Guest WiFi for Employee Devices

We have two important dynamics that are having huge negative repercussions for network security in most businesses. These are hitting small businesses harder than large ones, where some of these issues are governed by corporate policy. But policy is not preventing these trends very well.

The first issue is the desire of employees to keep up on their personal email and social network accounts (Facebook, Instagram, Twitter, etc.) while in the office. This introduces a stream of email, attachments, links, videos, and downloads that have not been vetted by corporate email systems, and that bypass firewalls and other security systems. Since web browsers have to be available for business use, HTTP port 80 is open on every firewall. All this stuff rides in on unblocked, unfiltered, and unprotected port 80. The largely ineffective solution is to ban this behavior through company policy, or block sites like Facebook at the firewall. Most employees will still engage in this activity when possible.

The second issue is the presence of BYOD devices including smartphones, tablets, and personal laptops.  In many cases the employees are linking up to corporate wireless access points and joining the corporate network, where any embedded malware on personal devices can spread to corporate computer resources.

You can educate, cajole, harangue, and even terminate the offenders, but you will not stop this behavior, especially among your millennial employees, for whom this is just part of their everyday life. But it is not just millennials; everyone is plugged in these days. So if you can’t beat ’em, accommodate them. The best solution is simply to allow it, with conditions.

Set up a separate guest wireless network for your employees to use with their personal smartphones, tablets, and laptops. You may have one already for actual guests or clients to use, and if so, encourage your employees to use that network, and ask them, as a matter of security, to stay off the corporate WiFi. If you do not have a second wireless network, I urge you to set one up for this purpose now. It’s even better if you set it up on a separate network segment and segregate it from your corporate network. This way they can use their own devices to read their personal email, and any emails bearing “gifts” from cyber-criminals will not migrate into the corporate computer network to cause expensive problems.
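What "segregate it from your corporate network" has to mean at the router or firewall, shown as an added example that is not part of the original article: a short Python audit of a first-match forwarding rule list. The subnets, rule lists and function names are all constructed for illustration.

```python
# Added example, not from the article. Subnets and rule lists are constructed.
from ipaddress import ip_network

CORP = ip_network("10.10.0.0/24")    # assumed corporate LAN
GUEST = ip_network("10.20.0.0/24")   # assumed employee/guest WiFi segment
ANY = ip_network("0.0.0.0/0")

# Forwarding rules as (action, source, destination), first match wins.
# Guest SSID exists, but "allow guest to any" also covers the corporate LAN.
WEAK = [("allow", GUEST, ANY), ("allow", CORP, ANY)]
# The deny is present but sits below the allow, so it never matches.
MISORDERED = [("allow", GUEST, ANY), ("deny", GUEST, CORP)]
# Guest is cut off from corporate first, then given internet access.
SEGREGATED = [("deny", GUEST, CORP), ("allow", GUEST, ANY), ("allow", CORP, ANY)]


def narrow(a, b):
    """Overlapping CIDR blocks always nest, so the intersection is the smaller one."""
    return a if a.prefixlen >= b.prefixlen else b


def guest_to_corp_leaks(rules, guest=GUEST, corp=CORP):
    """Return (rule_number, src, dst) for each allow rule that lets guest reach corp.

    Rule number 0 means both networks share address space, so no firewall rule
    sits between them. An allow is only treated as blocked when a single earlier
    deny covers it completely, which errs toward reporting.
    """
    if guest.overlaps(corp):
        return [(0, str(guest), str(corp))]
    leaks, denies = [], []
    for number, (action, src, dst) in enumerate(rules, start=1):
        if not (src.overlaps(guest) and dst.overlaps(corp)):
            continue  # rule does not touch guest-to-corporate traffic
        flow = (narrow(src, guest), narrow(dst, corp))
        if action == "deny":
            denies.append(flow)
        elif not any(flow[0].subnet_of(s) and flow[1].subnet_of(d) for s, d in denies):
            leaks.append((number, str(flow[0]), str(flow[1])))
    return leaks


if __name__ == "__main__":
    for name, rules in [("weak", WEAK), ("misordered", MISORDERED), ("segregated", SEGREGATED)]:
        print(name, guest_to_corp_leaks(rules) or "isolated")
```

A second SSID alone does not isolate anything: only the last rule list, where the deny comes before the guest's internet allow, reports no path from guest devices to the corporate segment.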

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
