When people think about cyber security, they picture phishing emails, ransomware and compromised SaaS accounts. What most teams forget is that the wireless network is often the biggest, flattest, least-guarded entry point into the business. A shared PSK on a whiteboard, an old SSID still live “for compatibility”, a random access point someone plugged in to “boost signal” – these are the small cracks attackers look for.
In a city like London, your airspace is crowded: neighbouring SSIDs, contractors, visitors, and an army of personal devices. If you haven’t deliberately engineered wireless security, you’ve probably inherited a patchwork of quick fixes. This guide walks through a pragmatic approach to locking down office Wi-Fi without wrecking usability.
Why Wi-Fi is such an attractive target
An attacker doesn’t need a phishing campaign if they can sit in your car park and join a misconfigured SSID. Common issues we still see in live environments:
- Shared passwords everywhere: one pre-shared key (PSK) for all staff. It’s on the whiteboard, in onboarding PDFs, and in old emails. When someone leaves, the key rarely changes.
- Legacy encryption and “compatibility” SSIDs: old WPA (TKIP) or WPA2-PSK networks left up for a printer or “that one old laptop”. Over time, they become the default for half the office.
- Flat networks: laptops, guest phones, AV bars, IoT and building management systems all share one broadcast domain. Compromise any device, move laterally at will.
- Rogue or “helpful” access points: a consumer router plugged under a desk to “fix dead spots” bypasses your segmentation and introduces an unmanaged radio into the air.
- No meaningful visibility: authentication failures, suspicious MACs, repeated attempts from the car park – none of it is monitored or alerted on.
The good news: you can close most of these gaps with a small number of structural changes.
Step 1: Fix how people and devices authenticate
Move away from the “one password for everyone forever” model.
Use 802.1X with certificates for staff devices
For corporate laptops and mobiles, aim for WPA2/WPA3-Enterprise with 802.1X and certificate-based authentication (EAP-TLS):
- No passwords for users to share or reuse.
- Access can be revoked centrally by disabling a certificate or account.
- You can apply role-based policies (e.g., finance vs engineering) using RADIUS attributes.
If you already have an identity provider and MDM, this is often easier than it sounds: devices are enrolled, certificates issued, and Wi-Fi profiles pushed automatically. Make sure the pushed profile pins the RADIUS server’s certificate (or its issuing CA) so clients refuse to authenticate to an impostor access point; EAP-TLS is only as strong as that server check on the client side.
Use per-device PSKs for AV & IoT
For devices that can’t do 802.1X (meeting-room screens, bars, some IoT), use per-device PSKs (DPSK/PPSK):
- Each device gets its own key, mapped to a specific VLAN and policy.
- Compromise one device, revoke one key – nothing else is affected.
- You can restrict a TV to just talk to the conferencing service and controller, not your entire network.
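The difference between one shared PSK and per-device keys is easiest to see in the key material itself. The following is an added example, not code from the original article or from any vendor’s controller: it derives the WPA2 PMK the way the standard does (PBKDF2-HMAC-SHA1 over passphrase and SSID) and models a hypothetical per-device PSK table, with the SSID name, device names and VLAN numbers being constructed for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


# WPA2-Personal derives the Pairwise Master Key (PMK) from the passphrase and SSID:
# PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output (IEEE 802.11i).
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


@dataclass
class DeviceKey:
    name: str
    vlan: int
    passphrase: str
    pmk: bytes
    revoked: bool = False


class DpskRegistry:
    """Hypothetical model of a controller's per-device PSK table (illustration only).

    A real DPSK/PPSK implementation tries each stored PMK against the client's
    4-way handshake; here the table is simply keyed by PMK, which is enough to
    show the device -> VLAN mapping and per-key revocation.
    """

    def __init__(self, ssid: str):
        self.ssid = ssid
        self._by_pmk: dict[bytes, DeviceKey] = {}

    def issue(self, name: str, vlan: int) -> DeviceKey:
        # 16 random bytes -> ~22-character URL-safe passphrase, unique to this device.
        passphrase = secrets.token_urlsafe(16)
        key = DeviceKey(name, vlan, passphrase, derive_pmk(passphrase, self.ssid))
        self._by_pmk[key.pmk] = key
        return key

    def revoke(self, name: str) -> None:
        for key in self._by_pmk.values():
            if key.name == name:
                key.revoked = True

    def authorise(self, passphrase: str) -> int | None:
        """VLAN a client presenting this passphrase lands on, or None to reject it."""
        key = self._by_pmk.get(derive_pmk(passphrase, self.ssid))
        if key is None or key.revoked:
            return None
        return key.vlan


def shared_vs_per_device() -> dict:
    """Contrast one shared PSK with per-device keys on a constructed AV SSID."""
    # Shared model: every screen derives the identical PMK, so one leak exposes them all
    # and rotating the key means touching every device.
    shared = {tv: derive_pmk("Summer2019!", "Office-AV") for tv in ("tv-boardroom", "tv-kitchen")}

    reg = DpskRegistry("Office-AV")
    boardroom = reg.issue("tv-boardroom", vlan=40)
    kitchen = reg.issue("tv-kitchen", vlan=40)
    sensor = reg.issue("temp-sensor-3f", vlan=41)   # same SSID, different VLAN/policy
    reg.revoke("tv-boardroom")                       # e.g. its passphrase turned up on a sticky note
    return {
        "shared_pmks_identical": len(set(shared.values())) == 1,
        "revoked_tv": reg.authorise(boardroom.passphrase),   # None: rejected
        "other_tv": reg.authorise(kitchen.passphrase),       # 40: unaffected
        "sensor": reg.authorise(sensor.passphrase),          # 41
        "unknown_key": reg.authorise("not-a-real-key"),      # None
    }


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())   # 802.11i Annex test vector
    print(shared_vs_per_device())
```

The shared dictionary makes the point of the bullet above concrete: two screens on the same passphrase hold byte-identical PMKs, so whoever captures or reads one has them all. With the registry, revoking the boardroom TV leaves the kitchen TV and the sensor authorising exactly as before, and the sensor lands on its own VLAN without a separate SSID.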
Guest access: isolated and disposable
Guests should never share the same SSID or credentials as staff:
- Put guests on a dedicated SSID and VLAN with client isolation enabled.
- Use short-lived vouchers or simple captive portals. If the guest SSID is open, remember that a captive portal only gates access; it doesn’t encrypt traffic, so prefer WPA3 Enhanced Open (OWE) where your APs and clients support it.
- Apply bandwidth limits and basic filtering so guest traffic can’t starve your corporate users.
Step 2: Design the network with segmentation in mind
Once authentication is sorted, decide who’s allowed to talk to what. Think in classes of devices, not individual MAC addresses.
- Corporate VLANs: laptops and mobiles, with access to core business apps, file shares and collaboration tools. Apply role-based access via your firewall or NAC if needed.
- AV / IoT VLANs: meeting-room kit, building-management systems, sensors, cameras. Strict least-privilege rules – often these only need to talk to a controller or cloud endpoint, not your entire LAN.
- Guest VLAN: egress to the internet only. No east-west connectivity between guests.
The important bit: default-deny east-west traffic, then add explicit allows. This drastically shrinks the blast radius if something gets compromised.
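To make “default-deny, then explicit allows” tangible, here is an added example (not from the original article) that encodes the three device classes above as an allow list, evaluates sample flows against it, and renders the same policy as an nftables forward chain. The VLAN numbers, subnets, interface names and cloud endpoint address are all assumptions chosen for illustration; the evaluator treats return traffic as handled by connection tracking, as the generated ruleset does.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan (hypothetical numbering and addressing) mirroring the three classes above.
ZONES = {
    "corp":  ip_network("10.10.0.0/24"),   # VLAN 10: staff laptops/mobiles (802.1X)
    "av":    ip_network("10.40.0.0/24"),   # VLAN 40: meeting-room kit (per-device PSKs)
    "guest": ip_network("10.90.0.0/24"),   # VLAN 90: guest SSID
}
IFNAMES = {"corp": "vlan10", "av": "vlan40", "guest": "vlan90", "internet": "wan0"}  # assumed


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str        # zone name or "internet"
    proto: str           # "tcp", "udp" or "any"
    dport: int | None    # None = any port
    comment: str


# The explicit allow list. Anything not listed, including all other east-west traffic, is dropped.
ALLOW = [
    Rule("corp",  "internet", "any", None, "staff browsing and SaaS"),
    Rule("corp",  "av",       "tcp", 443,  "staff reach the AV controller UI"),
    Rule("av",    "internet", "tcp", 443,  "AV kit reaches its cloud conferencing service"),
    Rule("guest", "internet", "any", None, "guests: egress only"),
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[str, str]:
    """Decide a new flow; return traffic is assumed to be accepted by connection tracking."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "internet":
        return "deny", "unsolicited inbound from the internet"
    if src == dst:
        if src == "guest":
            return "deny", "guest client isolation (an SSID setting, not a firewall rule)"
        return "n/a", "intra-VLAN traffic does not traverse the firewall"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone) == (src, dst) and r.proto in ("any", proto) and r.dport in (None, dport):
            return "allow", r.comment
    return "deny", "default deny (no explicit allow)"


def to_nft() -> str:
    """Render ALLOW as an nftables forward chain with a drop policy (interface names are assumptions)."""
    lines = [
        "table inet wifi_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        match = f'iifname "{IFNAMES[r.src_zone]}" oifname "{IFNAMES[r.dst_zone]}"'
        if r.proto != "any":
            match += f" {r.proto} dport {r.dport}" if r.dport is not None else f" meta l4proto {r.proto}"
        lines.append(f'    {match} accept comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("10.90.0.5", "10.10.0.20", "tcp", 445),      # guest -> corp file share
                 ("10.40.0.7", "203.0.113.10", "tcp", 443),    # TV -> cloud service
                 ("10.40.0.7", "10.10.0.20", "tcp", 445),      # compromised TV -> corp
                 ("10.10.0.20", "10.40.0.7", "tcp", 22)]:      # staff SSH to TV
        print(flow, "->", evaluate(*flow))
    print(to_nft())
```

The useful check is the third flow: a compromised meeting-room screen trying SMB into the corporate VLAN is dropped not because anyone wrote a rule for it, but because nobody wrote a rule allowing it. Reviewing the rendered chain is also a good habit; if the allow list reads like the device inventory rather than like a list of exceptions, the segmentation is too loose.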
Step 3: Tidy the RF – security and stability go hand-in-hand
Messy RF design isn’t just a performance problem; it’s also a security issue. Poor coverage, sticky clients and noisy channels incentivise people to “fix” things with rogue kit.
Key hygiene points:
- Use as few SSIDs as you can: one for staff (802.1X), one for devices/AV (per-device PSKs) and one for guests is usually enough. Extra SSIDs burn airtime and multiply your policy surface.
- Set sensible minimum data rates: raising minimum rates (e.g., to 12–24 Mbps) pushes devices off marginal cells and reduces the time a client can sit on the edge of your network at very low rates.
- Cap transmit power: many small, intentional cells beat a few loud ones. Over-powered APs spill through walls and floors, making it easier for someone to sit outside and stay associated.
- Prefer 5 GHz (and 6 GHz where available): use 2.4 GHz only for genuine legacy or IoT; it’s more crowded and easier to abuse from distance.
A well-engineered wireless LAN that covers the building properly gives you far fewer excuses to plug in “temporary” extenders and access points.
Step 4: Turn on the lights – monitoring and logging
You can’t defend what you can’t see. At minimum, ensure you can answer:
- Who is authenticating, from where, and using which method?
- How many failures are you seeing – and why (wrong credentials, cert issues, RADIUS timeouts)?
- Are there unusual spikes in association attempts from outside office hours or unusual locations?
- Are DHCP scopes, DNS, and RADIUS ever becoming bottlenecks?
Pull together telemetry from:
- Wireless controller / cloud dashboard (client auth failures, rogue AP detections, airtime utilisation).
- RADIUS server (success/fail, latency).
- Firewall (unusual east-west traffic, IoT devices calling unknown destinations).
- DHCP/DNS servers (scope exhaustion, query latency).
Set actionable alerts – not just “AP down”, but for things like:
- Repeated failed logins on the corporate SSID.
- Unauthorised AP detected in a given area.
- DHCP scope <10% free on any wireless VLAN.
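The three alerts above are simple enough to implement directly once the telemetry is in one place. The following added example (not from the original article, and not tied to any particular controller or RADIUS product) runs them over a constructed, line-oriented log in a hypothetical `timestamp source event key=value` format; the SSID name, authorised BSSID list, thresholds and every sample line are assumptions made up for illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CORP_SSID = "Corp-Secure"                                          # assumed corporate SSID
AUTHORISED_BSSIDS = {"10:20:30:40:50:01", "10:20:30:40:50:02"}     # constructed AP inventory
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)             # repeated-failure rule
DHCP_MIN_FREE = 0.10                                               # alert below 10% free

# Constructed sample log: a hypothetical normalised format, not any vendor's real output.
SAMPLE_LOG = """\
2024-05-14T08:03:11Z radius auth-fail ssid=Corp-Secure user=jsmith mac=aa:bb:cc:dd:ee:01 reason=eap-tls-cert-expired
2024-05-14T08:03:40Z radius auth-fail ssid=Corp-Secure user=jsmith mac=aa:bb:cc:dd:ee:01 reason=eap-tls-cert-expired
2024-05-14T08:04:02Z radius auth-fail ssid=Corp-Secure user=jsmith mac=aa:bb:cc:dd:ee:01 reason=eap-tls-cert-expired
2024-05-14T08:04:30Z radius auth-fail ssid=Corp-Secure user=jsmith mac=aa:bb:cc:dd:ee:01 reason=eap-tls-cert-expired
2024-05-14T08:05:15Z radius auth-ok ssid=Corp-Secure user=ahmed mac=aa:bb:cc:dd:ee:02
2024-05-14T08:05:44Z radius auth-fail ssid=Corp-Secure user=jsmith mac=aa:bb:cc:dd:ee:01 reason=eap-tls-cert-expired
2024-05-14T08:06:00Z wlc ap-seen bssid=10:20:30:40:50:01 ssid=Corp-Secure area=floor-2 rssi=-38
2024-05-14T08:06:05Z wlc ap-seen bssid=de:ad:be:ef:00:01 ssid=Corp-Secure area=floor-2 rssi=-61
2024-05-14T08:06:09Z wlc ap-seen bssid=de:ad:be:ef:00:02 ssid=FreeWifi area=car-park rssi=-80
2024-05-14T08:07:00Z dhcp scope-stats vlan=10 name=corp free=12 total=250
2024-05-14T08:07:00Z dhcp scope-stats vlan=90 name=guest free=100 total=250
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split '<ts> <source> <event> k=v ...' into a dict with a parsed timestamp."""
    ts, source, event, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")), source=source, event=event)
    return fields


class WifiDetector:
    def __init__(self) -> None:
        self._fails: dict[str, deque[datetime]] = defaultdict(deque)  # per-MAC sliding window
        self._alerted: set[str] = set()                                # one alert per MAC per burst

    def feed(self, line: str) -> list[str]:
        ev = parse(line)
        alerts: list[str] = []
        if ev["event"] == "auth-fail" and ev.get("ssid") == CORP_SSID:
            window = self._fails[ev["mac"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["mac"] not in self._alerted:
                self._alerted.add(ev["mac"])
                alerts.append(f"repeated auth failures on {CORP_SSID}: mac={ev['mac']} "
                              f"user={ev.get('user')} n={len(window)} last_reason={ev.get('reason')}")
        elif ev["event"] == "ap-seen" and ev["bssid"] not in AUTHORISED_BSSIDS:
            # An unknown radio advertising *your* corporate SSID is the evil-twin case; rate it higher.
            severity = "HIGH (possible evil twin)" if ev.get("ssid") == CORP_SSID else "MEDIUM"
            alerts.append(f"unauthorised AP {severity}: bssid={ev['bssid']} ssid={ev.get('ssid')} "
                          f"area={ev.get('area')}")
        elif ev["event"] == "scope-stats":
            free, total = int(ev["free"]), int(ev["total"])
            if free / total < DHCP_MIN_FREE:
                alerts.append(f"DHCP scope low: vlan={ev['vlan']} free={free}/{total} ({free / total:.0%})")
        return alerts


def run(lines: list[str]) -> list[str]:
    """Feed lines through one detector and collect every alert it raises, in order."""
    detector = WifiDetector()
    alerts: list[str] = []
    for line in lines:
        alerts.extend(detector.feed(line))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two details matter more than the parsing. The failure counter is a time window per MAC, not a raw total, so a laptop with an expired certificate surfaces once with its reason attached (here `eap-tls-cert-expired`, which is a helpdesk ticket, not an attack) rather than paging someone every minute. And the rogue-AP rule keys on BSSID against your own inventory, with an unknown radio that advertises your corporate SSID rated higher than a stray hotspot in the car park.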
Step 5: Have a simple, written response plan
Security isn’t just prevention; it’s about response when (not if) something odd happens. Your run-book doesn’t need to be complicated:
- Identify the SSID/VLAN/device class involved (corporate vs AV vs guest).
- Contain quickly:
  - Disable an SSID, or
  - Quarantine a device’s VLAN, or
  - Block a MAC or user in RADIUS / NAC.
- Check for blast radius: logs for associated devices, lateral movement, unusual flows.
- Fix & harden: replace credentials/PSKs, adjust ACLs, patch devices, or tighten certificate policies.
- Document what happened and what you changed.
The goal is to make doing the right thing faster than a panicked guess.
Step 6: Implement change in phases, not big-bang
You don’t have to rebuild everything overnight. A low-risk sequence might look like:
- Phase 1 – Introduce a new staff SSID using 802.1X/certificates and migrate users team-by-team.
- Phase 2 – Move AV/IoT onto their own SSID/VLAN with per-device PSKs; lock down ACLs.
- Phase 3 – Clean up legacy SSIDs; remove old PSK networks; tidy RF (power, channels, minimum data rates).
- Phase 4 – Enable richer monitoring and tune alerts; rehearse your response playbook.
If you’d rather have a specialist lead the redesign – RF planning, segmentation, authentication, and validation – you can lean on secure business Wi-Fi engineering in London as a reference point for how a fully managed survey, design and installation project should run end-to-end.
The payoff
Tightening Wi-Fi security isn’t about making life harder for staff; it’s about moving from “everyone shares a password” to predictable, auditable access that fits how modern offices work. When authentication is identity-based, devices are segmented, RF is tidy and monitoring is real, attackers lose most of the shortcuts they rely on.
You’ll know who’s on your network, what they can reach, and how to kick them out cleanly if you have to – without bringing the business to a halt.
