The Inherent Risk of Guest Wi-Fi Access at Your Church
Unprotected guest networks can become a serious liability for churches if illegal or suspicious content is viewed or downloaded. After all, the church’s name is on the Internet service provider bill that comes every month. Policy enforcement is necessary. Churches must ensure compliance with a lengthy list of laws and regulations, including new U.S. privacy laws, the EU’s General Data Protection Regulation (GDPR), health and financial information confidentiality regulations, and the Child Internet Protection Act.
In addition, the right cybersecurity controls are extremely important when providing complimentary Wi-Fi service to employees or guests. Otherwise, that one networking asset can become a backdoor into your network for others. With Internet of Things (IoT) devices in every workplace, and with enterprise and small- and medium-sized business cloud data applications online 24/7, Wi-Fi security needs to be treated as one of the most essential network tasks and monitored continually.
Safeguards for a Church Guest Wi-Fi Network
There are two essential aspects to consider with guest Wi-Fi: content management and controlled access. We recommend these best practices:
- Invest in an enterprise wireless router to protect your data. Many features in these routers are crucial to maintaining adequate security.
- Use a separate router for guest Wi-Fi access. Keep guest access separate from your church’s main network at all times.
- Isolate IoT devices, such as thermostats, security cameras, and smart TVs, from your main network.
- Configure the guest Wi-Fi to be on a completely different subnet (segregated) and use WPA2, a security protocol that uses encryption to secure networks.
- Create users that have a basic timer schedule. If a guest needs Wi-Fi, give them access as a user with an appropriate time allowance. Configure guests using pre-configured provisioning templates that come with the router.
- Specify bandwidth limitations and policies by individual user or group. Give as little bandwidth as possible per user account; just enough for email is typically adequate.
- If you have a large number of guests who need wireless access, create a user login portal. Most routers offer this along with pre-defined templates. Before they can access the Internet, users will need to log in on this web page using a one-time password you provide.
This will give your church more control over who is on the network and the activity taking place. You also can configure your portal template to automatically generate logs for each session, which provides a much-needed audit trail for each user. These logs can be essential in incident response if a data breach is discovered.
- If you have a smaller number of guest Wi-Fi users, consider a guest access option that you can turn off when not in use. Some consumer routers include this option to make it easy to create guest networks. If you use this, be aware that some router models will automatically create a separate guest network with open Wi-Fi.
- If you use Windows 10, turn off Wi-Fi Sense. This feature makes it all too easy to accidentally share a Wi-Fi password.
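The login-portal practice above (a one-time password, a time allowance per guest, and a log entry for every session) can be modeled in a few lines. This is an added example, not code from the article or from any router vendor; the class name `GuestVouchers`, its methods, and the log field names are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time


class GuestVouchers:
    """In-memory model of one-time guest passwords with a time allowance."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._vouchers = {}      # SHA-256 of code -> voucher record
        self.audit_log = []      # one dict per event, oldest first

    @staticmethod
    def _digest(code):
        # Only the hash is stored, so a leaked table does not reveal usable codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def _log(self, event, guest, device=None):
        self.audit_log.append({"time": self._clock(), "event": event,
                               "guest": guest, "device": device})

    def issue(self, guest, minutes):
        """Create a single-use code; hand it to the guest out of band."""
        code = secrets.token_urlsafe(9)  # 72 bits from the OS CSPRNG
        self._vouchers[self._digest(code)] = {"guest": guest, "minutes": minutes,
                                              "device": None, "expires": 0.0}
        self._log("issued", guest)
        return code

    def redeem(self, code, device):
        """Start a session; return its expiry time, or None if refused."""
        voucher = self._vouchers.get(self._digest(code))
        if voucher is None:
            self._log("rejected_unknown", None, device)
            return None
        if voucher["device"] is not None:  # already used once
            self._log("rejected_reused", voucher["guest"], device)
            return None
        voucher["device"] = device
        voucher["expires"] = self._clock() + voucher["minutes"] * 60
        self._log("session_start", voucher["guest"], device)
        return voucher["expires"]

    def is_active(self, device):
        """True while the device's time allowance has not run out."""
        now = self._clock()
        return any(v["device"] == device and v["expires"] > now
                   for v in self._vouchers.values())
```

Rejected attempts are logged alongside successful sessions, so the audit trail shows reuse of a code as well as who was online and when.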
In addition, every church should filter all Internet traffic (wireless or not) to block file sharing and access to pornographic and suspicious websites.
If your church offers guest Wi-Fi, take the steps above to tighten your security. And if your church doesn’t need a guest network, do not create one. No one can hack into a network that doesn’t exist, and it will give you one less thing to worry about.
This article first appeared on XPastor.org.
Lisa is a partner at Traina & Associates, a CapinCrouse company. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017.