Your office Wi-Fi doesn't stop at the walls. The signal reaches into the hallway, the cafe downstairs, the tenancy next door and the car park — and it carries your accounting data, client records and email out with it. That's not a fault to fix; it's just how radio works. What matters is how well that signal is locked down before it leaves the building.

Here's the uncomfortable part: most Adelaide small and medium businesses secure their office Wi-Fi the same way they secure the internet at home — one password, shared by everyone, unchanged for years. It's quick to set up and it feels fine, right up until an ex-employee, a compromised laptop or a rogue hotspot turns it into a breach. Below are the three gaps that setup leaves open, and a practical way to close each one — none of which needs a bigger Business NBN plan to fix.

The short version: Three gaps account for most weak office Wi-Fi — everything on one flat network, one shared password nobody can revoke, and staff who'll auto-connect to anything. None of them need a bigger internet plan to fix; they need the right hardware set up properly and a few good habits. This article walks through each gap and the practical fix.

Gap 1: Everything shares one network

The most common mistake is mixing everything together. The smart TV in the boardroom, a visitor's personal iPhone, a staff member's laptop, the network printer and your accounting server are all authenticated on the same Wi-Fi with the same password — which means they can all "see" each other. If any one of those devices is compromised — a visitor's malware-infected phone, a smart TV with an unpatched firmware hole — it has a clear line of sight to everything else on the network, including your servers.

The fix is segmentation: use your hardware to split the wireless into separate virtual networks (VLANs) that can't see one another. For most offices, three is the right shape:

| Network | Who's on it | What it can reach |
| --- | --- | --- |
| Corporate | Company-owned devices only, on a hidden network name (SSID), using WPA3 encryption. | The only one with access to local drives, printers and servers. |
| Staff personal | Staff phones and personal devices during breaks. | Straight out to the internet — cannot see any internal business systems. |
| Guest | Clients, contractors and visitors, via an isolated captive portal. | Internet only, fully isolated — including from other guest devices. |

Now a compromised personal phone or a dodgy visitor laptop is a contained problem, not a doorway into your accounting server. Segmentation is a standard feature of business-grade routers and access points — it's rarely a matter of buying more, just configuring what you already have (or should have) correctly.
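To check that a router's rules actually deliver the three-network layout described above, the following added example (not from the original article or any vendor's tooling) evaluates an ordered rule list the way a first-match firewall would and reports every path that breaks the policy. The subnets, rule format and function names are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing plan: one subnet per VLAN from the table above.
VLANS = {
    "corporate": ip.ip_network("10.10.10.0/24"),
    "staff_personal": ip.ip_network("10.10.20.0/24"),
    "guest": ip.ip_network("10.10.30.0/24"),
}
INTERNET_PROBE = ip.ip_address("203.0.113.10")  # documentation-range stand-in

def first_match(rules, src, dst, default="deny"):
    """Evaluate ordered (src_cidr, dst_cidr, action) rules; first match wins."""
    for src_cidr, dst_cidr, action in rules:
        if src in ip.ip_network(src_cidr) and dst in ip.ip_network(dst_cidr):
            return action
    return default

def audit(rules, guest_client_isolation):
    """List where the rules break the intended policy: every VLAN reaches
    the internet, no VLAN reaches another VLAN, and guest devices are
    isolated from each other at the access point."""
    problems = []
    for src_name, src_net in VLANS.items():
        src = src_net[20]  # a representative client address in this VLAN
        if first_match(rules, src, INTERNET_PROBE) != "allow":
            problems.append(f"{src_name} cannot reach the internet")
        for dst_name, dst_net in VLANS.items():
            if dst_name != src_name and first_match(rules, src, dst_net[10]) == "allow":
                problems.append(f"{src_name} can reach {dst_name}")
    if not guest_client_isolation:
        problems.append("guest clients can reach each other")
    return problems

# Constructed rule sets. The broad private-range allow at the top of FLAT_RULES
# matches before the deny below it, so the deny never takes effect.
FLAT_RULES = [
    ("10.0.0.0/8", "10.0.0.0/8", "allow"),
    ("10.10.30.0/24", "10.10.10.0/24", "deny"),
    ("0.0.0.0/0", "0.0.0.0/0", "allow"),
]
SEGMENTED_RULES = [
    ("10.10.0.0/16", "10.10.0.0/16", "deny"),  # block all inter-VLAN routing
    ("10.10.0.0/16", "0.0.0.0/0", "allow"),    # then allow out to the internet
]
```

Probing one address per VLAN is a simplification: rules scoped to individual hosts or ports need a finer-grained check.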

Related reading: we cover the performance side of this — access points versus extenders, wired versus wireless, and keeping guest traffic off staff Wi-Fi — in Why your office Wi-Fi might be letting down a perfectly good NBN connection.

Gap 2: One password nobody can revoke

Here's the question that exposes the second gap: what happens when an employee leaves?

With a single shared password — technically a Pre-Shared Key, or PSK — the honest answer is "nothing, unless you act." That ex-employee can still connect from the car park until you change the password and then manually re-enter the new one on every laptop, phone and printer in the building. In practice, most businesses never get around to it, so the password an employee learned on their first day still works years after they've gone. The same password also tends to end up in personal phones, on that sticky note, and in a text message to a contractor.

The fix is per-user authentication: move from one building-wide password to WPA3-Enterprise, which authenticates each user through 802.1X. Instead of a shared key, each staff member signs in to the Wi-Fi with their own corporate credentials — typically their existing Microsoft 365 or Google Workspace login.

The payoff is immediate: when someone leaves, you disable their email account as you would anyway, and their Wi-Fi access vanishes across every device at the same instant. Nothing to re-key, no password to change across the office, and you get a per-person record of who connected rather than an anonymous shared login.

Gap 3: Staff who'll connect to anything

Attackers don't always go after the router. Often the easier target is the person holding the laptop. The classic technique is the "evil twin": the attacker stands up a rogue hotspot nearby with a name designed to look legitimate — the same name as your office network, or something like "Adelaide_Cafe_Free_WiFi". Any device set to auto-connect joins it without a second thought, and now the attacker sits in the middle of that traffic.

No amount of hardware fixes this one — it's about habits. Two rules cover most of the risk:

  • Turn off "auto-connect to open networks" on work laptops and phones. This single setting stops a device from silently joining a rogue hotspot the moment it walks into range.
  • Make the VPN the baseline off-site. When anyone works from a cafe, a client site or home, the corporate VPN goes on before they open email or a browser — not after. A VPN encrypts the traffic end to end, so even if they are on an evil twin, there's nothing useful to intercept.

These are five-minute conversations that pay for themselves the first time someone's tempted by free Wi-Fi on a site visit. If you'd like the underlying detail on why encryption matters the moment data leaves your building, see Securing business data in transit.
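On the monitoring side of the evil-twin problem described above, this added example (not part of the original article) compares wireless scan results against an inventory of the access points you own and flags beacons that reuse or imitate the office network name. The SSID, BSSIDs, security labels and scan records are all constructed, and the record layout is an assumption about what a survey tool exports.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: your SSID, the BSSIDs of access points you own,
# and the security mode they are configured to advertise.
CORP_SSID = "ExampleCorp"
KNOWN_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
EXPECTED_SECURITY = "WPA3-Enterprise"

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str  # as reported by the scanner, e.g. "Open"

def _fold(ssid: str) -> str:
    """Fold case and drop separators so 'Example_Corp' matches 'ExampleCorp'."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())

def classify(b: Beacon) -> Optional[str]:
    """Return a finding for a suspicious beacon, or None if it looks normal."""
    known = b.bssid.lower() in KNOWN_BSSIDS
    if b.ssid == CORP_SSID:
        if b.security != EXPECTED_SECURITY:
            return "security downgrade on corporate SSID"
        return None if known else "corporate SSID from unknown access point"
    if _fold(b.ssid) == _fold(CORP_SSID):
        return "look-alike of corporate SSID"
    return None

def findings(scan):
    """Map each suspicious beacon's BSSID to the reason it was flagged."""
    return {b.bssid: reason for b in scan if (reason := classify(b))}

# Constructed scan results for illustration.
SCAN = [
    Beacon("ExampleCorp", "02:00:00:aa:00:01", "WPA3-Enterprise"),
    Beacon("ExampleCorp", "02:00:00:bb:00:09", "Open"),
    Beacon("ExampleCorp", "02:00:00:cc:00:03", "WPA3-Enterprise"),
    Beacon("Example_Corp", "02:00:00:dd:00:04", "WPA2-PSK"),
    Beacon("Adelaide_Cafe_Free_WiFi", "02:00:00:ee:00:05", "Open"),
]
```

BSSIDs are not authenticated, so an inventory match is a hint rather than proof; the check complements the auto-connect and VPN rules rather than replacing them.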

Where to start

You don't need to tackle all three at once. In rough order of effort-to-payoff:

  1. This week: brief the team on auto-connect and the off-site VPN rule (Gap 3). No hardware, no cost.
  2. This month: split guests and personal devices off the corporate network (Gap 1). If you already run a business-grade router, this is a configuration exercise.
  3. This quarter: plan a move to per-user Wi-Fi logins tied to Microsoft 365 or Google Workspace (Gap 2), ideally alongside a hardware or network review.

A quick self-check: if you can write your entire office Wi-Fi password on a sticky note, and it hasn't changed since the last person left — you have all three gaps. That's normal, and it's fixable.

Every one of these fixes runs on top of your internet connection, and the connection is the part Caznet actually owns. A stable, business-grade service is what your Wi-Fi, your per-user logins and your off-site VPN all depend on — whether that's Business NBN for a single office, business fibre for higher demand, or NBN Enterprise Ethernet for multi-site or data-heavy operations. If you'd like a sanity check on which of the three gaps to tackle first, our Adelaide team is always happy to point you in the right direction — call 1300 229 638.