Your internet connection is the gateway to your entire business. Every email, every cloud application, every customer transaction, and every file transfer passes through it — making it simultaneously your most critical infrastructure asset and your most exposed attack surface. For UK businesses of all sizes, securing that connection is no longer optional; it is a fundamental operational requirement.
The threat landscape facing British businesses has evolved dramatically. State-sponsored attacks, organised criminal groups, and opportunistic hackers all target business internet connections with increasing sophistication. A poorly secured connection does not merely risk data theft — it exposes your organisation to ransomware that can halt operations for weeks, compliance failures that attract regulatory penalties, and reputational damage that can take years to repair.
At Cloudswitched, we design, implement, and manage secure internet infrastructure for businesses across London and the wider UK. This guide distils our hands-on experience into a comprehensive, practical framework covering everything from firewall configuration and UTM appliances to DNS filtering, DDoS protection, VPN deployment, network segmentation, intrusion detection, Cyber Essentials certification, and regular security audits. Whether you are hardening an existing setup or building from scratch, this is the roadmap you need.
The Internet Threat Landscape for UK Businesses
Before diving into specific countermeasures, it is worth understanding what you are defending against. The types of attacks targeting business internet connections have shifted considerably in recent years, and your defences need to reflect the current reality rather than yesterday's threat model.
As the chart above illustrates, the majority of threats arrive through the internet connection itself — via email, web traffic, or direct attacks on internet-facing services. Each of the security layers covered in this guide addresses one or more of these attack vectors, and together they create a defence-in-depth posture that dramatically reduces your risk.
1. Firewall Configuration: Your First Line of Defence
A properly configured firewall is the cornerstone of any secure business internet connection. It sits between your internal network and the internet, inspecting every packet of data and enforcing rules about what traffic is permitted in and out. Yet an alarming number of UK businesses are running firewalls with default configurations, outdated firmware, or overly permissive rule sets that render them largely ineffective.
Essential Firewall Configuration Practices
A firewall is only as good as its configuration. Out of the box, most business firewalls ship with settings designed for ease of setup rather than security. Hardening your firewall requires a methodical approach covering several key areas.
Default-deny policy: Configure your firewall to block all traffic by default and only allow explicitly approved connections. This is the opposite of the “default-allow” approach many businesses inadvertently operate, where everything is permitted unless specifically blocked. A default-deny stance means that even if a new threat emerges that your rules do not specifically address, it will be blocked automatically.
Stateful packet inspection: Ensure your firewall performs stateful inspection, tracking the state of active connections and only permitting return traffic that matches an established session. This prevents attackers from injecting packets that appear to be part of legitimate conversations.
Outbound filtering: Most businesses focus exclusively on inbound threats, but outbound filtering is equally critical. It prevents compromised devices on your network from communicating with command-and-control servers, exfiltrating data, or participating in botnets. Configure your firewall to restrict outbound traffic to only the ports and protocols your business genuinely requires.
Regular rule audits: Firewall rules accumulate over time as staff members request exceptions and new services are deployed. Without regular audits, rule sets become bloated with obsolete entries, overly broad permissions, and conflicting directives. Schedule quarterly reviews to remove unused rules, tighten broad permissions, and document the business justification for every active rule.
When conducting a firewall rule audit, start by enabling logging on all rules for a two-week period. This gives you empirical data on which rules are actually being triggered by legitimate traffic and which have not matched a single packet in months. Rules that show zero hits are strong candidates for removal — but always verify with the relevant team before deleting, as some rules may protect services that are only used periodically, such as year-end reporting systems.
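The rule audit described above can be partly automated once hit counters are available. The following is an added example, not Cloudswitched's own tooling: it assumes a CSV export of the rule set with a hit count per rule from the logging window (the column names, addresses and rules are constructed) and flags zero-hit rules, overly broad rules, and rules with no documented justification.

```python
import csv
import io

# Constructed sample: a rule export with hit counters from a two-week logging
# window. Column names, addresses and rules are assumptions for this example.
RULE_EXPORT = """\
id,action,src,dst,port,justification,hits
10,allow,10.0.10.0/24,10.0.20.5,443,Staff access to intranet,18234
20,allow,any,10.0.20.9,3389,,0
30,allow,10.0.10.0/24,any,any,Temporary - migration,95211
40,allow,10.0.10.0/24,10.0.20.7,1433,Year-end reporting,0
999,deny,any,any,any,Default deny,40211
"""


def load_rules(text):
    """Parse the export into a list of dicts, in rule order."""
    rules = list(csv.DictReader(io.StringIO(text)))
    for rule in rules:
        rule["id"] = int(rule["id"])
        rule["hits"] = int(rule["hits"])
    return rules


def audit(rules):
    """Return {rule id: [issues]} for every allow rule that needs review."""
    findings = {}
    for rule in rules:
        if rule["action"] != "allow":
            continue
        issues = []
        if rule["hits"] == 0:
            # Candidate for removal, but confirm with the owning team first:
            # periodic services may simply not have run during the window.
            issues.append("zero-hits")
        if "any" in (rule["src"], rule["dst"], rule["port"]):
            issues.append("broad-scope")
        if not rule["justification"].strip():
            issues.append("no-justification")
        if issues:
            findings[rule["id"]] = issues
    return findings


def ends_with_default_deny(rules):
    """True if the final rule blocks everything not explicitly allowed."""
    last = rules[-1]
    return (last["action"], last["src"], last["dst"], last["port"]) == (
        "deny", "any", "any", "any")


if __name__ == "__main__":
    parsed = load_rules(RULE_EXPORT)
    print("default-deny in place:", ends_with_default_deny(parsed))
    for rule_id, issues in audit(parsed).items():
        print(f"rule {rule_id}: {', '.join(issues)}")
```

Rule 40 in the sample is the periodic-use case mentioned above: it shows zero hits but has a documented year-end purpose, so it is flagged for review rather than deleted.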
2. UTM Appliances: Unified Security at the Perimeter
Unified Threat Management (UTM) appliances take the concept of a traditional firewall and extend it into a comprehensive, multi-layered security platform. Rather than deploying separate devices for your firewall, antivirus gateway, intrusion prevention, content filtering, and VPN termination, a UTM consolidates all of these functions into a single appliance.
For small and medium-sized businesses, UTM appliances offer a compelling balance of capability and manageability. Products from vendors such as Fortinet (FortiGate), SonicWall, WatchGuard, and Sophos provide enterprise-grade security features in form factors and at price points designed for the SME market. A typical UTM appliance for a 50-user office might cost between £800 and £2,500 for the hardware, plus £500–£1,500 per year for subscription-based threat intelligence and feature licensing.
The key advantage of UTM is operational simplicity. Instead of managing five or six separate security tools with different dashboards, update schedules, and licensing models, your IT team or managed service provider manages one integrated platform. This reduces the risk of configuration gaps between separate products and ensures that all security functions share the same threat intelligence in real time.
Traditional standalone firewall:
- Packet filtering and stateful inspection only
- No built-in antivirus or malware scanning
- Separate appliances needed for IDS/IPS, VPN, content filtering
- Multiple dashboards and licensing agreements
- Threat intelligence not shared between tools
- Higher total cost of ownership for equivalent protection

UTM appliance:
- Firewall, antivirus, anti-spam, IDS/IPS in one device
- Integrated web and application filtering
- Built-in VPN server for remote access
- Single management dashboard and unified logging
- Real-time shared threat intelligence across all modules
- Lower total cost of ownership with simplified management
3. DNS Filtering: Blocking Threats Before They Load
DNS filtering is one of the most underutilised yet effective security measures available to businesses. Every time a user or device on your network attempts to visit a website, it first makes a DNS query to translate the domain name into an IP address. DNS filtering intercepts these queries and blocks requests to known malicious, phishing, or otherwise undesirable domains — stopping threats before any content is even downloaded.
Services such as Cisco Umbrella (formerly OpenDNS), Cloudflare Gateway, and Webroot DNS Protection maintain constantly updated databases of malicious domains. When a user clicks a phishing link in an email or a piece of malware attempts to contact its command-and-control server, the DNS query is blocked at the resolver level and the connection never completes.
Implementing DNS filtering is remarkably straightforward. At its simplest, you change the DNS server settings on your firewall or DHCP server to point to the filtering provider's resolvers. More advanced deployments use lightweight agents on endpoints to enforce DNS filtering even when devices are off the corporate network — essential for remote and hybrid workers.
The cost is typically modest: £1.50–£3 per user per month for business-grade DNS filtering, making it one of the highest-value security investments available. It adds a protective layer that operates independently of your firewall, endpoint protection, and email security — meaning that even if one of those layers is bypassed, DNS filtering can still block the threat.
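To make the resolver-level decision concrete, here is an added example (not code from any of the services named above) of how a filter can match a query against a domain blocklist and how the resulting block log points to devices that keep trying to reach a command-and-control domain. The blocklist entries, log format and addresses are constructed for illustration.

```python
from collections import Counter

# Constructed blocklist; a real service maintains a far larger, updated feed.
BLOCKLIST = frozenset({"c2-panel.example", "login-verify.example"})

# Constructed resolver log: timestamp, client address, queried name.
QUERY_LOG = """\
2025-01-14T09:00:01 10.0.10.21 www.example.org
2025-01-14T09:00:04 10.0.10.37 Login-Verify.example.
2025-01-14T09:00:09 10.0.50.12 beacon.c2-panel.example
2025-01-14T09:00:39 10.0.50.12 beacon.c2-panel.example
2025-01-14T09:01:09 10.0.50.12 beacon.c2-panel.example
2025-01-14T09:01:15 10.0.10.21 notc2-panel.example
"""


def normalise(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def match_blocklist(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname, or None if it is allowed.

    Matching is done on whole labels, so a blocked domain also blocks its
    subdomains, while an unrelated name that merely ends in the same
    characters (notc2-panel.example) is not affected.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def blocked_by_client(log_text):
    """Count blocked queries per (client, blocklist entry)."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        hit = match_blocklist(qname)
        if hit:
            counts[(client, hit)] += 1
    return counts


if __name__ == "__main__":
    for (client, domain), n in blocked_by_client(QUERY_LOG).most_common():
        print(f"{client} blocked {n}x for {domain}")
```

A client that repeatedly queries the same blocked domain at regular intervals, like 10.0.50.12 in the sample, is worth investigating as a possibly compromised device even though every attempt was blocked.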
4. Web Content Filtering: Controlling What Enters Your Network
While DNS filtering blocks access to known-malicious domains, web content filtering provides a more granular level of control over what web traffic is permitted on your business network. Content filtering inspects the actual HTTP and HTTPS traffic (using SSL inspection on your UTM or proxy), categorises websites by type, and enforces your acceptable use policy in real time.
This goes beyond simple security. Web content filtering also addresses productivity, bandwidth management, and legal liability. Blocking categories such as gambling, adult content, file-sharing sites, and social media during business hours reduces distractions, prevents bandwidth-hungry streaming from degrading performance for critical applications, and protects the business from potential legal exposure.
From a security perspective, content filtering adds a critical layer by blocking access to categories commonly associated with malware distribution — newly registered domains, uncategorised sites, peer-to-peer networks, and anonymising proxies. These are the categories that attackers routinely exploit because they fall outside the signature-based detection used by traditional antivirus tools.
Modern web content filtering requires SSL/TLS inspection to be effective, as over 95% of web traffic is now encrypted. Without SSL inspection, your content filter can only see the domain name, not the actual page content or file downloads. However, enabling SSL inspection requires deploying a trusted root certificate to all managed devices, and certain categories — such as banking and healthcare portals — should be exempted to avoid breaking certificate pinning and to maintain user privacy for sensitive transactions. Plan your SSL inspection deployment carefully and communicate the policy clearly to staff.
5. DDoS Protection: Keeping Your Connection Available
A Distributed Denial of Service (DDoS) attack floods your internet connection with enormous volumes of traffic, overwhelming your bandwidth and rendering your online services — website, email, VoIP, cloud applications — completely inaccessible. DDoS attacks have become cheaper and easier to launch, with “DDoS-for-hire” services available on the dark web for as little as £20, putting this capability within reach of disgruntled competitors, ex-employees, or even bored teenagers.
For businesses that rely on internet connectivity for daily operations (which in 2025 means virtually every business), DDoS protection is essential. The approach you take depends on your risk profile and the services you expose to the internet.
ISP-level DDoS mitigation: Many business-grade ISPs now offer DDoS scrubbing as part of their service or as an add-on. Traffic destined for your IP range passes through the ISP's scrubbing centres, which detect and filter volumetric attacks before they reach your premises. This is effective against the most common flood-based attacks and typically costs £50–£200 per month.
Cloud-based DDoS protection: Services like Cloudflare, Akamai, and AWS Shield provide application-layer DDoS protection for your websites and web applications. They act as a reverse proxy, absorbing attack traffic across their global network while forwarding only legitimate requests to your servers. For businesses with public-facing web services, this is increasingly standard practice.
On-premises DDoS mitigation: Larger organisations or those with very high availability requirements may deploy dedicated DDoS mitigation appliances at their network perimeter. These devices can detect and respond to attacks in real time without relying on upstream providers, but they come at a significantly higher cost — typically £5,000–£25,000 for the hardware plus annual licensing.
6. VPN for Remote Access: Secure Connectivity for a Hybrid Workforce
The shift to hybrid and remote working has made secure remote access one of the most important components of business internet security. A Virtual Private Network (VPN) creates an encrypted tunnel between a remote worker's device and your business network, ensuring that data in transit cannot be intercepted — even on untrusted networks such as public Wi-Fi in coffee shops, hotels, or co-working spaces.
There are two primary VPN architectures to consider. Site-to-site VPN connects two or more office locations over the internet, creating a secure bridge between their local networks. Remote access VPN allows individual users to connect securely from any location. Most businesses with remote workers need the latter, though multi-site organisations often require both.
Modern VPN deployment has moved well beyond the clunky, unreliable experience of a decade ago. Solutions from vendors such as Cisco AnyConnect, Fortinet FortiClient, WireGuard, and the VPN capabilities built into most UTM appliances now offer seamless, always-on connectivity that runs silently in the background. Split tunnelling allows you to route only business traffic through the VPN while letting personal browsing go directly to the internet, reducing bandwidth load on your corporate connection and improving performance for remote users.
However, it is worth noting that VPN alone is no longer considered sufficient for remote access security. The zero-trust approach — which verifies every user, device, and connection attempt regardless of network location — is rapidly becoming the standard. Many businesses are adopting zero-trust network access (ZTNA) solutions alongside or in place of traditional VPN, providing more granular control over what remote users can access.
7. Network Segmentation: Containing the Blast Radius
Network segmentation divides your business network into separate zones or segments, each with its own security controls and access policies. The principle is simple but powerful: if an attacker compromises one segment of your network, segmentation prevents them from moving laterally to access other systems, data, or services.
Consider a typical office network without segmentation. Every device — workstations, servers, printers, CCTV cameras, guest devices, IoT sensors — sits on the same flat network. If a single device is compromised, the attacker has direct network access to everything else. Segmentation eliminates this risk by isolating different device types and functions into separate VLANs (Virtual Local Area Networks) with firewall rules governing traffic between them.
A practical segmentation scheme for a typical SME might include separate segments for corporate workstations, servers and infrastructure, guest Wi-Fi, VoIP phones, IoT and building management devices, and any payment card processing systems. Each segment has explicit rules about what it can communicate with — for example, IoT devices can reach the internet for firmware updates but cannot access the server segment, and guest Wi-Fi can reach the internet but nothing else on the internal network.
| Network Segment | Typical Devices | Internet Access | Internal Access |
|---|---|---|---|
| Corporate LAN | Workstations, laptops | Filtered via UTM | Servers, printers |
| Server VLAN | File servers, domain controllers | Restricted — updates only | Corporate LAN (limited ports) |
| Guest Wi-Fi | Visitor devices | Open (bandwidth-limited) | None — fully isolated |
| VoIP VLAN | IP phones, call systems | SIP provider only | None |
| IoT / Building | CCTV, sensors, access control | Vendor cloud only | None — fully isolated |
| PCI Segment | Payment terminals | Payment processor only | None — fully isolated |
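The "Internal Access" column of the table can be turned into a check that is run against observed traffic to confirm the segments are actually isolated. The following is an added example, not Cloudswitched's own code: the subnet assigned to each segment and the flow records are constructed, and the policy is modelled at segment level only (the table's "limited ports" and the printers are not modelled).

```python
import ipaddress

# Assumed addressing plan for the segments in the table (constructed).
SEGMENTS = {
    "corporate": "10.0.10.0/24",
    "server": "10.0.20.0/24",
    "guest": "10.0.30.0/24",
    "voip": "10.0.40.0/24",
    "iot": "10.0.50.0/24",
    "pci": "10.0.60.0/24",
}
NETWORKS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}

# Inter-segment pairs permitted by the "Internal Access" column.
# Every other pair of different segments is a violation.
ALLOWED = {("corporate", "server"), ("server", "corporate")}

# Constructed flow records (source, destination, destination port), as might
# be exported from firewall logs or a flow collector.
FLOWS = [
    ("10.0.10.21", "10.0.20.5", 445),     # corporate -> server: allowed
    ("10.0.30.14", "10.0.20.5", 445),     # guest -> server: violation
    ("10.0.50.12", "10.0.10.21", 22),     # iot -> corporate: violation
    ("10.0.50.12", "203.0.113.10", 443),  # iot -> internet: not checked here
    ("10.0.60.3", "10.0.60.4", 8443),     # within pci: same segment
    ("10.0.40.8", "10.0.60.3", 80),       # voip -> pci: violation
]


def segment_of(ip):
    """Return the segment name for an address, or None if outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def violations(flows):
    """Return flows that cross segments in a way the policy does not allow."""
    found = []
    for src, dst, dport in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg is None or dst_seg is None:
            continue  # external traffic is governed by the Internet Access column
        if src_seg == dst_seg or (src_seg, dst_seg) in ALLOWED:
            continue
        found.append((src_seg, dst_seg, src, dst, dport))
    return found


if __name__ == "__main__":
    for src_seg, dst_seg, src, dst, dport in violations(FLOWS):
        print(f"VIOLATION {src_seg} -> {dst_seg}: {src} -> {dst}:{dport}")
```

Any violation reported here means a firewall rule between VLANs is more permissive than the design intends, which is exactly what a segmentation validation exercise is meant to surface.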
8. Intrusion Detection and Prevention Systems (IDS/IPS)
While firewalls control what traffic is allowed in and out of your network based on rules, intrusion detection and prevention systems analyse the content and behaviour of permitted traffic to identify attacks that firewall rules alone would miss. An IDS monitors traffic and generates alerts when it detects suspicious activity; an IPS goes further by automatically blocking or dropping malicious traffic in real time.
Modern IDS/IPS systems use a combination of signature-based detection (matching traffic against databases of known attack patterns) and anomaly-based detection (identifying deviations from normal network behaviour). The anomaly-based approach is particularly valuable for detecting zero-day attacks and advanced persistent threats that have no known signature.
Most UTM appliances include IDS/IPS functionality as a core feature, which is one of the strongest arguments for the UTM approach discussed earlier. For businesses that need dedicated, high-performance intrusion prevention — particularly those with high-throughput internet connections or regulatory requirements — standalone IPS appliances from vendors such as Cisco, Palo Alto Networks, and Trend Micro offer deeper inspection capabilities and higher throughput.
The critical success factor for IDS/IPS is not the technology itself but how well it is tuned and monitored. An out-of-the-box IDS with default settings will generate enormous volumes of alerts, the vast majority of which are false positives. This “alert fatigue” causes security teams to ignore alerts entirely, defeating the purpose. Effective IDS/IPS deployment requires careful tuning to your specific network environment, suppression of known false positives, and a clear escalation process for genuine alerts.
9. UK Cyber Essentials Certification
Cyber Essentials is a UK Government-backed certification scheme that defines a baseline of security controls every organisation should have in place. For businesses that contract with the UK public sector, Cyber Essentials certification is often mandatory. But even for businesses that operate exclusively in the private sector, the framework provides an excellent benchmark and the certification itself demonstrates due diligence to clients and partners.
The scheme has two levels. Cyber Essentials is a self-assessment questionnaire verified by an accredited certification body. Cyber Essentials Plus includes a hands-on technical audit where the assessor actively tests your defences. The five technical controls assessed by both levels are directly relevant to securing your internet connection.
Every security measure covered in this guide — from firewall configuration and UTM deployment to DNS filtering, content filtering, VPN, network segmentation, and IDS/IPS — contributes directly to meeting or exceeding the Cyber Essentials requirements. Achieving certification is not a separate project; it is the natural outcome of implementing the practices described here.
The cost of Cyber Essentials certification itself is modest: typically £300–£500 for the basic level and £1,500–£3,500 for Cyber Essentials Plus, depending on the size and complexity of your organisation. Many cyber insurance providers also offer premium discounts for certified businesses, which can offset the certification cost entirely.
10. Regular Security Audits: Verifying Your Defences
Implementing security controls is only half the battle. Without regular audits, configurations drift, new vulnerabilities emerge, staff workarounds create gaps, and the security posture you carefully built gradually degrades. A structured audit programme ensures that your defences remain effective over time and adapt to the evolving threat landscape.
A comprehensive internet security audit should cover several key areas: firewall rule review, UTM policy verification, DNS and content filtering effectiveness testing, VPN configuration and access review, network segmentation validation (confirming that segments are truly isolated), IDS/IPS tuning and alert review, and penetration testing of internet-facing services.
The frequency of audits depends on your risk profile, regulatory requirements, and the pace of change in your environment. As a minimum baseline, we recommend the following schedule for UK businesses.
| Audit Activity | Recommended Frequency | Typical Cost |
|---|---|---|
| Firewall rule review | Quarterly | £500–£1,000 |
| Vulnerability scanning (external) | Monthly | £100–£300/mo |
| Penetration testing | Annually | £2,000–£8,000 |
| Full security posture review | Annually | £3,000–£10,000 |
| Network segmentation validation | Bi-annually | £1,000–£2,500 |
| IDS/IPS tuning and review | Quarterly | £500–£1,500 |
| VPN access audit | Quarterly | £300–£800 |
For businesses with a managed IT provider like Cloudswitched, many of these audits are incorporated into the ongoing service. Continuous monitoring, automated vulnerability scanning, and regular configuration reviews happen as part of the standard managed service — reducing the need for expensive ad-hoc audit engagements and ensuring that issues are identified and remediated promptly rather than discovered months later during a periodic review.
Building a Layered Defence: How the Pieces Fit Together
None of the measures described in this guide should be relied upon in isolation. The principle of defence in depth recognises that no single security control is infallible, and the strength of your overall posture comes from the overlapping layers of protection. Each layer catches threats that may have slipped through the one before it.
Consider a real-world attack scenario: a staff member receives a phishing email containing a link to a malware distribution site. Your email security (not covered in this guide but equally important) might catch 95% of phishing emails, but this one gets through. When the user clicks the link, DNS filtering blocks the resolution of the malicious domain — attack stopped. If the domain is too new to appear in DNS blocklists, your web content filter inspects the traffic and blocks it based on the site's category or content — attack stopped. If the content filter is bypassed through an encrypted channel, your UTM's antivirus gateway scans the downloaded file and quarantines it — attack stopped. If the malware variant is unknown to the antivirus engine, your IDS/IPS detects anomalous outbound traffic patterns when the malware attempts to communicate with its command-and-control server — attack stopped. And if the malware does establish a foothold, network segmentation prevents it from accessing your critical servers and data.
This is what layered defence looks like in practice. No single layer needs to be perfect because the others provide a safety net. The more layers you implement, the more resilient your business becomes.
Implementation Priority: Where to Start
If you are building your internet security posture from scratch or looking to strengthen an existing setup, it helps to prioritise. The following scores reflect the relative impact of each measure based on our experience securing UK business networks, weighted by both threat reduction and implementation complexity.
Secure Your Business Internet Connection Today
Securing your business internet connection is not a one-off project — it is an ongoing commitment that requires the right technology, expert configuration, and continuous management. The ten measures covered in this guide — firewall configuration, UTM appliances, DNS filtering, web content filtering, DDoS protection, VPN for remote access, network segmentation, intrusion detection and prevention, Cyber Essentials certification, and regular security audits — form a comprehensive defence-in-depth strategy that will protect your business against the vast majority of threats.
At Cloudswitched, we specialise in designing, deploying, and managing secure internet infrastructure for London businesses and organisations across the UK. Whether you need a full security transformation or targeted improvements to your existing setup, our team has the expertise to deliver enterprise-grade protection at a price that works for your business.

