"The password’s on the board.” That’s where the problem starts
“Do you have Wi-Fi?”
“Yeah the password’s on the board.”
It’s a throwaway exchange. Familiar, almost comforting in its normality. You hear it in offices, community centres, waiting rooms, anywhere people gather and expect to be connected. Sometimes it’s dressed up slightly differently. “That password is for the intranet,” someone might add, as if that offers reassurance.
It usually does.
And yet, in that moment, something quietly significant has just happened. Access has been granted to a network, often the same network that underpins the day to day running of the organisation, with little more than a shared phrase written on a wall or handed over at reception. No context. No control. No real understanding of what follows.
For most organisations, this doesn’t feel like a problem. It feels like service. A small gesture of convenience in a world where connectivity is expected. And, to be fair, the thinking behind it is not entirely misplaced. Many will have made some attempt at separation. A guest network here, a different SSID there. Enough, perhaps, to tick a mental box and move on.
But that line of thinking only answers one question. Can someone get into our systems?
It does not answer the more uncomfortable one. What are people exposed to while they are on our network?
Large enterprises confronted this question years ago. Not out of curiosity, but necessity. As networks expanded and threats became less theoretical, the idea that access could be governed by a shared password began to look increasingly fragile. In its place came a quieter shift towards identity, towards the principle that access should be granted deliberately, not assumed. Technologies such as IEEE 802.1X became commonplace, not because they were fashionable, but because they enforced a simple discipline. You do not get access simply because you know the password.
Somewhere along the way, much of the mid sized market took a different path.
Their evolution was faster, less structured. What began as a relatively contained IT environment, a few servers, a handful of applications, became something altogether more complex. Cloud services arrived. SaaS platforms multiplied. Mobile devices blurred the boundary between inside and outside. Before long, everything was connected.
And yet, the underlying approach to access often did not change. The network grew, but the controls did not grow with it. A password remained a password, whether it was protecting a single broadband line or a fully connected digital estate.
The result is an environment that appears segmented on the surface, but is often far more fluid in practice. Guest networks that are not quite separate. Credentials that are widely shared. Access that feels controlled, but is not meaningfully governed.
It is, in many cases, the illusion of separation.
That illusion matters less when everything behaves as expected. But networks are not static places. They are lived in environments, shaped by the people and devices that use them. When someone connects to a guest network, they are not entering a vacuum. They are entering an experience, one that is implicitly endorsed by the organisation providing it.
In some environments, that responsibility carries more weight than we like to admit.
Take a community setting supporting people living with dementia. It is a place built on care, trust, and safeguarding. People move through it with different levels of awareness, often relying on the environment around them to be safe by default.
Now place open internet access into that setting.
A person connects. They browse without context, without filters, without an understanding of where a link might lead. They are not making a conscious decision to step into risk, but they can still end up there. Inappropriate or harmful content appears on a screen in a public space. A staff member sees it. Others may see it.
Nothing has been breached. No system has been compromised.
And yet something has gone wrong.
The environment has failed to protect the people within it.
This is the part that is rarely discussed. Guest access is often framed as a low risk concession, something safely contained at the edge. In reality, it is an extension of the organisation’s digital footprint, with all the responsibility that entails.
None of this requires an enterprise scale response. The controls that make a meaningful difference are not especially exotic. Filtering known malicious domains. Applying a degree of category based restriction. Introducing even light touch authentication so access is not entirely anonymous. Above all, creating some level of visibility, an understanding of what is actually happening, rather than what is assumed to be happening.
The technology to do this has become quietly accessible. Platforms such as Cloudflare and Zscaler have reduced what was once a specialist capability into something that can be introduced without dismantling existing networks. But the technology is not really the point.
The point is intent.
Once an organisation decides that guest access is something to be designed, rather than simply provided, the conversation changes. It moves away from “we have Wi-Fi” towards a more interesting question. What kind of environment are we creating for the people who use it?
From there, other insights begin to emerge. Patterns of usage. Times of activity. The subtle ways in which physical spaces are actually experienced, rather than how they are assumed to be used. At that point, what began as a question about Wi-Fi starts to touch something broader, the relationship between digital infrastructure and real world behaviour.
But it always starts in the same place.
“Do you have Wi-Fi?”
“Yeah the password’s on the board.”
It sounds like good service.
In reality, it is often just uncontrolled access to an unmanaged environment, one that few organisations have truly stopped to consider, and fewer still have chosen to understand.
