
What Does a Firewall Actually Do, and Does My Business Need One?

A firewall is the gatekeeper between your office network and the internet. Here is what one actually does, in plain English, and whether your business needs a proper one.

22 Apr 2026 6 min read

A firewall sits between your office network and the internet and decides what traffic is allowed through. It inspects the connections going in and out and blocks anything malicious, unauthorised, or that simply has no business being there. Where antivirus protects an individual computer, a firewall protects the network as a whole - it controls what can reach your laptops, servers and phones in the first place.

Does your business need one? Almost certainly, and in most cases you already have a basic firewall without realising it. The useful question is whether the one you have is good enough, and that is worth a few minutes to understand.

A firewall protects the network, not the device

Picture your office as a building. Antivirus and EDR (endpoint detection and response) are like security staff posted inside each room, watching what happens on individual laptops and servers. A firewall is the desk at the front door, checking who and what is allowed into the building at all.

You want both. EDR catches a threat that has already landed on a device, such as a dodgy attachment someone has opened. A firewall stops a lot of that traffic before it ever reaches the device. They cover different ground and neither replaces the other. If you have read our article on EDR, think of the firewall as the layer that sits in front of it.

Your ISP router has a firewall, and it usually isn't enough

The broadband router your internet provider supplied almost certainly has a basic firewall built in. It does one useful thing well: it blocks unrequested connections coming in from the internet. For a home, that is broadly fine.

For a business it falls short in a few ways that matter:

  • It only checks whether traffic was requested, not whether it is actually safe. If a member of staff clicks through to a malicious website, that request still gets through.

  • It offers little or no web filtering, so there is nothing stopping someone reaching a known phishing or malware site.

  • It rarely lets you see what is happening on your network, or warns you when something looks wrong.

  • It is built down to a price, gets firmware updates slowly, and is often left running on its default settings.

For a couple of laptops in a back office, that might be a risk you can live with. For a team of fifteen handling client data, card payments or NHS information, it is the thin end of the wedge.
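The first limitation in the list above can be shown with a toy model. This is an added example, not code from any router: the class name, fields and documentation-range addresses are constructed, and address translation is left out to keep the logic visible.

```python
# Toy model of a basic router firewall: it remembers outbound connections
# and admits only their replies. All names and addresses are constructed.
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = office to internet, "in" = internet to office


class BasicStatefulFirewall:
    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Every outbound request is trusted; the destination is never vetted.
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: allowed only if it mirrors a connection the office opened.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return "block"


def demo() -> dict[str, str]:
    fw = BasicStatefulFirewall()
    laptop, bad_site, stranger = "192.168.1.20", "203.0.113.50", "198.51.100.7"
    return {
        # Nobody inside asked for this connection, so it is dropped.
        "unrequested_inbound": fw.handle(Packet(stranger, 40000, laptop, 3389, "in")),
        # A member of staff clicks a malicious link: the request goes out...
        "click_to_bad_site": fw.handle(Packet(laptop, 51000, bad_site, 443, "out")),
        # ...and the reply is let back in, because it was requested.
        "bad_site_reply": fw.handle(Packet(bad_site, 443, laptop, 51000, "in")),
        # The same site cannot reach a port the laptop never used.
        "unmatched_reply": fw.handle(Packet(bad_site, 443, laptop, 51001, "in")),
    }


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{event:20} {verdict}")
```

The third result is the gap web filtering and gateway scanning are meant to close: the reply is admitted purely because it was requested.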

What a proper business firewall adds

A dedicated business firewall - you will often hear it called a UTM, or Unified Threat Management appliance - bundles several security jobs into one box at the edge of your network. Typically it gives you:

  • Intrusion prevention, which spots and blocks the patterns of an active attack as it happens.

  • Web and content filtering, stopping staff reaching malicious or inappropriate sites and blocking known-bad domains.

  • Gateway anti-malware, scanning traffic for known threats before it lands on a device.

  • VPN, an encrypted tunnel so remote and home workers can reach office systems safely.

  • Logging and visibility, a record of what is connecting where, which is invaluable when something goes wrong.

This is the level of protection most UK SMEs should be aiming for. It is the difference between a locked front door and a door with a lock, a camera, and someone watching the feed.

Where Next-Generation Firewalls go further

A Next-Generation Firewall (NGFW) is the more capable end of the same family. The two features that set it apart are application awareness and deep packet inspection.

An older firewall sees traffic as anonymous data flowing through a numbered port. An NGFW can tell that the traffic is Microsoft 365, or a particular cloud accounting package, or someone streaming video, and apply different rules to each. It can also look inside encrypted traffic to check it is genuinely what it claims to be. So you can allow the business apps your team relies on while blocking the risky ones, rather than reaching for the blunt instrument of switching whole categories off.

Not every business needs the full NGFW feature set, and the licensing costs more. Part of choosing a firewall is matching the appliance to how you actually work, rather than buying the biggest box on the shelf.

Why this matters now: insurance and compliance

For years a firewall was something IT quietly looked after and nobody else thought about. That has changed, and the driver is money.

Cyber insurance has become close to essential for UK businesses, and insurers have tightened their requirements considerably. A cyber insurance proposal will ask whether you have a properly configured firewall protecting your network. Answer yes, and if you later make a claim, the insurer can investigate whether that was actually true. A firewall that was missing, left on factory defaults, or never updated can be grounds to reduce or refuse a payout, at exactly the moment you need the money most.

The same expectation runs through the security frameworks UK businesses are increasingly asked to meet. Cyber Essentials, the government-backed scheme, makes firewalls one of its five core controls. It requires that boundary firewalls have their default administrative passwords changed, that unrequested inbound connections are blocked by default, and that any rule allowing inbound traffic has a documented business reason. If you bid for public-sector or larger corporate contracts, or work with NHS data, you will likely be asked for Cyber Essentials, and the firewall control is one of the first things assessed.

Worth knowing: certifying to Cyber Essentials currently includes free cyber insurance, with £25,000 of cover, for UK-domiciled organisations whose turnover is under £20 million, provided the whole organisation is certified. The firewall work that satisfies the framework can therefore also help satisfy your insurer.

A firewall is not set-and-forget

This is the part that catches people out. Installing a good firewall is not the finish line. To keep doing its job, it needs ongoing attention:

  1. Firmware updates. Manufacturers patch security flaws regularly, and an unpatched firewall has been the way into more than one business breach.

  2. Rule reviews. Over time, rules get added for a temporary need and never removed. Each forgotten rule is a small hole, and they need pruning.

  3. Monitoring. The logs and alerts only help if someone is actually reading them and acting when something looks off.

A firewall left untouched for three years can end up less secure than no firewall at all, because it gives a false sense of safety while quietly running known-vulnerable software.
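The Cyber Essentials firewall points described earlier and the rule review in step 2 can be checked mechanically. The sketch below is an added example, not a vendor tool or an official Cyber Essentials check: the export format, field names and sample rules are all constructed for illustration.

```python
from datetime import date

# Constructed sample export; the field names are assumptions, not a vendor format.
CONFIG = {
    "admin_password_is_default": False,
    "default_inbound_action": "deny",
    "rules": [
        {"id": 1, "direction": "in", "action": "allow", "port": 443,
         "reason": "Client portal (HTTPS)", "expires": None},
        {"id": 2, "direction": "in", "action": "allow", "port": 3389,
         "reason": "", "expires": None},
        {"id": 3, "direction": "in", "action": "allow", "port": 8080,
         "reason": "Contractor demo", "expires": date(2025, 6, 30)},
        {"id": 4, "direction": "out", "action": "allow", "port": 443,
         "reason": "", "expires": None},
    ],
}


def audit(config: dict, today: date) -> list[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings = []
    # A missing flag is treated as "still default" so gaps fail safe.
    if config.get("admin_password_is_default", True):
        findings.append("admin: default administrative password still set")
    if config.get("default_inbound_action") != "deny":
        findings.append("policy: unrequested inbound traffic is not blocked by default")
    for rule in config.get("rules", []):
        inbound_allow = rule["direction"] == "in" and rule["action"] == "allow"
        if inbound_allow and not (rule.get("reason") or "").strip():
            findings.append(f"rule {rule['id']}: inbound allow on port "
                            f"{rule['port']} has no documented business reason")
        expires = rule.get("expires")
        if expires is not None and expires < today:
            findings.append(f"rule {rule['id']}: temporary rule expired "
                            f"{expires.isoformat()} and was never removed")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG, date.today()):
        print(finding)
```

Run against a saved copy of the rule list at each review, the output doubles as a dated record of what was checked.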

Why most SMEs have their firewall managed

That ongoing work is exactly why most small and medium businesses do not leave their firewall to look after itself, and rarely hand it to a member of staff as a side job. A managed firewall is configured properly at install, kept patched, reviewed periodically, and monitored, usually as part of a wider IT support arrangement so it sits alongside your other security layers rather than in isolation. It also means that when an insurer or an auditor asks the awkward question, you have a clear, honest answer and the records to back it up.

If you are not sure what is protecting your network today, or whether your current setup would stand up to an insurance claim, it is a sensible thing to check. We work with businesses across Berkshire, Oxfordshire and London to specify, install and manage business firewalls, and we are happy to look at what you have and tell you plainly whether it is fit for purpose.
