In our recent fireside chat, we spent 45 minutes on a security gap that hides in plain sight at almost every organization: how staff actually connect to office WiFi. The short version? Most companies are relying on patterns that were never very secure to begin with, and AI has quietly turned a low-priority risk into an urgent one.
Here's what we covered, and why it matters for your network.
The problem almost everyone shares
When you strip it back, most organizations connect staff to WiFi the same way. As Andy Dancer put it during the session, it usually "boils down to a shared password." Often that shared staff password lives on the same network as guest access, just with different credentials. It's convenient. It's also a systemic risk, because a single shared secret is exactly the kind of thing that's easy to leak, guess, or steal.
For a long time, the lack of headline incidents made this feel like a theoretical problem. The reality is simpler: attackers take the easiest path available, and until recently there were softer targets elsewhere. That calculation is changing.
What AI changed
AI has lowered the barrier to WiFi attacks across the board. Phishing and credential harvesting are now more personalized, more scalable, and harder to detect. Password cracking is faster, and tools can generate plausible password guesses at volume. None of this requires an attacker to be sophisticated; it just requires them to have access to the same tools everyone else does.
A point worth sitting with: an attacker often doesn't need to be inside your building. Car parks, adjacent buildings, and directional antennas can give someone an "inside-like" presence on your network from a distance. In our demonstrations, we've shown how a fake WiFi signal broadcast stronger than the real SSID, paired with a convincing fake login page, can harvest credentials without anyone noticing.
Why "more security at login" only goes so far
The instinct is to add more checks at the point of connection. But as long as a human has to type credentials, those credentials can be stolen. More friction for staff doesn't remove the underlying exposure; it just moves it around.
There's a second problem that shows up after connection. Many security tools assume verification has already happened by the time someone is on the network. So once an attacker authenticates, they can look entirely legitimate while moving around, especially where staff and guest separation is weak.
This is also why Network Access Control (NAC) so often disappoints in practice. As Andy noted, "about 70% of NAC deployments end up sitting in monitor mode" rather than actively enforcing policy. Full prevention is operationally hard, and the helpdesk workload it generates tends to push teams toward monitoring instead of blocking.
A different approach: take the password out entirely
Iain Jewitt summed up the direction simply: "the answer is to take the employee out of the equation entirely."
That's the thinking behind Purple's staff WiFi approach. Instead of asking people to remember and type a shared password, access is tied to identity. You get gold-standard WPA Enterprise level protection, without staff entering passwords or codes. Deployment syncs with your existing identity provider, and users install an app once.
The knock-on benefits are operational as much as they are security related. Because access is tied to directory accounts, it's automatically disabled when someone leaves. There's no shared secret to rotate, and no credential for an attacker to phish.
What rollout actually looks like
A few practical questions came up from the audience:
- Is it disruptive? Not especially. You can run your existing setup alongside Purple during migration, and the app connects users without reconfiguring every device by hand. Most users need just a few days to install and connect. During the week of the event, one IT admin set up secure connections for employees in a hybrid working setup almost instantly.
- Does it replace NAC? Not necessarily. NAC is valuable when it's genuinely enforcing. Purple can act as a simpler secure connection layer, or as an enhancement focused on your most sensitive access points.
- Who's most at risk? Financial services and anything tied to money are common early targets, but AI-driven attacks broaden the field considerably, including disruption attacks with wider economic knock-on effects.
The takeaway
Staff WiFi is a growing attack surface, and AI is making it cheaper and easier to exploit. The fix isn't more friction at the login screen. It's moving to identity-based, passwordless authentication that enforces stronger access while taking load off IT and the helpdesk.
If you'd like to talk through what this would look like on your existing WiFi hardware, get in touch . We're happy to walk you through a migration path.
We've only scratched the surface here. The full fireside chat goes deeper into the threats that exist, potential rollouts to help and the audience Q&A.
