There is a persistent and dangerous myth among UK small businesses that cyber criminals are only interested in large enterprises. The reasoning goes something like this: "We are a small company with 30 employees — why would a hacker target us when they could go after a bank or a multinational corporation?" The reality is precisely the opposite. Small businesses are disproportionately targeted by cyber attacks precisely because they tend to have weaker defences, less security expertise, and fewer resources to detect and respond to intrusions.
According to the UK Government's Cyber Security Breaches Survey, 32 per cent of UK businesses experienced a cyber security breach or attack in the most recent reporting period — and among small businesses, the figure is growing year on year. The average cost of a cyber security breach for a UK small business is estimated at between £8,000 and £12,000, though for more serious incidents involving data loss, ransomware, or regulatory penalties, costs can escalate rapidly into six figures.
Network security — the practice of protecting your business network and connected devices from unauthorised access, misuse, and attack — is the foundation upon which all other cyber security measures rest. Without a secure network, even the best endpoint protection, user training, and security policies can be circumvented. This guide provides a comprehensive, practical framework for network security that is specifically tailored to the needs, budgets, and technical capabilities of UK small businesses.
Start with a Business-Grade Firewall
Your firewall is the front door of your network — the device that sits between your internal network and the internet, inspecting every packet of data that enters and leaves your business. The consumer-grade router supplied by your broadband provider is not a firewall. It provides basic Network Address Translation (NAT) and rudimentary packet filtering, but it lacks the sophisticated inspection capabilities, logging, and security features that a business network requires.
A business-grade firewall — sometimes called a Unified Threat Management (UTM) appliance or Next-Generation Firewall (NGFW) — provides a comprehensive suite of security functions in a single device. These typically include stateful packet inspection, intrusion detection and prevention (IDS/IPS), content filtering, application control, VPN termination, anti-malware scanning, and detailed logging and reporting.
For UK small businesses, the leading firewall options include Cisco Meraki MX (cloud-managed, excellent for businesses with managed IT support), Fortinet FortiGate (powerful features at competitive pricing), SonicWall TZ series (good value for small offices), and WatchGuard Firebox (strong reporting and compliance features). Prices for a small business firewall suitable for 25 to 50 users typically range from £500 to £2,000 for the hardware, plus annual licence subscriptions of £300 to £800 for security services such as IPS, content filtering, and anti-malware.
The UK Government's Cyber Essentials scheme — a baseline cyber security certification that is increasingly required for government contracts and valued by commercial clients — specifically requires boundary firewalls as one of its five technical controls. To achieve Cyber Essentials certification, your firewall must block all inbound connections by default and only allow specifically authorised traffic. Your ISP router alone will not satisfy this requirement — you need a properly configured business firewall with documented rules. Achieving Cyber Essentials certification is a practical, affordable first step that demonstrates your commitment to network security and protects your business against the most common internet-based attacks.
Segment Your Network with VLANs
Network segmentation — dividing your network into separate zones with controlled traffic flow between them — is one of the most effective security measures available to small businesses, yet it is also one of the most commonly neglected. In a flat, unsegmented network, every device can communicate freely with every other device. If a single workstation is compromised by malware, the attacker can move laterally across the entire network, accessing servers, other workstations, printers, IP cameras, and any other connected device.
Virtual LANs (VLANs) provide network segmentation without requiring separate physical networks. A VLAN is a logical partition of a network that isolates traffic — devices on one VLAN cannot communicate with devices on another VLAN unless a router or firewall explicitly permits the traffic. This means you can create separate network zones for different purposes, each with its own security policies.
A sensible VLAN structure for a UK small business might include a Corporate VLAN for employee workstations and laptops, a Server VLAN for on-premises servers and storage (with restricted access from the corporate VLAN), a Guest VLAN for visitor Wi-Fi (completely isolated from all internal resources), a VoIP VLAN for IP telephones (ensuring voice quality and preventing phones from being used as network entry points), and an IoT VLAN for printers, cameras, and smart devices (isolated because IoT devices are notoriously insecure and frequently targeted).
| VLAN | Purpose | Devices | Internet Access | Internal Access |
|---|---|---|---|---|
| VLAN 10 — Corporate | Employee workstations | Laptops, desktops | Full (filtered) | Servers, printers |
| VLAN 20 — Servers | Business-critical systems | File servers, apps | Limited (updates only) | From Corporate only |
| VLAN 30 — Guest | Visitor internet access | Guest devices | Full (throttled) | None — fully isolated |
| VLAN 40 — VoIP | Voice communication | IP phones, handsets | VoIP provider only | None |
| VLAN 50 — IoT | Smart devices | Printers, cameras, sensors | Limited (vendor updates) | From Corporate (print only) |
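The table above, and the Cyber Essentials requirement earlier in this guide that everything is blocked unless explicitly authorised, both come down to the same firewall design: a short list of allow rules and a default deny for everything else. The following is an added example (not vendor configuration and not Cloudswitched's own code) that encodes the zone table as allow rules, evaluates sample flows against them, and lints the rule set for anything that contradicts the isolation requirements. The port numbers and the VoIP provider address are assumptions made for the illustration; reply traffic for an allowed connection is handled by the firewall's state table and is not modelled.

```python
"""Default-deny inter-VLAN policy evaluator and policy lint (added example).

Zone names follow the table above. Ports and the VoIP provider address are
constructed for the illustration; a real firewall also tracks connection state
so that replies to allowed flows are permitted without separate rules.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

CORPORATE, SERVERS, GUEST, VOIP, IOT, INTERNET = (
    "Corporate", "Servers", "Guest", "VoIP", "IoT", "Internet")
INTERNAL_ZONES = {CORPORATE, SERVERS, GUEST, VOIP, IOT}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: Optional[FrozenSet[int]] = None      # None = any destination port
    dst_hosts: Optional[FrozenSet[str]] = None  # None = any host in the zone
    comment: str = ""


# Explicit allow list derived from the table; anything not listed is denied.
ALLOW: List[Rule] = [
    Rule(CORPORATE, INTERNET, comment="full internet, content-filtered upstream"),
    Rule(CORPORATE, SERVERS, frozenset({443, 445}), comment="HTTPS and SMB to servers"),
    Rule(CORPORATE, IOT, frozenset({631, 9100}), comment="print only (IPP, raw)"),
    Rule(SERVERS, INTERNET, frozenset({80, 443}), comment="updates only"),
    Rule(GUEST, INTERNET, comment="guest internet, bandwidth-throttled"),
    Rule(VOIP, INTERNET, frozenset({5060, 5061}), frozenset({"203.0.113.50"}),
         "VoIP provider only (constructed provider address)"),
    Rule(IOT, INTERNET, frozenset({443}), comment="vendor updates only"),
]


def evaluate(src: str, dst: str, dport: int, dst_host: str = "") -> Tuple[str, str]:
    """First matching allow rule wins; no match means deny (default deny)."""
    for r in ALLOW:
        if r.src != src or r.dst != dst:
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        if r.dst_hosts is not None and dst_host not in r.dst_hosts:
            continue
        return "allow", r.comment
    return "deny", "no matching rule (default deny)"


def lint(rules: List[Rule]) -> List[str]:
    """Flag rules that contradict the isolation requirements in the table."""
    problems = []
    for r in rules:
        if r.src == INTERNET:
            problems.append(f"{r.src}->{r.dst}: inbound connections must be blocked by default")
        if r.src == GUEST and r.dst != INTERNET:
            problems.append(f"{r.src}->{r.dst}: guest must be fully isolated")
        if r.dst == SERVERS and r.src != CORPORATE:
            problems.append(f"{r.src}->{r.dst}: servers reachable from Corporate only")
        if r.dst == VOIP:
            problems.append(f"{r.src}->{r.dst}: nothing should initiate connections to phones")
        if r.src in (IOT, VOIP) and r.dst in INTERNAL_ZONES:
            problems.append(f"{r.src}->{r.dst}: phones and IoT devices must not initiate to internal zones")
    return problems


if __name__ == "__main__":
    # Constructed sample flows: a compromised guest laptop probing the file server,
    # a workstation printing, and an IoT camera trying to reach the corporate zone.
    for flow in [(GUEST, SERVERS, 445), (CORPORATE, IOT, 9100), (IOT, CORPORATE, 445)]:
        print(flow, "->", evaluate(*flow))
    print("lint:", lint(ALLOW) or "no problems")
```

Running `lint()` against the rule set every time it changes is the check that stops the "ad hoc exceptions" described later in this guide from quietly undoing the segmentation.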
Secure Your Wi-Fi Network
Wi-Fi is often the weakest point in a small business network because it extends your network beyond the physical boundaries of your premises. An attacker does not need to enter your building to access an insecure Wi-Fi network — they only need to be within radio range, which can extend to the car park, the building next door, or even across the street.
Use WPA3-Enterprise (or at minimum WPA2-Enterprise) for your corporate Wi-Fi. Enterprise-mode authentication uses individual credentials for each user — typically integrated with your Microsoft 365 or Active Directory accounts — rather than a shared password that everyone knows. When an employee leaves, you disable their account and they immediately lose Wi-Fi access. With a shared password (WPA2-Personal), you would need to change the password and redistribute it to every remaining employee — something that rarely happens in practice.
Create a separate guest Wi-Fi network on its own VLAN, completely isolated from your internal resources. Guests should be able to access the internet but nothing else. Apply bandwidth limits to prevent a guest from consuming all your available bandwidth, and consider enabling a captive portal that requires guests to accept your acceptable use policy before connecting.
Ensure your access points are running the latest firmware and are centrally managed. Unmanaged access points with default credentials are a common attack vector. Cloud-managed Wi-Fi solutions like Cisco Meraki, Aruba Instant On, or UniFi provide centralised firmware management, rogue access point detection, and wireless intrusion prevention — all critical capabilities for maintaining Wi-Fi security.
Wi-Fi Security Best Practices
- WPA3-Enterprise or WPA2-Enterprise authentication
- Separate SSID and VLAN for guest access
- Individual user credentials (not shared passwords)
- Centralised access point management
- Regular firmware updates on all access points
- Rogue AP detection enabled
- Wireless intrusion prevention active
Common Wi-Fi Security Mistakes
- Using WPA2-Personal with a shared password
- Same network for staff and guests
- Default admin credentials on access points
- Unmanaged, standalone access points
- Firmware never updated after initial install
- No monitoring for unauthorised devices
- Hidden SSID (false sense of security)
Implement DNS Filtering
DNS filtering is one of the simplest and most cost-effective security measures available to small businesses. Every time someone on your network visits a website, their device sends a DNS query to translate the domain name (like www.example.com) into an IP address. A DNS filter intercepts these queries and blocks requests to known malicious domains — phishing sites, malware distribution servers, command-and-control infrastructure, and other threats — before the connection is ever established.
Unlike traditional web filtering that inspects the content of web traffic, DNS filtering works at the network level and applies to all devices on your network, including those you cannot install software on — such as IoT devices, personal mobile phones on your guest network, and legacy systems. It is also extremely fast, adding negligible latency to browsing, and requires no software installation on individual devices.
Leading DNS filtering solutions for UK small businesses include Cisco Umbrella (formerly OpenDNS), Cloudflare Gateway, and DNSFilter. Many business-grade firewalls also include DNS filtering as a built-in feature. Pricing is typically between £1 and £3 per user per month — a trivial cost for a security control that blocks a significant proportion of threats before they reach your network.
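To make the mechanism concrete, here is an added example (not the code of any product named above) of the decision a DNS filter takes for each query: normalise the name, check it and every parent domain against a blocklist, honour an exact-name allowlist for false positives, and only then forward to the upstream resolver. The blocklist entries, the allowlist entry and the stand-in upstream answers are constructed for the illustration; a real service answers blocked queries with NXDOMAIN or a sinkhole address and pulls its lists from threat feeds.

```python
"""DNS filtering decision logic (added example, constructed data).

Demonstrates the parent-domain walk that makes one blocklist entry cover all
of its subdomains, plus an exact-name allowlist for handling false positives.
"""
from typing import Dict, List, Optional, Tuple

# Constructed blocklist: domain -> threat category.
BLOCKLIST: Dict[str, str] = {
    "phish-login.example": "phishing",
    "malware-cdn.example": "malware",
    "c2.badactor.example": "command-and-control",
}
# Constructed allowlist of exact names that must resolve even though a parent
# domain is blocked (the usual way to clear a false positive without unblocking
# the whole domain).
ALLOWLIST = {"status.malware-cdn.example"}

# Constructed stand-in for the upstream resolver (documentation addresses).
FAKE_UPSTREAM: Dict[str, str] = {
    "www.example.com": "203.0.113.10",
    "status.malware-cdn.example": "203.0.113.20",
}
SINKHOLE = "0.0.0.0"  # what a blocked query is answered with in this example


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def match_blocklist(name: str) -> Optional[Tuple[str, str]]:
    """Check the name, then each parent domain in turn.

    Blocking c2.badactor.example therefore also blocks beacon.c2.badactor.example,
    while badactor.example itself is untouched: a child entry never blocks its parent.
    """
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate, BLOCKLIST[candidate]
    return None


def resolve(name: str, client: str) -> Dict[str, str]:
    """Return the filter's decision for one query as a log-style record."""
    qname = normalise(name)
    if qname not in ALLOWLIST:
        hit = match_blocklist(qname)
        if hit:
            return {"client": client, "qname": qname, "action": "block",
                    "matched": hit[0], "category": hit[1], "answer": SINKHOLE}
    # Not blocked: forward to the upstream resolver (simulated here).
    return {"client": client, "qname": qname, "action": "allow",
            "matched": "", "category": "", "answer": FAKE_UPSTREAM.get(qname, "NXDOMAIN")}


def run(queries: List[Tuple[str, str]]) -> Tuple[List[Dict[str, str]], int]:
    """Evaluate (client, name) pairs; return all decisions and the blocked count."""
    decisions = [resolve(n, c) for c, n in queries]
    return decisions, sum(1 for d in decisions if d["action"] == "block")


if __name__ == "__main__":
    # Constructed sample queries from a workstation and a guest phone.
    sample = [("10.10.0.23", "www.example.com"),
              ("10.10.0.23", "WWW.Phish-Login.example."),
              ("10.30.0.8", "beacon.c2.badactor.example"),
              ("10.30.0.8", "status.malware-cdn.example")]
    for d in run(sample)[0]:
        print(d)
```

The parent-domain walk is the part worth copying: a naive exact-match blocklist is trivially bypassed by an extra label, whereas walking up the labels means one entry covers every host under it.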
Keep Everything Patched and Updated
Unpatched network devices — firewalls, switches, access points, and routers with outdated firmware — are one of the most common entry points for attackers targeting small businesses. When a vendor releases a firmware update, it often includes patches for known security vulnerabilities. If you do not apply the update, those vulnerabilities remain in your network, waiting to be exploited.
The challenge for small businesses is that network device updates are easy to forget. Unlike Windows workstations that prompt users to install updates, network devices sit quietly in server rooms and ceiling spaces, running whatever firmware they were installed with until someone remembers to check. We have encountered UK businesses running firewalls with firmware that is three or four years out of date, containing dozens of known, publicly documented security vulnerabilities.
Cloud-managed networking platforms like Cisco Meraki address this problem by managing firmware updates centrally and deploying them automatically on a schedule you define. For businesses using traditional, non-cloud-managed equipment, establish a quarterly firmware review schedule: check for updates from every network device vendor, test updates in a non-production environment where possible, and deploy them during a maintenance window. Document every update applied, including the version number and date, for your compliance records.
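For businesses on traditional equipment, the quarterly review described above is easy to script once the inventory is written down. The following added example (not vendor tooling and not Cloudswitched's own code) compares each device's installed firmware with the current release recorded from the vendor, flags anything overdue for a check, and appends the compliance record for each update applied. The device inventory, model names and version numbers are constructed placeholders, not real vendor releases; the 90-day review interval matches the quarterly schedule in the text.

```python
"""Quarterly firmware review helper (added example, constructed inventory).

Two points a practitioner should take from it: compare versions numerically
rather than as strings, and treat 'not checked recently' as a finding in its
own right, not only 'known to be out of date'.
"""
from datetime import date
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.10.1' -> (7, 10, 1). As strings, '7.10.1' < '7.9.0' because '1'
    sorts before '9'; as tuples the comparison is correct."""
    return tuple(int(part) for part in version.split("."))


# Constructed inventory: model names and versions are placeholders.
INVENTORY: List[Dict[str, str]] = [
    {"device": "fw-01", "model": "ExampleFW-200", "installed": "7.9.0", "last_checked": "2024-01-15"},
    {"device": "sw-01", "model": "ExampleSW-24", "installed": "3.2.4", "last_checked": "2024-04-02"},
    {"device": "ap-01", "model": "ExampleAP-6", "installed": "6.1.0", "last_checked": "2023-06-30"},
]
# Constructed 'current release' per model, as recorded from each vendor's site.
LATEST: Dict[str, str] = {"ExampleFW-200": "7.10.1", "ExampleSW-24": "3.2.4", "ExampleAP-6": "6.1.0"}


def review(inventory: List[Dict[str, str]], latest: Dict[str, str],
           today: date, max_age_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding per outdated device and per overdue check."""
    findings = []
    for dev in inventory:
        current = latest[dev["model"]]
        if parse_version(dev["installed"]) < parse_version(current):
            findings.append({"device": dev["device"], "issue": "outdated",
                             "installed": dev["installed"], "latest": current})
        age = (today - date.fromisoformat(dev["last_checked"])).days
        if age > max_age_days:
            findings.append({"device": dev["device"], "issue": "review overdue",
                             "days_since_check": str(age)})
    return findings


def record_update(change_log: List[Dict[str, str]], device: str,
                  old: str, new: str, applied_on: date) -> None:
    """Append the compliance record the guide asks for: what, from, to, when."""
    change_log.append({"device": device, "from": old, "to": new,
                       "date": applied_on.isoformat()})


if __name__ == "__main__":
    for finding in review(INVENTORY, LATEST, date(2024, 5, 1)):
        print(finding)
```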
Monitor Your Network Continuously
You cannot protect what you cannot see. Network monitoring provides visibility into what is happening on your network in real time — which devices are connected, what traffic is flowing, whether any unusual activity is occurring, and whether your security controls are functioning correctly. Without monitoring, a breach could go undetected for weeks or months, giving the attacker ample time to exfiltrate data, establish persistence, and cause maximum damage.
For UK small businesses, network monitoring does not need to be complex or expensive. A cloud-managed networking platform like Meraki includes comprehensive monitoring as standard — device health, client connectivity, bandwidth utilisation, security events, and alerting. For businesses with traditional infrastructure, a monitoring tool such as PRTG Network Monitor (free for up to 100 sensors), Nagios, or Zabbix provides network visibility without significant cost.
At minimum, your network monitoring should alert you to firewall rule violations (blocked traffic that indicates an attack attempt or misconfigured device), unusual outbound traffic (which could indicate data exfiltration or a compromised device communicating with a command-and-control server), new or unauthorised devices appearing on the network, network device failures or performance degradation, and VPN connection anomalies. Set up email or SMS alerts for critical events so that you can respond promptly rather than discovering problems after the damage is done.
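Three of the alerts listed above (repeated blocked inbound traffic from one source, unusually large outbound transfers from one internal host, and a device that is not in your inventory) can be derived from nothing more than firewall and DHCP logs. The following added example (not the code of Meraki, PRTG, Nagios or Zabbix, and not Cloudswitched's own tooling) runs that logic over a handful of constructed log lines. The log format, addresses, MAC addresses and thresholds are all assumptions made for the illustration; `parse_line()` is the part you would adapt to your own device's syslog format, and the thresholds should be tuned against your own baseline.

```python
"""Baseline network alerting over firewall and DHCP log lines (added example).

The 'ts source key=value ...' line format below is constructed for this
illustration and is not any vendor's syslog format. Public addresses use the
RFC 5737 documentation ranges; MACs and hostnames are made up.
"""
from collections import Counter
from typing import Dict, List

SAMPLE_LOGS = """\
2024-05-01T09:00:01 fw action=allow dir=out src=10.10.0.23 dst=203.0.113.9 dport=443 bytes=1200
2024-05-01T09:00:02 dhcp lease mac=aa:bb:cc:dd:ee:01 ip=10.10.0.23 host=LAPTOP-01
2024-05-01T09:00:05 fw action=deny dir=in src=198.51.100.7 dst=192.0.2.10 dport=3389 bytes=0
2024-05-01T09:00:06 fw action=deny dir=in src=198.51.100.7 dst=192.0.2.10 dport=22 bytes=0
2024-05-01T09:00:07 fw action=deny dir=in src=198.51.100.7 dst=192.0.2.10 dport=445 bytes=0
2024-05-01T09:00:08 fw action=deny dir=in src=198.51.100.7 dst=192.0.2.10 dport=1433 bytes=0
2024-05-01T09:00:09 fw action=deny dir=in src=198.51.100.7 dst=192.0.2.10 dport=5900 bytes=0
2024-05-01T09:01:00 dhcp lease mac=de:ad:be:ef:00:99 ip=10.10.0.77 host=android-3f2a
2024-05-01T09:02:00 fw action=allow dir=out src=10.10.0.41 dst=203.0.113.55 dport=443 bytes=48000000
2024-05-01T09:03:00 fw action=allow dir=out src=10.10.0.41 dst=203.0.113.55 dport=443 bytes=32000000
2024-05-01T09:04:00 fw action=allow dir=out src=10.10.0.23 dst=203.0.113.9 dport=443 bytes=900
"""

# Constructed device inventory: the MAC addresses the business knows about.
KNOWN_DEVICES: Dict[str, str] = {"aa:bb:cc:dd:ee:01": "LAPTOP-01", "aa:bb:cc:dd:ee:02": "LAPTOP-02"}

# Thresholds are assumptions for the illustration; tune them to your baseline.
OUTBOUND_BYTES_THRESHOLD = 50_000_000  # per internal host over the log window
INBOUND_DENY_THRESHOLD = 5             # blocked inbound attempts from one source


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts source key=value ...' into a dict; unparseable lines give {}."""
    parts = line.split()
    if len(parts) < 3:
        return {}
    record = {"ts": parts[0], "source": parts[1]}
    for token in parts[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            record.setdefault("event", token)  # bare word such as 'lease'
    return record


def analyse(log_text: str, known_devices: Dict[str, str]) -> List[Dict[str, str]]:
    """Return alert records; in production these would go to your email/SMS channel."""
    alerts: List[Dict[str, str]] = []
    outbound_bytes: Counter = Counter()
    inbound_denies: Counter = Counter()
    seen_unknown = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        if rec["source"] == "dhcp" and rec.get("mac") and rec["mac"] not in known_devices:
            if rec["mac"] not in seen_unknown:          # alert once per unknown device
                seen_unknown.add(rec["mac"])
                alerts.append({"kind": "unknown_device", "mac": rec["mac"],
                               "ip": rec.get("ip", ""), "host": rec.get("host", "")})
        elif rec["source"] == "fw":
            if rec.get("action") == "deny" and rec.get("dir") == "in":
                inbound_denies[rec["src"]] += 1
            elif rec.get("action") == "allow" and rec.get("dir") == "out":
                outbound_bytes[rec["src"]] += int(rec.get("bytes", "0"))
    for src, count in inbound_denies.items():
        if count >= INBOUND_DENY_THRESHOLD:
            alerts.append({"kind": "inbound_probe", "src": src, "count": str(count)})
    for host, total in outbound_bytes.items():
        if total >= OUTBOUND_BYTES_THRESHOLD:
            alerts.append({"kind": "unusual_outbound", "src": host, "bytes": str(total)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS, KNOWN_DEVICES):
        print(alert)
```

The outbound check here is a plain byte count per host over the window; a better version compares each host against its own historical average so that a backup server's nightly transfer does not page you while a workstation sending a fraction of that volume does.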
The National Cyber Security Centre (NCSC) publishes the "10 Steps to Cyber Security" framework, which provides UK organisations with a structured approach to managing cyber risk. Network security is explicitly covered in the framework, with guidance on network design, monitoring, and access control. The NCSC recommends that all UK businesses, regardless of size, implement network segmentation, monitor network traffic, and manage network device configurations centrally. The full framework is available free of charge from the NCSC website and is an excellent starting point for any small business looking to improve its security posture.
Create a Network Security Policy
Technical controls are essential, but they must be underpinned by a documented network security policy that defines your organisation's approach to network security, assigns responsibilities, and establishes procedures for ongoing management. Without a policy, security measures tend to be inconsistent, undocumented, and gradually eroded over time as ad hoc exceptions accumulate.
Your network security policy should cover acceptable use (what employees can and cannot do on the network), access control (who has access to which network resources and how access is granted, modified, and revoked), device management (standards for network devices, patching schedules, and configuration management), incident response (what happens when a security event is detected), and review schedule (how often the policy is reviewed and updated). Keep the policy concise and practical — a 50-page document that nobody reads is less effective than a 5-page document that everyone understands and follows.
For businesses pursuing Cyber Essentials certification, ISO 27001, or GDPR compliance, a documented network security policy is either explicitly required or strongly expected. Even without a formal compliance requirement, having a written policy demonstrates professionalism, provides a framework for consistent security decisions, and gives you a baseline against which to measure your security posture over time.
Need Expert Network Security for Your Small Business?
Cloudswitched provides comprehensive network security solutions for UK small businesses — from firewall deployment and VLAN segmentation to Wi-Fi security, DNS filtering, and ongoing monitoring. Let us assess your current security posture and build a defence strategy that fits your budget and protects your business.
