IS-08 · Identity & Access · 8% of OML score

Is company Wi-Fi secured with a strong password and modern encryption (not open or weak)?

Is your office Wi-Fi protected with a strong password that is hard to guess, and is it using modern security technology (encryption) so outsiders cannot easily connect and see your data? If your Wi-Fi is open or uses an old, weak password, anyone nearby can join your network and steal information without you knowing.

⚡ Why This Matters to Your Business

When Wi-Fi is unprotected or poorly secured, any person sitting outside your office can connect to your network, intercept emails, steal customer data, or plant malware on your computers. A manufacturing unit in Pune lost ₹15 lakhs when an attacker using the open guest Wi-Fi accessed their accounting system and diverted payments. Weak Wi-Fi also violates the DPDP Act requirements for protecting personal data, which can result in regulatory fines and loss of customer trust. Banks and large customers conducting due diligence will fail you on security audits if your Wi-Fi is not properly secured.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You walk into the office and see a Wi-Fi network name (SSID) visible on any smartphone with no password required to connect, or with a default password like 'admin' or '12345'. Anyone in the parking lot or street outside can join your network freely.

Level 1: Initial

Your Wi-Fi has a simple password like 'office2024' or your company name that is written on a board near reception or shared casually with visitors. The router is using older security like WEP or basic WPA without strong encryption.

Level 2: Developing

Your Wi-Fi has a reasonably strong password (8+ characters with letters and numbers) that is known only to staff and documented in a locked notebook. The router is using WPA2 encryption, but the password has not been changed since installation.

Level 3: Defined

Your Wi-Fi uses WPA3 or strong WPA2 encryption with a complex password (12+ characters, mixed case, numbers, symbols) that is documented securely. The password is changed every 90 days and only IT staff know the current password; guests use a separate guest network.

Level 4: Managed

You have a primary secure Wi-Fi network with WPA3 encryption and a separately managed guest network with bandwidth limits. All connected devices are logged, Wi-Fi activity is monitored for suspicious behavior, and the password is rotated quarterly with enforcement.

Level 5: Optimised

Your Wi-Fi infrastructure includes multi-factor authentication for sensitive systems, automatic encryption key rotation, continuous monitoring for rogue access points, and security testing done quarterly by an external vendor. Network segmentation isolates guest and employee traffic, and all Wi-Fi access is audited and reported to management monthly.

🚀 How to Move Up — Practical Steps

Step 0 → 1
What to do: Set a basic but non-default password on your router (minimum 8 characters) and ensure WPA2 encryption is enabled in router settings. Hide the SSID broadcast if possible so the network is not visible by default.
Who: IT person or someone who can access the router (usually via 192.168.1.1 in a browser)
Effort: 2-4 hours

Step 1 → 2
What to do: Create a strong password policy (at least 10 characters with uppercase, lowercase, numbers) and update the Wi-Fi password to meet this standard. Document the new password in a locked file and set it to change every 90 days. Verify in router settings that WPA2 or WPA3 is the only encryption method enabled.
Who: IT person or admin
Effort: 1 day

Step 2 → 3
What to do: Upgrade router firmware to the latest version to enable WPA3 if available. Set up a separate guest Wi-Fi network with a different strong password and lower bandwidth limits. Restrict access to the router admin interface with a different strong password. Create a written Wi-Fi security policy and share it with all staff.
Who: IT person, possibly with external IT consultant support
Effort: 3-5 days

Step 3 → 4
What to do: Implement Wi-Fi monitoring tools to log connected devices and detect unusual access patterns. Set up automated password rotation every 90 days. Create a process to audit who has access to Wi-Fi credentials. Perform a quarterly security scan to check for rogue access points or weak settings.
Who: IT person with possible help from a cybersecurity consultant
Effort: 2-4 weeks

Step 4 → 5
What to do: Implement certificate-based authentication for critical users, integrate with your identity management system if you have one, and conduct annual penetration testing of Wi-Fi security by an external certified professional. Establish a security incident response plan specific to Wi-Fi breaches.
Who: IT manager or Chief Information Security Officer with external vendor support
Effort: Ongoing (monthly review and quarterly testing)
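The maturity ladder above and the step table describe a configuration you can actually check: encryption mode, passphrase rules, how old the passphrase is, a separate guest SSID with its own passphrase, a changed router admin password, a log of which devices connect, and a survey for rogue access points. The Python script below is added here as a worked example; it is not part of the NIRMATA guide and not Elytra Security tooling. It turns those rules into an audit that reports each finding together with the maturity level it rules out. It assumes you have already copied the relevant facts from your router admin page or controller export into the `Network` and `Site` records (those field names are this example's own); every SSID, MAC address, passphrase and date in it is constructed sample data. Level 5 controls (certificate-based authentication, external testing) are not visible to a configuration check, so the computed level is capped at 4.

```python
"""Wi-Fi posture check for the IS-08 ladder. Added example, not NIRMATA or Elytra Security
code; every SSID, MAC address, passphrase and date below is constructed sample data."""
import re
from dataclasses import dataclass
from datetime import date

ROTATION_DAYS = 90                                    # the guide's rotation interval
DEFAULT_PASSPHRASES = {"admin", "12345", "password"}  # constructed list of vendor defaults
TODAY = date(2024, 6, 1)                              # constructed reference date

@dataclass
class Network:
    ssid: str
    bssid: str            # MAC address of the access point we configured
    security: str         # open | wep | wpa | wpa2 | wpa3
    passphrase: str       # empty for an open network
    last_rotated: date
    is_guest: bool = False

@dataclass
class Site:
    networks: list        # networks we operate
    scan: list            # (ssid, bssid) pairs seen in a site survey
    staff_devices: set    # client MACs approved for the staff network
    seen_clients: dict    # staff ssid -> client MACs from the router log; missing key = no logging
    admin_password_changed: bool

def char_classes(p):
    """Count the lowercase, uppercase, digit and symbol classes present in a passphrase."""
    return sum(bool(re.search(rx, p)) for rx in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def audit(site, today):
    """Return (blocked_level, message) findings: the lowest maturity level each one rules out."""
    findings = []
    our_ssids = {n.ssid for n in site.networks}
    our_bssids = {n.bssid for n in site.networks}
    staff = [n for n in site.networks if not n.is_guest]
    guests = [n for n in site.networks if n.is_guest]
    for n in site.networks:
        p = n.passphrase
        if n.security == "open":
            findings.append((1, f"{n.ssid}: open network, anyone nearby can join"))
        elif p.lower() in DEFAULT_PASSPHRASES:
            findings.append((1, f"{n.ssid}: default passphrase still in use"))
        elif len(p) < 8 or not (re.search(r"[A-Za-z]", p) and re.search(r"[0-9]", p)):
            findings.append((2, f"{n.ssid}: passphrase below the 8-character letters-and-digits rule"))
        elif not n.is_guest and (len(p) < 12 or char_classes(p) < 4):
            findings.append((3, f"{n.ssid}: passphrase below the 12-character, four-class rule"))
        if n.security in ("wep", "wpa"):
            findings.append((2, f"{n.ssid}: {n.security.upper()} is below WPA2"))
        elif n.security == "wpa2" and not n.is_guest:
            findings.append((4, f"{n.ssid}: still WPA2, Level 4 expects WPA3 on the staff network"))
        if (today - n.last_rotated).days > ROTATION_DAYS:
            findings.append((3, f"{n.ssid}: passphrase not rotated in {ROTATION_DAYS} days"))
    if not guests:
        findings.append((3, "no separate guest network"))
    for g in guests:
        if any(g.passphrase == s.passphrase for s in staff):
            findings.append((3, f"{g.ssid}: guest network shares the staff passphrase"))
    if not site.admin_password_changed:
        findings.append((3, "router admin interface still uses the vendor password"))
    # Rogue AP: one of our SSIDs broadcast from a BSSID we do not own.
    for ssid, bssid in site.scan:
        if ssid in our_ssids and bssid not in our_bssids:
            findings.append((4, f"{ssid}: rogue access point {bssid} is using our SSID"))
    # Device logging: each staff SSID needs a client log, and every logged client should be approved.
    for s in staff:
        if s.ssid not in site.seen_clients:
            findings.append((4, f"{s.ssid}: connected devices are not being logged"))
        for mac in sorted(site.seen_clients.get(s.ssid, set()) - site.staff_devices):
            findings.append((4, f"{s.ssid}: unapproved device {mac} connected"))
    return findings

def maturity_level(site, today):
    """Highest level whose checks all pass, capped at 4: Level 5 controls are outside what this sees."""
    blocked = [lvl for lvl, _ in audit(site, today)]
    return min(blocked) - 1 if blocked else 4

# Constructed sample: an office that has done nothing beyond plugging in the router.
WEAK_SITE = Site(networks=[Network("ShopFloor", "aa:bb:cc:00:00:01", "wpa", "admin", date(2021, 1, 10))],
                 scan=[("ShopFloor", "aa:bb:cc:00:00:01")], staff_devices=set(), seen_clients={},
                 admin_password_changed=False)

# Constructed sample: the same office after working through the 0 -> 4 steps.
HARDENED_SITE = Site(
    networks=[Network("ShopFloor", "aa:bb:cc:00:00:01", "wpa3", "Kolhapur!Lathe#2024x", date(2024, 4, 15)),
              Network("ShopFloor-Guest", "aa:bb:cc:00:00:02", "wpa2", "Visitor-Pass-7731", date(2024, 4, 15), is_guest=True)],
    scan=[("ShopFloor", "aa:bb:cc:00:00:01"), ("ShopFloor-Guest", "aa:bb:cc:00:00:02"), ("NeighbourCafe", "de:ad:be:ef:00:09")],
    staff_devices={"10:00:00:00:00:01", "10:00:00:00:00:02"}, seen_clients={"ShopFloor": {"10:00:00:00:00:01"}},
    admin_password_changed=True)

# Constructed sample: hardened office, but a survey finds a second "ShopFloor" from an AP we do not own.
ROGUE_SITE = Site(HARDENED_SITE.networks, HARDENED_SITE.scan + [("ShopFloor", "ff:ff:ff:00:00:99")],
                  HARDENED_SITE.staff_devices, HARDENED_SITE.seen_clients, True)

if __name__ == "__main__":
    for name, s in ("weak", WEAK_SITE), ("hardened", HARDENED_SITE), ("rogue", ROGUE_SITE):
        print(name, "-> Level", maturity_level(s, TODAY), *(m for _, m in audit(s, TODAY)), sep="\n  ")
```

Running the script prints the computed level and the findings for the three constructed sites (the weak office lands on Level 0, the hardened one on Level 4, and the same hardened office drops to Level 3 the moment a survey shows an unknown access point using its SSID). In a real run you would replace the sample `Site` with values read from the router admin page or controller export; the screenshots and change log listed under "Evidence You Should Have" are what an auditor will still want to see alongside the script's output.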
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Router configuration screenshot showing WPA2/WPA3 encryption enabled and SSID hiding turned on
  • Wi-Fi password policy document (written rule for password complexity, length, and change frequency)
  • Change log showing dates when Wi-Fi password was updated (at least showing last 3 changes with dates)
  • List of staff members who know the Wi-Fi password and date when access was granted to each person
  • Guest Wi-Fi network configuration details (separate SSID, strong password, bandwidth limits if level 4+), and visitor Wi-Fi access log

🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "What is your Wi-Fi encryption standard and when was it last updated? Can you show me the router configuration screen?"
  • "How often is your Wi-Fi password changed and by whom? Show me the change log."
  • "Who in your organization knows the Wi-Fi password? How do you manage access to this password?"
  • "Do you have a guest Wi-Fi network separate from the employee network, and if so, what are its access controls?"
  • "Have you tested your Wi-Fi for security vulnerabilities or rogue access points in the last 12 months? If yes, show me the test report."

🛠 Tools That Work in India

Purpose: Check Wi-Fi security settings and view what encryption your router is using
Free option: WiFi Analyzer (Android app by Farproc) or Wifi Inspector (free web tool)
Paid option: —

Purpose: Scan the Wi-Fi network for connected devices, unauthorized access points, or security weaknesses
Free option: Wireshark (free packet analyzer) or Aircrack-ng (free Wi-Fi auditing tool); requires technical knowledge
Paid option: Nessus Essentials (free for home use, ₹40,000–70,000/year for commercial) or Fortinet FortiGate (₹1,20,000–3,00,000/year depending on model)

Purpose: Manage and document Wi-Fi passwords securely so they are not written on paper or shared via chat
Free option: Bitwarden (free password manager) or KeePass (free local password vault)
Paid option: 1Password (₹6,000–8,000/year) or Dashlane (₹9,000–12,000/year)

Purpose: Monitor Wi-Fi activity, log connected devices, and alert on suspicious connections
Free option: GlassWire (free version with basic logging) for Windows
Paid option: Ubiquiti UniFi (₹30,000–80,000 one-time for controller + ₹15,000–40,000/year for managed access points) or Cisco Meraki (₹50,000–2,00,000/year depending on deployment)

Purpose: Test your Wi-Fi password strength and encryption quality periodically
Free option: Metasploit (free penetration testing framework) or local IT testing with Aircrack-ng
Paid option: Offensive Security OSCP training (₹1,50,000–2,00,000 one-time) or hiring an external penetration tester (₹30,000–1,50,000 per assessment)

🛡 How This Makes You More Resilient

When your Wi-Fi is properly secured with strong encryption and a complex password, attackers cannot casually connect to your network from outside the building or intercept data flowing through it, which dramatically reduces the risk of data theft, ransomware infection, or unauthorized access to your business systems. This control acts as a first line of defense and makes it much harder for criminals to target your business compared to competitors who have open or weak Wi-Fi. If a breach does occur despite this control, you can demonstrate to customers and regulators that you took reasonable security steps, which protects your reputation and reduces legal liability.

⚠️ Common Pitfalls in India

  • Writing the Wi-Fi password on a sticky note on the router or reception desk where clients and visitors can see it, defeating the security purpose entirely.
  • Using the router's default password (like 'admin/admin') and never changing it, making it trivial for someone with basic knowledge to take over your entire network.
  • Sharing the same Wi-Fi password with vendors, contractors, and cleaning staff permanently, then forgetting to change it when they leave, meaning people who no longer work with you still have access.
  • Setting up a Wi-Fi network but never updating the router firmware, leaving known security vulnerabilities unpatched for years.
  • Installing a strong Wi-Fi password but leaving the guest network open or setting it to the same password, allowing visitors to access your systems or bandwidth.
  • Assuming Wi-Fi security is the IT vendor's responsibility and never checking whether it is actually configured, then discovering during an audit that encryption was never properly enabled.

⚖️ Compliance References

DPDP Act 2023: Section 8 (Security of personal data) - organizations must implement reasonable security practices to protect personal data, which includes Wi-Fi encryption
CERT-In 2022: Direction on securing network infrastructure (implied in the 'Handling of Cyber Security Incidents' guidelines for organizations)
ISO 27001:2022: Annex A.4.3 (Access control), A.5.15 (Encryption), A.5.16 (Physical and logical access) - specifically covering network access controls and encryption
NIST CSF 2.0: Govern (Organizational context for asset management), Protect (Access Control - PR.AC-1 and Protective Technology - PR.PT-2)

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
trustinbharat.org