Wireless Security and Cyber Essentials: What the Assessment Covers

The wireless question that comes up most often in assessments is not about encryption or passwords. It is about guest networks. Specifically, whether the guest network is actually isolated from the corporate network, or whether it just has a different name and the same network access. I would estimate that one in four small businesses I assess have a guest Wi-Fi that is not genuinely separated from the corporate environment. The SSID says "Guest" but every device on it can see the file server.
Honestly, that problem is usually not malicious or deliberate. It is the result of someone setting up the access point in a hurry, creating a guest SSID, and never configuring the VLAN or firewall rules to isolate it. The defaults on many consumer and small business access points do not enforce isolation, and nobody tests whether a device on the guest network can reach internal resources.
What CE actually requires for wireless
The requirements sit under the Secure Configuration and Firewalls controls, not in a dedicated wireless section. Your wireless network is part of your network infrastructure, so the same rules apply.
The encryption must be WPA2 or WPA3 to pass, and for WPA2 that means the AES (CCMP) cipher. WEP is long dead and will fail the assessment immediately. WPA with TKIP is also out of compliance. If your access point is still offering WPA-TKIP as an option and devices are connecting with it, that is a failure. Most modern access points default to WPA2-AES, but I still find older kit in meeting rooms and warehouses running outdated configurations because nobody has logged into the management interface since 2021.
The pre-shared key needs to be strong enough to resist brute-force. CE does not specify a minimum length for Wi-Fi passwords the way it does for user account passwords, but the underlying principle is the same. With WPA2-Personal the attacker does not have to guess against the access point: a captured four-way handshake can be attacked offline at high speed, so a short or dictionary-based passphrase defeats the purpose of the encryption. I recommend at least 20 characters for any Wi-Fi password. The password is entered once per device and remembered, so length is not an inconvenience.
The default admin credentials on the access point must be changed. This falls under the Secure Configuration control in the assessment. Every access point ships with a default admin username and password. If you have not changed them, anyone who can reach the management interface can reconfigure your wireless network. I check this during CE Plus by browsing to the access point's management IP and testing the default credentials.
The guest network problem in detail
Guest Wi-Fi is not a CE requirement, and you do not need to provide one. But if you have one, and it is not isolated, you have accidentally expanded your scope to include every laptop, phone, and tablet that any visitor connects to your network.
Proper guest isolation means a separate VLAN with firewall rules that block all traffic between the guest segment and the corporate network. Guest devices should reach the internet and nothing else: no access to file shares, printers, servers, or management interfaces. The only internal traffic the rules should permit is DHCP and DNS to the gateway that serves the guest VLAN, and those should be explicit allow rules rather than a side effect of a missing deny.
I test this during CE Plus assessments by connecting to the guest network and attempting to reach internal resources. A quick ping sweep or port scan of the corporate subnet tells me within seconds whether the isolation is real. It is remarkable how often it is not.
The fix is usually straightforward to implement. If your access point supports VLANs (most business-grade kit does), create a VLAN for guest traffic, assign the guest SSID to it, and configure your firewall to deny traffic between the guest VLAN and everything else. If your access point does not support VLANs, it is consumer hardware and should probably be replaced with something appropriate for a business environment.
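The firewall side of that fix, as an added example that is not from the original article: the isolation rules expressed as a first-match policy, rendered as an nftables forward chain for a Linux router, next to the "different name, same access" mistake where an allow-all for the guest SSID sits in front of the deny. The interface names (eth0.20 for the guest VLAN, eth0 for the WAN uplink), the sample packets and the rule set itself are illustrative assumptions; adapt them to your own kit. The evaluator mirrors nftables semantics (first matching rule wins, chain policy applies otherwise) so you can see why rule order, not just rule presence, decides whether the guest VLAN is isolated.

```python
"""Guest VLAN isolation as a first-match forward policy (added example, not the
article's own code). Interface names, subnets and packets are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918 ranges
GUEST_IF, WAN_IF = "eth0.20", "eth0"   # assumed guest VLAN and WAN interfaces


@dataclass
class Rule:
    verdict: str                      # "accept" or "drop"
    iif: Optional[str] = None         # match ingress interface, if set
    oif: Optional[str] = None         # match egress interface, if set
    daddr: List[str] = field(default_factory=list)  # match dst in any of these nets
    comment: str = ""

    def matches(self, iif: str, oif: str, daddr: str) -> bool:
        if self.iif is not None and self.iif != iif:
            return False
        if self.oif is not None and self.oif != oif:
            return False
        if self.daddr and not any(ip_address(daddr) in ip_network(n) for n in self.daddr):
            return False
        return True

    def to_nft(self) -> str:
        parts = []
        if self.iif:
            parts.append(f'iifname "{self.iif}"')
        if self.oif:
            parts.append(f'oifname "{self.oif}"')
        if self.daddr:
            parts.append("ip daddr { " + ", ".join(self.daddr) + " }")  # IPv4 only; add ip6 daddr fc00::/7 for ULA
        parts.append(self.verdict)
        if self.comment:
            parts.append(f'comment "{self.comment}"')
        return " ".join(parts)


# Correct ordering: deny private space first, then permit only the WAN path.
ISOLATED = [
    Rule("drop", iif=GUEST_IF, daddr=PRIVATE, comment="guest to any private range"),
    Rule("accept", iif=GUEST_IF, oif=WAN_IF, comment="guest to internet"),
    Rule("drop", iif=GUEST_IF, comment="guest to anything else"),
    Rule("drop", oif=GUEST_IF, comment="nothing initiates into the guest VLAN"),
]

# The "SSID says Guest, same access" mistake: a blanket allow for the guest
# interface placed before the isolation rules. First match wins, so the
# drop rules below it never fire.
NOT_ISOLATED = [Rule("accept", iif=GUEST_IF, comment="guest allowed anywhere")] + ISOLATED


def verdict(rules: List[Rule], iif: str, oif: str, daddr: str, policy: str = "accept") -> str:
    """First-match evaluation, as nftables does; `policy` is the chain default."""
    for r in rules:
        if r.matches(iif, oif, daddr):
            return r.verdict
    return policy


def render_ruleset(rules: List[Rule]) -> str:
    """Emit an nftables file: forward chain with the policy above, plus an input
    chain that lets guests use DHCP and DNS on the gateway and nothing else."""
    fwd = "\n".join("    " + r.to_nft() for r in rules)
    return (
        "table inet guest_isolation {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        "    ct state established,related accept\n"
        f"{fwd}\n"
        "  }\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        "    ct state established,related accept\n"
        f'    iifname "{GUEST_IF}" udp dport 67 accept comment "DHCP from guests"\n'
        f'    iifname "{GUEST_IF}" udp dport 53 accept comment "DNS on the gateway"\n'
        f'    iifname "{GUEST_IF}" tcp dport 53 accept comment "DNS on the gateway"\n'
        f'    iifname "{GUEST_IF}" drop comment "no management access from guests"\n'
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for name, rules in (("isolated", ISOLATED), ("not isolated", NOT_ISOLATED)):
        print(name, "guest -> file server:", verdict(rules, GUEST_IF, "eth0.10", "10.0.10.5"))
    print(render_ruleset(ISOLATED))
```

Load the rendered file with `nft -f` on the router. The chain policy is left at accept so the table composes with whatever already governs corporate traffic; the isolation lives entirely in the guest-specific rules, and the third and fourth rules make sure a second VLAN added later does not silently become reachable from guests.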
WPA2-Enterprise versus WPA2-Personal
WPA2-Personal uses a single pre-shared key for everyone. Everyone who connects knows the same password. If someone leaves the company, you should change the password. In practice, most small businesses never change their Wi-Fi password after initial setup, which means every former employee still knows it.
WPA2-Enterprise uses 802.1X to authenticate each user individually, usually against Active Directory or another identity provider through a RADIUS server. When someone leaves, you disable their account and they lose Wi-Fi access immediately. There are no shared passwords to rotate.
CE does not require WPA2-Enterprise for the assessment. WPA2-Personal with a strong pre-shared key passes the assessment. But Enterprise is materially better security, and if you are running a Windows domain with more than about 20 users, the configuration effort is modest. A Network Policy Server role on Windows Server, a certificate for the RADIUS service, and a group policy to push the wireless profile to clients. It takes an afternoon to set up and eliminates the shared password problem permanently.
I bring this up during assessments as a recommendation, not a requirement. The organisations that implement it are always glad they did. The ones that do not usually cite the complexity, which is fair. It is more complex than a shared password. But it solves a real problem that shared passwords cannot address.
Physical access points and rogue devices
CE does not require wireless intrusion detection or rogue access point scanning. These are enterprise security measures that are outside the scope of the certification.
What CE does care about is whether your access points are securely configured. The admin password is changed and the firmware is current. The encryption is set to WPA2 or better. The management interface is not accessible from the guest network or the internet.
Firmware updates on access points are a common finding. People update their laptops and servers but forget about the access point sitting on the ceiling tile. It runs the same firmware it shipped with, which might have known vulnerabilities. Access points are network infrastructure and need to be patched within the same 14-day window as everything else in scope.
I have walked into offices where a USB-powered travel router was plugged into an ethernet port under someone's desk because the Wi-Fi signal was weak in their corner. That device is now a rogue access point on your network, broadcasting an open SSID with no encryption. The employee thought they were solving a convenience problem. They created an unauthenticated entry point to the corporate network.
Hidden SSIDs and MAC filtering
Two security measures that people think matter and do not.
Hiding your SSID only stops the network name from appearing in the list of available networks on a user's device. The access point still transmits beacon frames, just with the SSID field blanked, and the name is sent in the clear in the probe and association frames every time a client connects. Any passive wireless analyser recovers it the moment a device joins. Hiding the SSID makes your network slightly less convenient for legitimate users and does nothing against anyone with basic technical knowledge.
MAC filtering restricts connections to a list of approved device MAC addresses. The problem is that MAC addresses travel in the clear in every frame header, encrypted network or not, and can be cloned with a single command. An attacker sniffs a legitimate MAC address from a connected device and sets it on their own interface. MAC filtering is bypassed before you have finished your coffee.
Neither of these is a CE requirement, and neither provides meaningful security. I mention them because clients sometimes point to hidden SSIDs or MAC filtering as evidence of wireless security during assessments. They are not evidence of anything except a misunderstanding of how wireless networks work.
What catches people out
The most common wireless failure I see during CE Plus is not encryption or password strength. It is the access point admin password. The device is running WPA2 with a 20-character pre-shared key, the firmware is current, and the guest network is isolated. Then I browse to 192.168.1.1 and log in with admin/admin. Everything else was configured correctly, but the default credential is a failure under Secure Configuration.
The second most common is forgotten access points. The business upgraded their wireless kit two years ago and left the old access point powered on in a cupboard. It is still broadcasting, still using the old password, and still connected to the corporate network. Nobody remembered it existed until I asked about it.
Third on the list is outdated firmware. Business access points from major manufacturers receive firmware updates for years. But unlike Windows Update, these often do not install automatically. Someone has to log into the management interface, download the update, and apply it. If nobody has done that since installation, the device is running firmware with known vulnerabilities, and that is a CE finding.
Getting your wireless right for the assessment
Check every access point, not just the main one but also the one in the warehouse, the one in the meeting room, and the one the previous IT person installed that everyone forgot about. Log into each management interface and verify: admin password changed, WPA2 or WPA3, firmware current, guest isolation configured if a guest SSID exists.
Document your wireless setup before the assessment starts. Which SSIDs are broadcast, which VLANs they map to, what the firewall rules between segments are. This is evidence that the assessor can review without having to test every device individually.
If you have a guest network, test the isolation yourself. Connect to it with a phone, try to browse to the management interface of your switch or access point, try to access a file share. If you can reach anything on the corporate network from the guest SSID, the isolation is not working.
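The self-test described above, and the check I run during CE Plus, as an added example that is not from the original article. Run it from a laptop joined to the guest SSID. The corporate subnet, the management addresses and the port list are constructed assumptions standing in for your own; the point the script makes that a plain "can I ping it" test does not is the difference between "filtered" (no answer, which is what a working drop rule produces) and "closed" (a TCP reset came back, so the host is reachable at the network layer even though that port is shut). Only an all-filtered result means the isolation is real.

```python
"""Probe corporate resources from the guest Wi-Fi (added example, not the
article's own code). Targets and ports below are constructed assumptions."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor
from ipaddress import ip_address, ip_network

CORPORATE_NETS = ["10.0.10.0/24"]                                   # assumed corporate LAN
MANAGEMENT = {"10.0.10.1": "core switch", "10.0.10.2": "access point"}  # assumed mgmt IPs
PORTS = {445: "SMB", 3389: "RDP", 22: "SSH", 80: "HTTP mgmt", 443: "HTTPS mgmt"}


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP connect attempt.
    'open'     - handshake completed
    'closed'   - RST received: the host answered, so it is reachable
    'filtered' - no answer (timeout or unreachable): what isolation should give"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))   # errno instead of raising on failure
        except (socket.timeout, OSError):
            return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"                         # EWOULDBLOCK on timeout, EHOSTUNREACH, ...


def corporate_targets(nets=CORPORATE_NETS, mgmt=MANAGEMENT, ports=PORTS):
    """Every host in the corporate ranges plus the named management addresses,
    paired with each service port."""
    hosts = {str(ip) for net in nets for ip in ip_network(net).hosts()} | set(mgmt)
    return [(h, p) for h in sorted(hosts, key=ip_address) for p in ports]


def check_isolation(targets, probe_fn=probe, workers=32):
    """Probe all targets in parallel and return the ones that answered at all.
    An empty list is the only passing result; 'closed' entries mean the guest
    VLAN can reach the corporate segment even if nothing is listening there."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: (t, probe_fn(*t)), targets))
    return [(h, p, state) for (h, p), state in results if state != "filtered"]


def report(reachable, mgmt=MANAGEMENT, ports=PORTS) -> str:
    if not reachable:
        return "PASS: nothing on the corporate segment answered from the guest network"
    lines = ["FAIL: guest network can reach the corporate segment"]
    for h, p, state in reachable:
        lines.append(f"  {h}:{p} ({ports.get(p, '?')}, {mgmt.get(h, 'host')}) {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_isolation(corporate_targets())))
```

nmap does the same job faster, and reports the same open/closed/filtered distinction; the value of the script is that it spells out why "closed" is still a finding. Run it against the management addresses in particular, because a gateway that is reachable on 443 from the guest SSID is exactly the exposure that turns a default admin credential into a network compromise.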