Practical Office Network Hygiene: Guest Wi-Fi, Admin vs User Accounts, and Simple Segmentation

Basic office network hygiene — separate guest Wi-Fi, restricted admin accounts, simple segmentation — prevents most opportunistic attacks. Here is how to do it.

A visitor to a Sligo professional services firm connected to the office Wi-Fi with their laptop. The laptop was infected with malware. Because the visitor network was the same network as the business systems, the malware spread to a file server within the hour. The firm had professional cybersecurity controls in place. They had never thought about their guest Wi-Fi.

Network hygiene is the unglamorous foundation of practical security. It is not exciting. It does not require sophisticated tools. It prevents the opportunistic attacks that spread through neglected configurations, and it limits the damage when something does get through.


What Is Office Network Hygiene?

Office network hygiene is the practice of maintaining a clean, well-configured, and appropriately segmented network — ensuring that different types of traffic and different types of users are appropriately separated, and that administrative access is limited to those who genuinely require it.

Three controls cover the majority of what most Irish SMEs need: a separate guest Wi-Fi network, appropriate separation of admin and user accounts, and basic network segmentation that isolates critical systems.


Guest Wi-Fi: The Most Commonly Missed Control

Every Irish SME that has visitors, clients, contractors, or delivery people in its premises should have a separate guest Wi-Fi network. This is a network that provides internet access but no access to internal systems, shared drives, printers connected to business servers, or any other internal resource.

Most modern routers and Wi-Fi access points support a guest network configuration. The setup takes 15 minutes. The alternative — giving visitors the same Wi-Fi password as your staff, which connects them to your internal network — means that any malware on a visitor's device has direct access to your business systems.

The guest Wi-Fi password should also change regularly. A password given to a client in 2022, written on a Post-it in your reception, and shared across your industry networking group is not a useful security control. Change it quarterly, or use a portal that generates time-limited access codes for visitors.

What network does a visitor connect to when they use your office Wi-Fi? If the answer is the same network as your staff, that is your first fix. Book a free 20-minute strategy call — network configuration reviews are a standard part of our SME security assessments.


Admin vs User Accounts: The Principle of Least Privilege

Every device in your business should have two types of account: an administrator account with full privileges, used only for system management tasks, and a standard user account with limited privileges, used for day-to-day work.

Most Irish SMEs have their staff working as administrators on their own devices. This is the default on Windows when a business IT setup has been done quickly without attention to this specific configuration. The consequence is that malware executing on an administrator's session has the same access that the administrator has — which is full access to install software, modify system settings, and access all files.

The same principle applies to software and services: staff should have access to the systems and data they need for their specific role, and no more. Your receptionist does not need access to your financial records. Your sales team does not need access to your HR system. Your IT provider's support account should not have permanent administrator access to every system — only elevated access for specific tasks, granted on request.
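
One way to check a device for accounts that should not hold administrator rights, as an added example that is not part of the original article. It parses the English-language output of the Windows command `net localgroup Administrators`; the sample output, the account names and the approved list are constructed assumptions.

```python
import re

# Constructed sample of `net localgroup Administrators` output
# (English-language Windows; all account names are made up).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
OFFICE\\Domain Admins
OFFICE\\mary.reception
it-provider-support
The command completed successfully.
"""

# Assumption: the only accounts meant to hold admin rights on this device.
APPROVED_ADMINS = {"administrator", "office\\domain admins"}


def parse_members(output):
    """Return the names listed between the dashed rule and the footer line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True  # the member list starts after the dashed rule
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members


def unexpected_admins(output, approved=APPROVED_ADMINS):
    """Members of the local Administrators group that are not approved."""
    return [m for m in parse_members(output) if m.lower() not in approved]


if __name__ == "__main__":
    for account in unexpected_admins(SAMPLE_OUTPUT):
        print(f"REVIEW: {account} has local administrator rights")
```

Here the day-to-day staff account and the standing IT provider support account are both flagged for review.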


Simple Network Segmentation

Network segmentation means putting different systems on different network segments so that a compromise of one segment does not automatically give access to everything else.

For most Irish SMEs, the practical starting point is separating three things: your operational business systems (file servers, accounting software, internal tools), your guest and visitor network, and your IoT and building management systems (CCTV, printers, smart thermostats, access control panels).

IoT devices are a frequently overlooked attack surface. A networked printer, a CCTV system, or a smart building device typically runs firmware that is rarely updated, often has default passwords that have never been changed, and sits on the same network as your business-critical systems. Putting IoT devices on a separate VLAN — a relatively straightforward configuration on most business routers — means a compromised printer cannot be used as a stepping stone to your file server.


Why This Matters Right Now

Network hygiene gaps are consistently identified in Irish SME security assessments as among the most impactful and least addressed vulnerabilities. They are also among the easiest and cheapest to fix. A separate guest VLAN, standard user accounts for day-to-day work, and IoT isolation can typically be implemented in a half-day by a competent IT provider.

The consequence of not addressing these is not theoretical. Attackers who gain access to a poorly segmented network — whether through a phishing email, a compromised visitor device, or a vulnerable IoT device — find a flat network where everything is accessible from everywhere. A properly segmented network limits the blast radius of any compromise and buys time for detection and response.


What Next

  1. Confirm your guest Wi-Fi is on a separate network. Log into your router management interface or ask your IT provider to confirm. If your guest and staff networks are the same, this is the first fix.

  2. Audit admin accounts on staff devices. Ask your IT provider whether staff are running as standard users or administrators on their day-to-day work accounts. If they are administrators, plan the transition to standard user accounts.

  3. Identify IoT devices on your network. Ask your IT provider to run a network scan and identify all connected devices. Any IoT devices on your main business network should be migrated to a separate VLAN.
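
A sketch of how the results of step 3 can be checked against a segmentation plan, added here as an example and not taken from the original article. The addressing plan, device categories and scan inventory are constructed assumptions; substitute the subnets and device list from your own network.

```python
import ipaddress

# Assumption: example addressing plan for the three segments the article names.
SEGMENTS = {
    "business": ipaddress.ip_network("10.10.10.0/24"),
    "guest": ipaddress.ip_network("10.10.20.0/24"),
    "iot": ipaddress.ip_network("10.10.30.0/24"),
}

# Which segment each kind of device belongs on (hypothetical categories).
EXPECTED_SEGMENT = {
    "file-server": "business", "workstation": "business",
    "visitor-laptop": "guest",
    "printer": "iot", "cctv": "iot", "thermostat": "iot", "door-controller": "iot",
}

# Constructed scan inventory: (ip, device kind) as recorded after a network scan.
INVENTORY = [
    ("10.10.10.5", "file-server"),
    ("10.10.10.21", "workstation"),
    ("10.10.10.40", "printer"),           # IoT device on the business segment
    ("10.10.10.41", "cctv"),              # IoT device on the business segment
    ("10.10.20.17", "visitor-laptop"),
    ("10.10.30.8", "thermostat"),
    ("192.168.1.50", "door-controller"),  # outside every planned segment
]


def segment_of(ip):
    """Name of the planned segment containing this address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def misplaced(inventory):
    """Devices whose actual segment differs from the one planned for their kind."""
    findings = []
    for ip, kind in inventory:
        actual, expected = segment_of(ip), EXPECTED_SEGMENT.get(kind)
        if expected is None or actual != expected:
            findings.append((ip, kind, actual or "unknown", expected or "unclassified"))
    return findings


if __name__ == "__main__":
    for ip, kind, actual, expected in misplaced(INVENTORY):
        print(f"MOVE: {kind} at {ip} is on '{actual}', should be on '{expected}'")
```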


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.