1. Secure the router and firewall
- Change the default admin password immediately; use a strong, unique one.
- Disable remote administration from the internet unless you truly need it.
- Keep firmware updated — routers are a common, overlooked entry point.
- Turn off UPnP if not required, and close ports you are not using.
2. Lock down Wi-Fi
- Use WPA3 (or WPA2 at minimum) with a strong passphrase.
- Run a separate guest network for visitors and personal phones — keep it off your business LAN.
- Disable WPS, which can be brute-forced.
3. Segment your network
Put things that don't need to talk to each other on separate VLANs or networks: staff computers, guest Wi-Fi, payment/POS systems, and IoT devices (cameras, printers, smart TVs). If one segment is compromised, the damage stays contained.
4. Control remote access
- Never expose RDP directly to the internet — put it behind a VPN.
- Require MFA on the VPN and on any remote-access tool.
- Remove remote-access software you no longer use.
5. Patch everything on a schedule
Operating systems, applications, routers, firewalls, printers, and cameras all accumulate vulnerabilities over time. Enable automatic updates where possible and keep a simple inventory of the devices that need manual patching, so none of them are forgotten.
6. Reduce your attack surface
- Disable unused services and accounts.
- Change all default device credentials (especially cameras and printers).
- Apply least privilege — users and devices get only the access they need.
7. Back up and monitor
Keep tested backups with at least one copy offline. Enable logging on the firewall and key systems, and review alerts for unusual traffic or logins.
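As an added example of the log review in step 7 (not part of the original checklist), the script below parses constructed firewall log lines in an assumed key=value format and flags admin-service connections (RDP, SSH, Telnet, VNC) arriving from outside RFC1918 address space, separating allowed ones (a service exposed to the internet, the RDP case from step 4) from denied probes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log (not from any real device). The "key=value"
# line format is an assumption; adjust LINE_RE to match your firewall's export.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=allow src=192.168.10.5 dst=192.168.10.20 dport=3389
2024-05-01T09:00:05 action=allow src=203.0.113.7 dst=198.51.100.4 dport=3389
2024-05-01T09:00:06 action=allow src=203.0.113.7 dst=198.51.100.4 dport=3389
2024-05-01T09:00:07 action=deny src=203.0.113.9 dst=198.51.100.4 dport=22
2024-05-01T09:00:09 action=allow src=203.0.113.7 dst=198.51.100.4 dport=3389
2024-05-01T09:01:00 action=allow src=192.168.10.6 dst=192.168.10.20 dport=445
"""

LINE_RE = re.compile(r"action=(allow|deny) src=(\S+) dst=(\S+) dport=(\d+)")
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet", 5900: "VNC"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True for RFC1918 addresses, i.e. traffic that stayed on the LAN."""
    return any(addr in net for net in RFC1918)

def parse(log):
    """Yield (action, src, dst, dport); lines that do not match the pattern are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m.group(1), ipaddress.ip_address(m.group(2)),
                   ipaddress.ip_address(m.group(3)), int(m.group(4)))

def review(log, repeat_threshold=3):
    """Flag admin-port traffic whose source is outside the LAN.

    'exposed' = allowed connections: the service is reachable from the internet
    and belongs behind the VPN. 'probes' = denied attempts the firewall absorbed.
    """
    exposed, probes = Counter(), Counter()
    for action, src, dst, dport in parse(log):
        if dport not in ADMIN_PORTS or is_internal(src):
            continue  # LAN-to-LAN or a non-admin port: not what this review is for
        key = (str(src), str(dst), ADMIN_PORTS[dport])
        (exposed if action == "allow" else probes)[key] += 1
    return {
        "exposed": [dict(src=s, dst=d, service=v, count=n, repeated=n >= repeat_threshold)
                    for (s, d, v), n in exposed.items()],
        "probes": [dict(src=s, dst=d, service=v, count=n) for (s, d, v), n in probes.items()],
    }
```

On the sample log, the internal RDP and SMB sessions are ignored, the three allowed RDP connections from 203.0.113.7 are reported as an exposed service with repeated use, and the denied SSH attempt is listed as a probe.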
Highest-impact first: change default device passwords, put a guest Wi-Fi network in place, and get RDP off the public internet behind a VPN with MFA. Those three close the doors attackers scan for constantly.
Want to know what's exposed?
An internal network audit or vulnerability assessment maps what's actually reachable on your network and ranks the fixes by real risk.