrade to WPA3 encryption

If your devices rely on basic WLAN security features such as Wired Equivalent Privacy (WEP), or out of date Wi-Fi Protected Access (WPA) protocols, upgrade them to WPA2 to WPA3 where possible. Modern devices with the latest security protocols offer better protection, especially when used with strong passwords of 20 characters or more.

Choose compatible equipment

Make sure that your new WLAN equipment matches the required wireless networking standards. If possible, order equipment from the same manufacturer to ensure that it's compliant and compatible. If buying from different manufacturers, look for the Wi-Fi Alliance certification mark to ensure devices work together securely.

Change all default passwords

Always enable security features when installing new equipment. Make sure the devices have unique complex passwords, not using common factory default passwords. Many devices now come with unique passwords pre-configured, but you need to ensure this information is not left with the device if it is in a public area where anyone can see it. Read more on Wi-Fi protected access (WPA).

Position access points carefully

Place access points (which transfer data between your devices) away from external walls and windows. This reduces signal leakage outside your building and limits the chances of interception. Use a Wi-Fi analyser app to check coverage.

Authorise all Wi-Fi devices

Only allow approved routers and access points on your network. Check for unauthorised devices weekly. Block staff adding personal routers as one insecure access point could put your entire network at risk. Read more about access points and other wireless network components.

Use a virtual private network (VPN) for remote access or on public Wi-Fi

Require staff to use VPN to access company systems from home, coffee shops, hotels or client sites. A VPN adds a second layer of encryption to WPA3, and protects your data, multi-site office connections and cloud services.

If you can, use firewalls to isolate the WLAN from the rest of your network. See how to improve network security with VPN and firewalls.

Check your network logs regularly

Monitor your network and review router logs periodically for unknown devices or unusual activity, to make sure that your network has not been broken into. If you are not sure how to do this, call in an outside expert. You may also want to set up alerts for failed login attempts. Act quickly if you notice anything suspicious.

Update equipment regularly

Keep software and router or wireless access point firmware up-to-date as this makes it much more difficult for hackers to exploit weaknesses. Enable automatic updates where possible and restart your router every three months to clear up cached data, fragmented connections and memory leaks.

Get an independent security check

Finally, unless you have good technical skills in your business, consider bringing in external experts to check your security measures and test your network each year. They may uncover weaknesses you might have missed. Ask them for a written report from your security audit - this will identify your risk rating, issues found, and give you instructions on how to resolve them. This documentation can be helpful as insurance proof in case of a claim, or as compliance evidence if you're applying for Cyber Essentials certification.

Follow other best practice tips to protect your business online.