Wi-Fi has become an expectation for most customers when dropping into a café or visiting a hotel. Many small businesses want their customers to be able to get connected, but how many know the ins and outs of providing Wi-Fi safely and securely? Paul Peters, Director of the Cyber Resilience Centre for Wales (WCRC) decided to have a sit down with Savva Pistolas from our student services programme, to chat about the state of public Wi-Fi, the requirements and design of any offering that would be required, and what can be done to ensure a safe and easy-going environment when offering Wi-Fi up to customers.
Paul: Do you use public Wi-Fi? We hear a lot about the risks of using public Wi-Fi, is this even a conversation we should be having?
Savva: It definitely is and I use public Wi-Fi all the time, almost every day in fact. In my last year of university you could always find me in a café with my laptop doing work alongside friends, and now I do a lot of work remotely so I can’t see that changing any time soon. Whilst I love a quiet coffee with no interruptions from the outside world, the provision of Wi-Fi from small businesses has enabled and supported the hybrid lifestyle that’s expected from students and workers now – as well as allowing people to just enjoy themselves on their devices when out and about. As we know this can be done relatively safely, the question then becomes not ‘should we be using public Wi-Fi?’ but ‘how can small businesses provide safe, secure, and simple wi-fi for its customers’?
Paul: I agree – and to be clear, the guidance we give at the WCRC is that it is generally safe to use public Wi-Fi if you put protections in place and behave cautiously. But when talking to businesses the question of what they should be keeping in mind when deciding to offer Wi-Fi to customers has come up on a number of occasions. Could you talk a little bit about that?
Savva: Well, I’d boil it down to this: separate, secure, simple. You always want to make sure that you’ve created different partitions of your network for public customer devices and private appliances. You don’t want your till, card reader or private business devices to be seen by customers and anybody who happens to be connected. If you’re a smaller business, you can contact your ISP about setting up a guest Wi-Fi network or creating a separate one that comes from the same router. This creates a separate location on the same Wi-Fi plan and keeps everything cleanly divided.
Paul: That’s sound advice, we do see a lot of SMEs using personal internet plans and consequently having the routers that come with those subscriptions. The shortcomings of then using these in a business environment need to be considered quite seriously.
Savva: Absolutely, and ideally you would set up a public access point that exists almost entirely separately to your private business network. In lieu of this the absolute minimum you should be doing is getting in touch with your internet provider and sorting out a healthy separation of which devices can access what.
Paul: There’s also something to be said for protecting customers when it comes to internet access, could you talk about that briefly?
Savva: Yes, you’re right. Without diving into the legal technicalities, getting to grip with the separation and management of your network also allows you to control what sort of content is available to customers who are using your Wi-Fi. This is important for a few reasons. Firstly, it allows you to stop customers from accessing inappropriate content, which could be important for such reasons as school children or vulnerable people who are probably protected on their own home Wi-Fi networks by parents or guardians. Secondly, it helps you control the atmosphere of your business by prohibiting access to adult content that could be offensive or violent. Sorting out your content safeguarding and blocking may help prevent a difficult situation further down the line.
Paul: What do you think about passwords?
Savva: Well, I’m sure you know what I’m going to say already here, but the WCRC really recommends using the National Cyber Security Centre’s ‘three random words’ method for passwords. They’re secure against dictionary attacks and can be quite memorable. Choose three random words and sprinkle in some numbers or special characters. It’s also going to be far easier to provide this password to your customers on a chalk board or sticker as router default passwords are really long and not very human-friendly.
Paul: It’s important to keep your public Wi-Fi accessible for all users and it’s by design that the three random words process creates something memorable and visible that stays secure against those who aren’t there to see the password.
Savva: Oh, and definitely don’t reuse your public Wi-Fi password for your private Wi-Fi password! Or any password for that matter.
Paul: Yes. It may seem more convenient but sharing passwords like that can lead to huge security problems. I’d quite like to talk about the risks around QRishing. Have you heard much about this?
Savva: Well, it might first be useful to briefly explain what QR is. QR codes are a fantastic way to share links and information – we really saw this explode over the eat-out-to-help out phase of the pandemic when we were trying to champion social distancing and phase out physical menus. A QR code is essentially a sophisticated barcode that can have quite a bit of information stored in it. You scan it with your phone and your phone follows the link. It can have people’s contact information, a website or digital business card, a restaurant menu or ordering screen. They’re really convenient but have enabled a type of attack we’ve called QRishing (Similar to phishing through email but using QR codes to initiate contact between a criminal and a potential victim).
Paul: Yes. The attack works by exploiting the generally unsupervised nature of these QR codes. QR codes are normally stickers on the tables you’d sit at, and if someone was so inclined, they could print out their own stickers with their own malicious links on them.
Savva: Exactly, then all that’s required is putting their sticker over the top of the existing stickers in the small business and waiting for people to scan it. They’ll often present a fake login screen for Facebook, or Twitter. The advice therefore is this - If you’re going to try out QR codes as a way of conveying Wi-Fi information – or even menus, then check them regularly and make sure they’re the codes you’ve put down!
Paul: Lovely stuff. Are there any other things you’d ask small businesses to keep an eye out for?
Savva: I’d ask people to keep an eye out for Wi-Fi networks within range of your business that are using the same name as you – a rogue access point attack involves a criminal spoofing your network and getting customers to join it – from here they can monitor the traffic going to and from their rogue access point and phish for the user’s credentials or passwords.
Paul: That’s really useful. It sounds like a lot but really is the bare minimum if you’re at all concerned with providing safe and secure Wi-Fi to your customers.
Savva: To sum up,
When creating public Wi-Fi for customers, the ideal scenario is creating a different network using business class hardware to create a secure network. If this can’t be achieved, then you should contact your internet service provider and ask how to create a guest network or a separate Wi-Fi network for customers to use.
Make sure you pick a good password that you haven’t used for anything else. This can be shared with customers, but we still suggest choosing three random words with special characters to make a memorable but secure password.
Beware of QRishing attacks if you use QR codes. Check your QR codes regularly and ensure they’re just for connecting to Wi-Fi. Keep an eye out for duplicate or fake Wi-Fi addresses that may be pretending to be your network in an attempt to get customers to join it.
Paul: Thank you for taking the time today, Savva
Savva: Thank you for having me, Paul.
To speak to a member of our team about how our services and membership packages please visit our contact us page on the website and someone will be in touch.