Simple router security for small businesses

If your small business is anything like mine, you won’t have the luxury of time to even think about messing around with your router, let alone have the time to do it. That’s a mistake. Hackers and scammers target small businesses for that very reason. None of us want to be a statistic so I encourage you to spend half an hour reading this guide and following the steps I outline.

The result will be a much more secure business network at no cost to you aside from a little time. You can take network security much further of course, but these small changes can elevate your security way above the norm and dissuade all but the most determined hacker from breaking into your network.

That alone makes this a valuable investment in time and effort.

Why you need to secure your router

As mentioned above, small businesses are now prime targets for hackers because they don’t have dedicated security specialists like enterprise does. They are more lucrative than home users too, which is another reason why they are targeted.

Small businesses are regarded as low hanging fruit as we are usually busy and lack the security skills to properly secure a router and the network.

Let’s change that.

Simple router security changes that take less than half an hour

By making some simple changes to how our small business router is configured, we can improve its security exponentially. You don’t need to buy new hardware. No need to buy new software or pay an expert to make these changes. Each is simple, easy to understand and can make your business much more secure.

A couple of points first.

You will be changing some configuration settings on your router so will need the login before you begin. The router login should either be on a card that came with the router or on a sticker on the side, bottom or rear of the router itself.

There should also be an IP address by the login details. Put that address into your browser to access your router configuration application. The address is usually https://192.168.1.1 or https://192.168.0.1.

Once you’re logged in you’re ready to go.

Finally, different router manufacturers have different naming conventions. Where I say check the WiFi page, your router may call it wireless, Wi-Fi or something else. That’s fine as long as the setting you’re changing is the same setting, even if it’s called something slightly different.

We are going to:

1. Update the router firmware.
2. Change the default router login and password.
3. Change the WiFi password.
4. Change the WiFi SSID.
5. Disable Guest Networks.
6. Check the WiFi encryption type.
7. Disable WiFi Protected Setup.
8. Disable remote access.
9. Verify the firewall is active.
10. Check your network for connected devices

It may look a lot but it won’t take long to achieve I promise!

One thing to remember when making changes is that you need to save them before they become active. The rule is to save changes every time you change a page in the router app. If you don’t, the router will forget them and you will have to repeat each step.

Some of these changes will happen on the same page within the router app. It is okay to make all the changes on the same page at once and save all at once afterwards.

Update the router firmware

Firmware is the equivalent of the operating system on your computer. We update the firmware first because the manufacturer may change some of the menu options or router features and we want to take advantage of those.

1. Open the Administration page on your router.
2. Look for the Update setting.
3. Enable automatic updates if you have the option.
4. Select Check For Updates if you don’t.

Allow the router to download and install any updates it finds. It will need a reboot once complete which will take around a minute.

Change the default router login and password

Did you know that around 82% of users don’t change the default router login? These defaults are well known to hackers and makes breaking into your network child’s play.

1. Open the Administration page on your router.
2. Change the username to something different.
3. Change the password to something different. Make it strong but memorable.
4. Save the changes.

Some routes will allow you to change the username and password while others will only allow you to change the password. Do what you can with what you have and make sure the password is as difficult to guess as possible while remaining memorable.

Change the WiFi password

The WiFi password is the one you have to add to a new device you want to connect to wireless. If you left this at default, now is a good time to change it.

1. Open the WiFi or Wireless page on your router.
2. Change the WiFi access password to something else.
3. Save the change.

Like your router password, make it as difficult to guess as possible while remaining memorable. If you currently have devices connected to WiFi, you will have to log them in again using this new password.

Change the WiFi SSID

The WiFi SSID, Service Set Identifier, is your wireless network name. If you leave this default, it identifies the router make, which is an advantage to a hacker. It can also identify you as a business if you have changed it.

1. Open the WiFi or Wireless page on your router.
2. Change the SSID to something else.
3. Save the change.

Don’t make your WiFi SSID identifiable. Don’t name it ‘Smith&SonsButchers’ or something that says who you are. Give it a random name that has no links to you or your business.

Disable Guest Networks

Guest networks can be useful for businesses who want to segment their network between public and private but most won’t use them. So let’s turn them off to give a hacker one less attack vector.

1. Open the WiFi or Wireless page on your router.
2. Find Guest Network and disable it.
3. Save the change.

Depending on your router, this will be a check box or toggle. You can always enable it again if you need it in the future.

Check the WiFi encryption type

While you’re on the WiFi page of your router, check what type of encryption it is using. There are a couple of types, WPA and WPA2. We want to use WPA2 as it is the current standard. WPA can be hacked in minutes so is quite useless.

Check your WiFi/Wireless page for mention of WPA or WPA2. Make sure WPA2 is selected. Change it to WPA2 if it isn’t.

If you have the option to choose between TKIP or AES, select AES. Both are relatively secure but AES is the current standard.

Disable WiFi Protected Setup

WiFi Protected Setup was designed to make it easy for guests to join a WiFi network by entering a PIN or pressing a button on the router. We want to disable PIN access as this is a security weakness.

1. Open the WiFi or Wireless page on your router.
2. Find WPS and disable.
3. Save the change.

Disable remote access

Remote access is another ‘helpful’ feature on many routers. It allows an IT support tech to connect from the outside to your router to help diagnose problems. The vast majority of users won’t need this. Leaving it enabled is also a security hole so let us close it.

1. Navigate to Administration or where you see the option for remote access.
2. Toggle it off or uncheck the box next to it.
3. Save the change.

You can always enable it if you require remote assistance in the future. Just reverse the change here. Remembering of course to disable it once you no longer need it.

Verify the firewall is active

Most newer routers and all business class routers should come with a hardware firewall. This plays an important part of defence in depth which is important in cyber security. We always want the firewall to be running on a router unless you have a dedicated firewall appliance.

1. Open the Network or Security page on your router.
2. Navigate to the Firewall section and make sure the firewall is enabled.

Check your network for connected devices

Our final check is a quick audit. We want to see who is connected to your small business network so we can remove anyone who shouldn’t be there. It is a simple process, so don’t worry!

1. Navigate to your Router’s network map or list of connected devices.
2. Check all connected devices to make sure they are authorised.

If you see devices you don’t recognise, we can kick them off the network. If someone complains they have no WiFi, you know who they are. If nobody complains, it may have been someone you don’t know.

There is a specific process for this. It is similar to changing the WiFi password but involved a couple of extra steps.

1. Open another tab on your browser and navigate to the WiFi or Wireless page.
2. Change the WiFi access password to something else.
3. Do not save the change yet.
4. Go back to the network map page.
5. Select the Kick or Remove from Network option but the device you don’t recognise.
6. Quickly switch back to the WiFi password page and select Save.

This process removes the unrecognised device from the network and changes the password quickly enough to make it extremely difficult for them to reconnect.

Arguably you don’t need to change the password again if you have just changed it so it’s up to you if you do that or not. I suggest doing it to make double sure but it is entirely up to you!

That’s all there is to securing your small business router. You could take it further by changing your router IP address, adding a hardware firewall or implementing a DMZ but that’s overkill for the average small business.

What we have done here won’t make your network impervious to hacking but it drastically reduces  the chances of it happening. You can get back to running your business now, your work here is done!