Working From Home? Your Router Could Be Your Biggest Security Risk

It is 9am and you are logged into your practice management system from home. Client files, billing records, appointment notes - all flowing through the same Wi-Fi router you set up three years ago and have not touched since. That router still has the password printed on a sticker on its base. Your neighbour probably knows it.

Remote and hybrid working has become normal for many Canterbury professional services businesses. What has not kept pace is the security of the home networks staff are using to access sensitive client data. A study following the shift to remote work found that roughly half of businesses experienced a cybersecurity incident within two months of staff working from home. Home networks simply were not built with business data in mind, and that gap is being exploited.

The problem is not that home networks are impossible to secure. It is that nobody tends to them. Routers ship with default passwords that are widely known. Firmware - the software that keeps the device running securely - goes unupdated for years. Services that should be switched off remain on. Encryption settings default to older, weaker standards. Any one of these is a door left open. Together, they make accessing a home network straightforward for someone who knows what to look for.

A properly secured home network looks different. The router has a unique password - not the one on the sticker. It runs the latest firmware, which patches the security flaws manufacturers quietly fix over time. Encryption is set to the strongest available standard. A separate guest network exists for anyone visiting, keeping them away from the main connection your work devices use. The firewall is active. Services that nobody uses have been switched off. None of this is visible day to day - you just work, and the network does its job quietly in the background.

For anyone handling client data under the NZ Privacy Act 2020, this matters beyond convenience. A breach that originates from an unsecured home network is still a breach. The data involved still belongs to real people. The reporting obligations to the Office of the Privacy Commissioner still apply. "It happened at home" is not a defence that protects a business or its clients.

If your team is working remotely - even occasionally - it is worth treating their home networks as part of your security perimeter. That means having someone who knows what they are doing run through the settings, not relying on staff to figure it out themselves. Most people only ever open the router app during setup and never return to it. A one-time review by someone who knows what to look for can close off the most common vulnerabilities quickly. For businesses where remote access to sensitive systems is routine, pairing this with a broader look at your cyber security posture is worth the time.

If you are unsure whether your team's home setups meet a reasonable standard, ITstuffed offers a 15-minute IT Fit Check to help you work out where the gaps are. Book one here.