A visitor asks for the WiFi password at reception, connects their personal laptop, and within minutes is sitting on the exact same network segment as the finance server, the HR database and every internal file share. This happens more often than most business owners would guess, and it usually happens because nobody ever separated the guest network from the corporate one in the first place. Nobody planned it that way; it simply grew that way over time, one convenient shortcut at a time.
Convenience at setup, liability forever after
Setting up a single wireless network is simpler than setting up two, which is precisely why so many small and medium businesses end up doing exactly that. One SSID, one password, handed out to staff and visitors alike, with nobody giving much thought to what a device on that network can actually reach. It works fine right up until a visitor’s infected laptop, or a contractor’s compromised phone, connects and starts probing the same segment your accounting software lives on, at which point the convenience becomes a genuine liability.
Assessing this properly is a core part of thorough Wifi pen Testing, which tests not just whether the wireless encryption itself is sound, but what an authenticated device, guest or staff, can actually reach once connected. It is a remarkably common finding that a guest network exists in name only, sharing the same underlying VLAN as every internal system despite appearing separate on paper.

Segmentation is the fix, and it is not expensive
Properly separating guest and corporate wireless traffic is not a major infrastructure project. Most modern access points support multiple SSIDs mapped to different VLANs at effectively no additional hardware cost, meaning the barrier is rarely budget and almost always awareness. Once segmented correctly, a guest device can reach the internet and nothing else, while corporate devices retain access to internal resources through a separate, properly authenticated network, with a clean line drawn between the two that holds up under real scrutiny.
William Fieldhouse has walked into this exact scenario often enough to expect it.
“I sat in a client’s reception area, asked for the guest WiFi password, and from my laptop I could see their internal file server within about four minutes. There was no attack involved, no clever technique. It was one flat network wearing two different names. That is genuinely one of the easiest fixes in the report, and yet it keeps turning up.”
— William Fieldhouse, Director of Aardwolf Security Ltd
What makes this particular finding frustrating is how disproportionate the fix is to the risk it closes. Reconfiguring access points to properly separate traffic typically takes an afternoon, while the exposure it removes, an unmanaged external device sitting on the same segment as sensitive internal systems, is one of the more serious risks a business can carry unknowingly for months or years without incident, until the day it is not.
Separate the networks, then verify it actually worked
Do not assume a guest network label means genuine separation; confirm it with a device on the ground testing what it can actually reach. Pair your wireless review with broader internal network pen testing to check that segmentation holds up across your wired network as well, not just over WiFi. Contact Aardwolf Security to have your wireless environment properly tested before a visitor’s laptop becomes your next incident.



