
October 16. Access Control: Securing Your Digital Gateways (Wi-Fi & Networks)
Your Wi-Fi network and broader internal networks are the digital gateways to all your connected devices, resources and data. Just as a physical building needs secure entrances, your networks require robust access controls to prevent unauthorised entry and protect everything within. Ignoring network security is like leaving your front door wide open.
For Home Wi-Fi:
- Change Default Credentials: Immediately change the default username and password for your router. These are often generic and easily found online.
- Strong Encryption (WPA2/WPA3): Ensure your Wi-Fi network is using WPA2 or, even better, WPA3 encryption. This scrambles your data as it travels over the air, preventing eavesdropping. Avoid older, weaker encryption like WEP or WPA.
- Strong Wi-Fi Password (Passphrase): Use a long, complex password for your Wi-Fi network itself.
- Separate Guest Network: Most modern routers allow you to set up a separate guest Wi-Fi network. Use this for visitors and smart home devices (IoT) that don't need access to your main network. This isolates them and limits potential vulnerabilities.
- Disable WPS: Wi-Fi Protected Setup (WPS) can be convenient but often has security flaws. Consider disabling it.
- Regular Firmware Updates: Keep your router's firmware updated. These updates often include critical security patches.
For Organisational Networks:
- Network Segmentation: Divide your larger network into smaller, isolated segments (VLANs). For example, separate guest Wi-Fi, employee networks, server networks, and IoT devices. This limits the lateral movement of an attacker if one segment is compromised.
- Firewalls: Implement and properly configure network firewalls to control all incoming and outgoing traffic, blocking unauthorised connections and malicious content.
- Intrusion Detection/Prevention Systems (IDS/IPS): These systems monitor network traffic for suspicious activity and can alert you or automatically block threats.
- Strong Access Control Lists (ACLs): Define explicit rules for who can access what resources on the network.
- Wireless Security: Implement enterprise-grade wireless security, including strong authentication protocols (like WPA2-Enterprise with RADIUS), and regular audits of wireless access points.
- Vulnerability Scanning and Penetration Testing: Regularly scan your networks for vulnerabilities and conduct penetration tests to identify potential entry points for attackers.
- Logging and Monitoring: Collect and review network logs for suspicious activities.
Securing your networks is fundamental to protecting all connected devices and the valuable data they transmit and store. It's a continuous process of configuration, monitoring, and adaptation.
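To make the segmentation and ACL items above concrete, here is an added example (not part of the original article) that evaluates traffic between the four segments the article names against an ordered rule list with an implicit default deny. The subnets, ports, rule set and the placement of printers in the IoT segment are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan for the four segments the article names.
SEGMENTS = {
    "guest":   ipaddress.ip_network("10.0.10.0/24"),
    "staff":   ipaddress.ip_network("10.0.20.0/24"),
    "servers": ipaddress.ip_network("10.0.30.0/24"),
    "iot":     ipaddress.ip_network("10.0.40.0/24"),
}

# Ordered rules: (action, source segment, destination segment, TCP port).
# "any" matches every segment; port None matches every port. First match wins,
# so the guest denies sit above the broad allow and survive later additions.
ACL = [
    ("deny",  "guest", "servers",  None),  # visitors never reach file shares
    ("deny",  "guest", "staff",    None),
    ("deny",  "guest", "iot",      None),  # printers assumed to sit in the IoT segment
    ("allow", "any",   "internet", 443),   # web browsing for every segment
    ("allow", "staff", "servers",  445),   # SMB file shares
    ("allow", "staff", "iot",      631),   # IPP printing
]


def segment_of(address):
    """Map an IP address to its segment; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(address)
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return "internet"


def evaluate(src, dst, port):
    """Return (action, rule_number); rule_number is None for the implicit default deny."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    for number, (action, rule_src, rule_dst, rule_port) in enumerate(ACL, start=1):
        if (rule_src in ("any", src_seg) and rule_dst in ("any", dst_seg)
                and rule_port in (None, port)):
            return action, number
    return "deny", None  # nothing matched: default deny


if __name__ == "__main__":
    for flow in [("10.0.10.7", "10.0.30.5", 445),      # guest -> file server
                 ("10.0.20.9", "10.0.30.5", 445),      # staff -> file server
                 ("10.0.40.3", "10.0.30.5", 22),       # IoT device -> server SSH
                 ("10.0.10.7", "203.0.113.10", 443)]:  # guest -> internet
        print(flow, evaluate(*flow))
```

The IoT-to-server flow is blocked without any rule naming it, which is the property that limits lateral movement when one segment is compromised.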
Some considerations for Wi-Fi best practice in schools:
- Active Monitoring - ensure all your access points are working and switched on. In a school, access points are often unplugged by other members of staff during classroom moves because of the layout of the building.
- Wireless Management - consider the use of wireless management that offers more than configuration and logging.
- Prioritise Usage - if allowing casual use by staff/visitors for their mobile phones, ensure that critical applications, such as VoIP (phone system) and admin systems, get priority over non-business usage.
- Guest Policies - consider a guest Wi-Fi network for visitors, guests and contractors, where the password can be shared and the network resources are restricted, i.e. no access to printers or network files. Change the guest password regularly. If you are part of a Trust with central staff who move between schools regularly, set up a 'Trust Wi-Fi' so that their devices connect at each location smoothly and with the correct access. Don't make the password the name of the establishment or Password123; ensure it is appropriate.
- Firmware Updates - ensure the firmware on the router is kept up to date to help prevent a cyber attack.
- Ensure any default user names and passwords have been changed for the access points.
- Have a unique SSID (Service Set Identifier) and ensure it's not easy to guess.
- Ensure the data on the Wi-Fi network is encrypted by using Wi-Fi Protected Access (WPA), WPA2 and WPA3.
- For larger systems, consider installing a firewall.
- Review the NCSC Wi-Fi Guidance.
- Review the DfE Wi-Fi Network Standards for Schools and Colleges.
Source of information: Article: EdTech Best Practices Implementing New Wireless Network
Source of information: CISA Securing Wireless Networks
If you're a school or multi-academy trust, review the DfE Wireless Network Standards. We have resources and trackers to help you assess and track your progress: DfE Digital Standards Trackers. The DfE Wireless Network Standards are now statutory and all schools and colleges should aim to meet the standards by 2030. The DfE Wireless Network Standards cover:
🛜 Wireless Standard
🛜 Wireless Signal
🛜 Central Management
🛜 Security Features
💡Today's Cyber Tip: Change Your Router Password!
Today, log into your home Wi-Fi router (usually by typing its IP address into a browser) and change the default administrative password to a strong, unique one. This protects your network settings.
More questions like these are in our Information and Cyber Security Checklist (only viewable with a valid Data Protection Education subscription):
We have a DfE Digital Standard Tracker for Wireless Networks. Watch our video:
DPE Knowledge Bank Guidance and Support:
For schools and colleges, six of the DfE Digital Standards are now mandatory. We have a DfE Digital Standards Tracker tool to help you track your cyber resilience and your progress:

Review our Cyber Security Best Practice Area for micro learning, support, guidance and policies:
Why not have a look at our 'specialist' trainer Harry the Hacker:
