In this article, we discuss what guest networks are, their benefits, and security risks from a business perspective. Finally, we examine how they can simplify “scope” to ease the path to Cyber Essentials, an inexpensive government (NCSC) certification scheme to improve the digital security of SMEs.
Types of Guest Network?
In today's interconnected business landscape, the seamless integration of technology and connectivity has become essential for driving productivity, collaboration, and innovation. However, with the proliferation of digital assets and the evolving threat landscape, organizations face the daunting challenge of safeguarding their networks against an array of cyber threats while maintaining accessibility for employees, clients, and visitors.
A strategy that many businesses have used as a response is to implement a guest network. However, the term “guest network” is also used in a different context and is therefore much misunderstood!
The two types:
- Some businesses, particularly those in hospitality, create a guest network using a Wi-Fi router solely to provide Internet access for their customers. They achieve this by having a “kiosk” device (e.g. desktop computer) or a Wi-Fi connection to an Internet router that provides direct access to the Internet through the use of a “guest” username and password. The kiosk computer carries no business data, has no impact on their own information system, and does not compromise their security (but software security updates must be maintained).
- The other type of guest network is a resource service, usually reached over the Internet via the organisation’s website, that sits on what is effectively a segregated part of the organisation’s main network.
This article will refer to the segregated guest network. The “Wi-Fi for guests” arrangement is a different matter altogether.
Understanding Network Segmentation and “segregated” Guest Networks
Businesses encourage people to access at least some of their information system through the Internet, via their website. This practice started with e-commerce and became particularly widespread during the COVID-19 outbreak, when not even employees were allowed into business premises.
A conventional approach is to create a “guest” group as one of the login groups on the main network, with reduced access rights. There will still be risks, however:
· Bandwidth and internal performance will still degrade, because excessive usage by guests can monopolize network resources, resulting in decreased performance for essential business operations and potential service disruptions.
· Weak passwords or outdated encryption protocols on unsegregated guest networks can leave these networks vulnerable and can expose sensitive data transmitted between devices to interception by cybercriminals, putting confidential information at risk of being compromised.
· The guest networks present an attractive target for social engineering attacks, where attackers exploit human psychology to manipulate individuals into divulging sensitive information or naively “assisting” with unauthorized access.
· Failure to properly secure guest networks can also result in legal and compliance risks for businesses. Inadequate protection of guest data may violate privacy regulations such as GDPR, leading to legal repercussions, fines, and damage to the organization's reputation.
· Guests may unknowingly introduce malware or other malicious software to the network through their devices, potentially infecting other connected devices and compromising business operations.
The flexible work-practice revolution further extended the requirement for employees to access organisational resources through the Internet. The perceived increase in cybersecurity risk involved in “throwing their network open to the Internet” caused organisations to develop the “segregated network” principle. Through network segmentation, access via the Internet could be either:
- Guest network: casual users, home workers and workers “in the field” log in to the guest network through a company website link using HTTPS (the secure web protocol)
- Main network: employees in a secure location (such as home) access the secure network via a strong password and a VPN (virtual private network)
The guest network was arranged so users didn’t have access to sensitive or personal data, and access couldn’t be elevated by hackers. Such a network is therefore “out of scope” from a security point of view and would not be subjected to external attack like the rest of the organisation’s connected infrastructure.
Benefits of Segregated Networks for Businesses
· The main driving force behind creating a separate guest network is enhanced security. By segregating guest traffic from internal operations, the business mitigates the risk of unauthorized access to sensitive data or systems by simply not allowing it! There can be no privacy or security breaches if the internal operations containing sensitive data are not available to those who log on as guests.
· One useful additional factor is that having separate users on a separate network takes load away from the main network. As a business grows, the demand for access to its digital resources also increases. A guest network will allow the business to accommodate a larger number of visitors without compromising network performance or security.
· A further benefit of the segregated guest network is that it can be labelled “out of scope”, in terms of cybersecurity protection and legislative requirements, because it is effectively “read only” and carries no personal or sensitive data.
Security Risks with incorrectly implemented Guest Networks
Segregated guest networks are implemented (in part at least) to solve security problems on the main network, so security shouldn’t be an issue. However, implementation still requires common sense! Inadequate safeguards in the roll out of any network will inevitably create security and privacy problems.
If the guest network is created as a properly segregated network (and not, in the worst case, simply another group of users on the main network called “guests”), there should be no additional security risk to the main network (quite the opposite, in fact).
If proper segregation is not implemented (perhaps to keep expense to a minimum?), then the benefits of a guest network will not be achieved in practice. Without physical separation from the main network, “guest” users still have the capability to elevate their access and become privy to sensitive resources. That, of course, defeats both of the main benefits of having a guest network in the first place! Why take the risk?
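The difference between nominal and real segregation can be checked rather than assumed. The following is an added example, not code from the article: it models two firewall policies with first-match semantics (a flat network where guests are just another login group, and a segregated guest VLAN that may reach only a web portal and the Internet) and audits whether any guest flow can reach the main LAN. All subnets and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example subnets (assumptions for this example, not from the article).
GUEST = ipaddress.ip_network("10.20.0.0/24")    # segregated guest VLAN
MAIN = ipaddress.ip_network("10.10.0.0/24")     # main business LAN
PORTAL = ipaddress.ip_network("10.30.0.10/32")  # web service guests are allowed to use
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # every other internal range
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match firewall semantics with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"

# Policy A: "guests" are only a login group on a flat network; every host can
# reach every other host, so segregation exists on paper only.
FLAT_NETWORK = [
    Rule("allow", ANY, ANY),
]

# Policy B: real segregation. Guests reach the portal over HTTPS and the
# Internet, and nothing else internal; the main LAN keeps its own policy.
SEGREGATED = [
    Rule("allow", GUEST, PORTAL, 443),
    Rule("deny", GUEST, INTERNAL),   # covers MAIN and any other internal range
    Rule("allow", GUEST, ANY),       # whatever remains is the Internet
    Rule("allow", MAIN, ANY),
]

def guest_can_reach_main(rules):
    """Audit check: can a guest host reach typical services on the main LAN?"""
    probes = [("10.20.0.7", "10.10.0.5", 445),    # SMB file share
              ("10.20.0.7", "10.10.0.5", 3389)]   # Remote Desktop
    return any(evaluate(rules, s, d, p) == "allow" for s, d, p in probes)

if __name__ == "__main__":
    print("flat network, guest -> main reachable:", guest_can_reach_main(FLAT_NETWORK))
    print("segregated,   guest -> main reachable:", guest_can_reach_main(SEGREGATED))
```

The same `evaluate` check can be pointed at a real ruleset export once its rules are loaded into `Rule` objects, which turns "out of scope" from an assertion into something the business can demonstrate.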
Guest Networks and Cyber Essentials
Working towards and achieving a Cyber Essentials certification is good for any business. However, it may prompt them to revise their network infrastructure to meet the requirements of all the listed security controls.
Depending on their circumstances, the business may be advised to set up a segregated guest network, as part of that preparation. That network can then be declared “out of scope”, and not subject to the rigour of Cyber Essentials assessment.
Risk-based mitigation strategies complement Cyber Essentials and go beyond technical controls. For more details, see the Appendix at the bottom of this article.
Conclusion
A comprehensive and proactive approach to cybersecurity is essential for safeguarding critical assets, maintaining business continuity, and protecting the trust and confidence of customers and stakeholders alike.
Incorporating segregated guest networks as outlined above can be seen as part of implementing a realistic and workable cybersecurity strategy aligned with the principles underpinning Cyber Essentials.
Achieving Cyber Essentials does require a number of technical controls to be correctly implemented, which may look daunting. By correctly configuring a guest network to reduce the burden on its “in scope” infrastructure, an SME can simplify its path to certification.
Useful links
A Beginner’s Guide to Network Segregation | PECB
Cyber Essentials by IASME
Appendix: Additional Risk Mitigation Strategies Beyond Cyber Essentials
Adhering to Cyber Essentials via obtaining and renewing certification provides a robust framework for enhancing cybersecurity.
However, businesses with the resources to do so can further strengthen their defences by implementing additional mitigation strategies tailored to their specific needs and risk profile. Here are some complementary approaches to bolster network security and mitigate risk for businesses that have already achieved Cyber Essentials certification, regardless of whether or not they have implemented a guest network:
1. Network Monitoring and Intrusion Detection: Deploy network monitoring tools and intrusion detection systems to continuously monitor network traffic and detect anomalous behaviour indicative of security threats. Real-time alerts and automated responses enable organizations to promptly respond to potential security incidents and mitigate risks before they escalate.
2. User Education and Awareness: Invest in comprehensive cybersecurity training programs to educate employees, contractors, and visitors about best practices for secure network usage. By raising awareness about common threats such as phishing attacks and malware infiltration, businesses empower individuals to recognize and mitigate security risks proactively.
3. Access Control Policies: Implement granular access control policies to restrict guest network access based on predefined criteria such as user roles, device types, and time-based restrictions. By enforcing least privilege principles, businesses minimize the attack surface and mitigate the risk of unauthorized access to sensitive resources.
4. Endpoint Security Solutions: Deploy robust endpoint security solutions, including antivirus software, endpoint detection and response (EDR) systems, and mobile device management (MDM) solutions, to protect guest devices from malware infections and unauthorized access attempts. Regularly update and patch endpoint systems to address known vulnerabilities and strengthen overall security posture.
5. Network Segmentation and Micro-Segmentation: Adopt network segmentation and micro-segmentation techniques to partition network infrastructure into smaller, isolated segments, each with its own security controls and access policies. By compartmentalizing network traffic and resources, businesses can contain the impact of security breaches and limit lateral movement by malicious actors.
6. Backup, Incident Response and Contingency Planning: Develop comprehensive incident response plans and contingency procedures to guide organizations in responding to security and other IT incidents effectively. Establish clear roles and responsibilities, conduct regular tabletop exercises, and maintain communication channels with relevant stakeholders to minimize the impact of security breaches and facilitate timely data and system recovery efforts.
7. Third-Party Risk Management: Assess and mitigate risks associated with third-party vendors, contractors, and service providers that may access the guest network. Implement stringent vendor management practices, conduct due diligence assessments, and establish contractual obligations regarding cybersecurity requirements to mitigate potential risks posed by third-party entities.
There are higher certifications available to cover these matters. IASME offers Cyber Assurance, and the International Organization for Standardization (ISO) offers ISO 27001. The latter was originally designed for large organisations and is considered daunting by many SMEs. As with Cyber Essentials, though, the burden can be reduced by reducing the organisational scope to a subset that is deemed appropriate for assessment.