Got roasted in a security audit for using the same Wi-Fi password for guests and staff

Last month we had a security consultant come in to review our small office setup. She looked at our network config and asked why guests could access the same file server as employees. I told her it was fine because we trust our clients. She said trust is not a security policy and pointed out that anyone sitting in our waiting room could potentially grab sensitive files. She made me set up a separate guest VLAN with no access to internal resources. Took me about two hours to reconfigure the router and test everything. I felt stupid I didn't think of it myself since the hardware supported it the whole time. Does anyone else run separate networks for visitors or just wing it like I was?
2 comments
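For anyone who wants to see what "separate guest VLAN with no access to internal resources" looks like as actual firewall policy, here is an added example (my own, not the original poster's router config) for a Linux-based router running nftables. It assumes staff are on VLAN 10 behind a bridge called br-lan, guests on VLAN 20 behind br-guest, eth0 is the upstream, and the router itself hands out DHCP and DNS to guests; all of those names are assumptions, as is the file server address used in the verification step. The point it demonstrates beyond the post is the ordering that matters (the guest-to-staff drop has to sit before the guest-to-internet accept), the two ports guests still need from the gateway, and a check you run from the waiting room afterwards.

```shell
#!/bin/sh
# Added example: guest VLAN isolation on a Linux router with nftables.
# Assumptions (not from the original post): the router runs Linux with nft,
# staff sit on VLAN 10 behind br-lan, guests on VLAN 20 behind br-guest,
# eth0 is the upstream, and the router itself serves DHCP and DNS to guests.
set -eu

LAN_IF="${LAN_IF:-br-lan}"       # assumed staff bridge (VLAN 10)
GUEST_IF="${GUEST_IF:-br-guest}" # assumed guest bridge (VLAN 20)
WAN_IF="${WAN_IF:-eth0}"         # assumed upstream interface
RULESET="${RULESET:-${TMPDIR:-/tmp}/guest-isolation.nft}"

# Write the ruleset. Both filter chains default to drop, so anything not
# listed (guest -> staff, staff -> guest, guest -> router admin) is blocked.
write_ruleset() {
    cat > "$RULESET" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Guests may reach the router only for DHCP and DNS
        iifname "$GUEST_IF" udp dport { 67, 53 } accept
        iifname "$GUEST_IF" tcp dport 53 accept
        iifname "$GUEST_IF" drop
        # Staff VLAN may manage the router (ssh, web UI)
        iifname "$LAN_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Guest -> staff is dropped explicitly, before any accept rule
        iifname "$GUEST_IF" oifname "$LAN_IF" drop
        # Guest -> internet only
        iifname "$GUEST_IF" oifname "$WAN_IF" accept
        # Staff -> internet
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Sanity check before loading: the guest -> staff drop must come before the
# guest -> internet accept, and both filter chains must default to drop.
check_ruleset() {
    drop_line=$(grep -n "iifname \"$GUEST_IF\" oifname \"$LAN_IF\" drop" "$RULESET" | head -n 1 | cut -d: -f1)
    accept_line=$(grep -n "iifname \"$GUEST_IF\" oifname \"$WAN_IF\" accept" "$RULESET" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ] &&
        [ "$(grep -c 'policy drop;' "$RULESET")" -eq 2 ]
}

apply_ruleset() {
    check_ruleset || { echo "refusing to load: ruleset fails sanity check" >&2; return 1; }
    nft -f "$RULESET"
}

# Run this from a laptop on the guest SSID after loading the ruleset.
# $1 is the file server's address (assumed 192.168.10.5 here); SMB on it
# must be unreachable while the internet still works.
verify_from_guest() {
    server="${1:-192.168.10.5}"
    if nc -z -w 3 "$server" 445 2>/dev/null; then
        echo "FAIL: guest can reach file server $server:445" >&2
        return 1
    fi
    nc -z -w 3 1.1.1.1 443 2>/dev/null || { echo "FAIL: no internet from guest VLAN" >&2; return 1; }
    echo "OK: file server blocked, internet reachable"
}

case "${1:-}" in
    apply)  write_ruleset && apply_ruleset ;;
    verify) verify_from_guest "${2:-}" ;;
esac
```

Usage: `sh guest-vlan.sh apply` on the router, then `sh guest-vlan.sh verify 192.168.10.5` from a device on the guest SSID. Note that this only isolates at layer 3; if guests and staff share a bridge, or the access point does not actually tag the guest SSID onto its own VLAN, the drop rule never sees the traffic, which is why the verify step from the waiting room matters more than the ruleset itself.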

jade618, 1mo ago
Push back a little here. Separate guest networks are smart, but your old setup wasn't that bad if you had a decent password and rotated it every few weeks. We run a tiny dental office with one router. Our guest Wi-Fi is a different SSID with the same subnet but isolated by the router's built-in guest portal. Takes five minutes to enable, no VLANs needed. The real risk was your file server being accessible from the waiting room, but that's more of a shared folder permission issue than a total network overhaul. Sounds like that consultant overcomplicated things for a small office.
2
the_piper, 29d ago
Hung onto your consultant story way longer than I should have. Something similar happened at my buddy's coffee shop last year, where they had one network for everything, including the point-of-sale system. A customer sitting there sipping a latte got curious and started poking around and found the printer queue, which had customer credit card slips from the day before. The owner said the same thing to me that you did. He was like, "we trust our regulars." Then we asked him how well he knew the guy who ordered the decaf oat milk latte with extra foam. He didn't even know the guy's name.
0