Wireless Security and Cyber Essentials: What the Assessment Covers

The wireless question that comes up most often in assessments is not about encryption or passwords. It is about guest networks. Specifically, whether the guest network is actually isolated from the corporate network, or whether it just has a different name and the same network access. I would estimate that one in four small businesses I assess have a guest Wi-Fi that is not genuinely separated from the corporate environment. The SSID says "Guest" but every device on it can see the file server.
Honestly, that problem is usually not malicious or deliberate. It is the result of someone setting up the access point in a hurry, creating a guest SSID, and never configuring the VLAN or firewall rules to isolate it. The defaults on many consumer and small business access points do not enforce isolation, and nobody tests whether a device on the guest network can reach internal resources.
What CE actually requires for wireless
The requirements sit under the Secure Configuration and Firewalls controls, not in a dedicated wireless section. Your wireless network is part of your network infrastructure, so the same rules apply.
The encryption must be WPA2 or WPA3 to pass. WEP is long dead and will fail the assessment immediately. WPA with TKIP is also out of compliance. If your access point is still offering WPA-TKIP as an option and devices are connecting with it, that is a failure. Most modern access points default to WPA2-AES, but I still find older kit in meeting rooms and warehouses running outdated configurations because nobody has logged into the management interface since 2021.
The pre-shared key needs to be strong enough to resist brute-force. CE does not specify a minimum length for Wi-Fi passwords the way it does for user account passwords, but the underlying principle is the same. A weak Wi-Fi password that someone could guess or brute-force in minutes defeats the purpose of encryption. I recommend at least 20 characters for any Wi-Fi password. The password is entered once per device and remembered, so length is not an inconvenience.
The default admin credentials on the access point must be changed. This falls under the Secure Configuration control in the assessment. Every access point ships with a default admin username and password. If you have not changed them, anyone who can reach the management interface can reconfigure your wireless network. I check this during CE Plus by browsing to the access point's management IP and testing the default credentials.
The guest network problem in detail
Guest Wi-Fi is not a CE requirement, and you do not need to provide one. But if you have one, and it is not isolated, you have accidentally expanded your scope to include every laptop, phone, and tablet that any visitor connects to your network.
Proper guest isolation means a separate VLAN with firewall rules that block all traffic between the guest segment and the corporate network. Guest devices should reach the internet and nothing else. No access to file shares, printers, servers, or management interfaces.
I test this during CE Plus assessments by connecting to the guest network and attempting to reach internal resources. A quick ping sweep or port scan of the corporate subnet tells me within seconds whether the isolation is real. It is remarkable how often it is not.
The fix is usually straightforward to implement. If your access point supports VLANs (most business-grade kit does), create a VLAN for guest traffic, assign the guest SSID to it, and configure your firewall to deny traffic between the guest VLAN and everything else. If your access point does not support VLANs, it is consumer hardware and should probably be replaced with something appropriate for a business environment.
WPA2-Enterprise versus WPA2-Personal
WPA2-Personal uses a single pre-shared key for everyone. Everyone who connects knows the same password. If someone leaves the company, you should change the password. In practice, most small businesses never change their Wi-Fi password after initial setup, which means every former employee still knows it.
WPA2-Enterprise authenticates each user individually, usually against Active Directory or another identity provider through a RADIUS server. When someone leaves, you disable their account and they lose Wi-Fi access immediately. There are no shared passwords to rotate.
CE does not require WPA2-Enterprise for the assessment. WPA2-Personal with a strong pre-shared key passes the assessment. But Enterprise is materially better security, and if you are running a Windows domain with more than about 20 users, the configuration effort is modest: a Network Policy Server role on Windows Server, a certificate for the RADIUS service, and a group policy to push the wireless profile to clients. It takes an afternoon to set up and eliminates the shared password problem permanently.
I bring this up during assessments as a recommendation, not a requirement. The organisations that implement it are always glad they did. The ones that do not usually cite the complexity, which is fair. It is more complex than a shared password. But it solves a real problem that shared passwords cannot address.
Physical access points and rogue devices
CE does not require wireless intrusion detection or rogue access point scanning. These are enterprise security measures that are outside the scope of the certification, consistent with the 2025 attestation evaluation criteria.
What CE does care about is whether your access points are securely configured. The admin password is changed and the firmware is current. The encryption is set to WPA2 or better. The management interface is not accessible from the guest network or the internet.
Firmware updates on access points are a common finding. People update their laptops and servers but forget about the access point sitting on the ceiling tile. It runs the same firmware it shipped with, which might have known vulnerabilities. Access points are network infrastructure and need to be patched within the same 14-day window as everything else in scope.
I have walked into offices where a USB-powered travel router was plugged into an ethernet port under someone's desk because the Wi-Fi signal was weak in their corner. That device is now a rogue access point on your network, broadcasting an open SSID with no encryption. The employee thought they were solving a convenience problem. They created an unauthenticated entry point to the corporate network.
Hidden SSIDs and MAC filtering
Two security measures that people think matter and that do not.
Hiding your SSID prevents the network name from appearing in the list of available networks on a user's device. It does not prevent anyone with a wireless analyser from seeing the network. The access point still broadcasts beacon frames, and any tool can identify the hidden SSID within seconds. Hiding the SSID makes your network slightly less convenient for legitimate users and does nothing against anyone with basic technical knowledge.
MAC filtering restricts connections to a list of approved device MAC addresses. The problem is that MAC addresses are broadcast in the clear and can be cloned in about ten seconds. An attacker sniffs a legitimate MAC address from a connected device and spoofs it on their own hardware. MAC filtering is bypassed before you have finished your coffee.
Neither of these is a CE requirement, and neither provides meaningful security. I mention them because clients sometimes point to hidden SSIDs or MAC filtering as evidence of wireless security during assessments. They are not evidence of anything except a misunderstanding of how wireless networks work.
What catches people out
The most common wireless failure I see during CE Plus is not encryption or password strength. It is the access point admin password. The device is running WPA2 with a 20-character pre-shared key, the firmware is current, and the guest network is isolated. Then I browse to 192.168.1.1 and log in with admin/admin. Everything else was configured correctly, but the default credential is a failure under Secure Configuration.
The second most common is forgotten access points. The business upgraded their wireless kit two years ago and left the old access point powered on in a cupboard. It is still broadcasting, still using the old password, and still connected to the corporate network. Nobody remembered it existed until I asked about it.
Third on the list is outdated firmware. Business access points from major manufacturers receive firmware updates for years. But unlike Windows Update, these do not install automatically. Someone has to log into the management interface, download the update, and apply it. If nobody has done that since installation, the device is running firmware with known vulnerabilities, and that is a CE finding.
Getting your wireless right for the assessment
Check every access point, not just the main one but also the one in the warehouse, the one in the meeting room, and the one the previous IT person installed that everyone forgot about. Log into each management interface and verify: admin password changed, WPA2 or WPA3, firmware current, guest isolation configured if a guest SSID exists.
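The per-device checklist above (encryption, cipher, key length, admin credentials, firmware age, management exposure, guest isolation) as an added, runnable audit. This is example code written for this article, not a tool from the original page; the inventory, the default-credential list and the attribute names are constructed assumptions, and in practice the values would be filled in from each management interface.

```python
from dataclasses import dataclass

# Constructed values for this example; extend the default list for your vendor's kit.
DEFAULT_ADMIN_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
PATCH_WINDOW_DAYS = 14    # the 14-day patching window the article refers to
MIN_PSK_LENGTH = 20       # the article's recommended minimum Wi-Fi password length

@dataclass
class AccessPoint:
    name: str
    ssid: str
    security: str                     # "WEP", "WPA", "WPA2" or "WPA3"
    cipher: str                       # "TKIP" or "AES"
    psk: str
    admin_user: str
    admin_password: str
    days_since_firmware_release: int  # days a newer vendor firmware has been out; 0 if current
    mgmt_reachable_from_guest: bool
    is_guest: bool = False
    guest_isolated: bool = True

def audit_access_point(ap: AccessPoint) -> list[str]:
    """Return the CE-relevant findings for one access point (empty list = nothing to fix)."""
    findings = []
    if ap.security not in ("WPA2", "WPA3"):
        findings.append(f"{ap.security} encryption is not WPA2/WPA3")
    if ap.cipher == "TKIP":
        findings.append("TKIP cipher in use")
    if ap.security in ("WPA2", "WPA3") and len(ap.psk) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    if (ap.admin_user, ap.admin_password) in DEFAULT_ADMIN_CREDS:
        findings.append("default admin credentials unchanged")
    if ap.days_since_firmware_release > PATCH_WINDOW_DAYS:
        findings.append(f"firmware update outstanding for {ap.days_since_firmware_release} days")
    if ap.mgmt_reachable_from_guest:
        findings.append("management interface reachable from guest network")
    if ap.is_guest and not ap.guest_isolated:
        findings.append("guest SSID not isolated from corporate VLAN")
    return findings

def audit_estate(aps) -> dict[str, list[str]]:
    """Audit every access point; returns {name: findings} for devices that have findings."""
    report = {ap.name: audit_access_point(ap) for ap in aps}
    return {name: f for name, f in report.items() if f}

# Constructed inventory: a well-configured office AP, a forgotten warehouse AP, a leaky guest SSID.
INVENTORY = [
    AccessPoint("office-ap", "CorpWiFi", "WPA2", "AES", "x" * 24, "admin", "L0ng-R4ndom-P@ss", 0, False),
    AccessPoint("warehouse-ap", "CorpWiFi-old", "WPA", "TKIP", "warehouse1", "admin", "admin", 400, True),
    AccessPoint("office-guest", "Guest", "WPA2", "AES", "g" * 20, "admin", "L0ng-R4ndom-P@ss", 0, False, True, False),
]
```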
Document your wireless setup before the assessment starts. Which SSIDs are broadcast, which VLANs they map to, what the firewall rules between segments are. This is evidence that the assessor can review without having to test every device individually.
If you have a guest network, test the isolation yourself. Connect to it with a phone, try to browse to the management interface of your switch or access point, try to access a file share. If you can reach anything on the corporate network from the guest SSID, the isolation is not working.
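The isolation test described here and in the CE Plus section above, as an added example written for this article (not the assessor's own tooling). It is run from a laptop joined to the guest SSID against a short, fixed list of your own corporate resources; the names, addresses and ports are constructed placeholders to be replaced with your file server, switch and access point management IPs.

```python
import socket

# Constructed list of corporate resources a guest device must NOT be able to reach.
CORPORATE_TARGETS = [
    ("file-server-smb", "10.0.10.5", 445),
    ("switch-mgmt-ssh", "10.0.0.2", 22),
    ("ap-mgmt-https", "10.0.0.10", 443),
    ("printer-raw", "10.0.10.20", 9100),
]

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt made from the guest SSID."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the service answered
    except ConnectionRefusedError:
        return "refused"         # an RST came back: the host, or a rejecting firewall, answered
    except OSError:
        return "no-answer"       # timeout, no route or host unreachable: traffic was dropped

def check_guest_isolation(targets=CORPORATE_TARGETS, probe=probe_tcp):
    """Probe each target; isolation holds only when nothing on the corporate side answers.

    "open" is a hard failure. "refused" is also treated as a failure: unless your firewall is
    configured to reject rather than drop, a plain RST means the packet reached the host itself.
    """
    results = {name: probe(host, port) for name, host, port in targets}
    return {
        "results": results,
        "open": sorted(n for n, s in results.items() if s == "open"),
        "refused": sorted(n for n, s in results.items() if s == "refused"),
        "isolated": all(s == "no-answer" for s in results.values()),
    }

if __name__ == "__main__":
    report = check_guest_isolation()
    for name, status in report["results"].items():
        print(f"{name:18} {status}")
    print("guest isolation:", "OK" if report["isolated"] else "FAILED")
```

Run it twice: once from the guest SSID (everything should be "no-answer") and once from the corporate SSID (targets should be "open") so you know the probe itself works and a clean guest result is not just a typo in the address list.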