Your Firewall Won't Save You From Being Badly Run
A firewall cannot save you from being badly run.
That is how this week's podcast opens, and it is the sentence most likely to land in the complaint inbox. Good. Let it.
For years, small businesses have been sold the firewall as the big wall around the castle. It is a lovely image. Very comforting. Also dangerously incomplete.
Here is the uncomfortable truth. A firewall is not a wall. It is a computer sitting at the edge of your network. It runs software. It has management access. It has authentication paths. It has cloud integrations. It has vulnerabilities. And when it fails, everybody suddenly discovers they had a governance problem wearing a hardware badge.
This week, the whole cast sat round the table, because this topic deserves an argument. Mauven on the NCSC framing. Corrine on attacker behaviour. Graham defending the listener who inherited a mess. Lucy on accountability, with what she cheerfully calls a governance hammer. And me, being accused of being difficult for asking people to prove things.
The Firewall Is a Layer, Not a Religion
I am not anti firewall. Nobody sensible is saying remove them. I am anti worship.
A firewall is not a religion. It does not forgive sins. It does not absolve poor patching. It does not fix weak identity. It does not test your backups. It does not train your staff. It does not remove old users. It does not document who owns risk.
And it does not become safe because the dashboard is green. As Lucy put it on the episode, green dashboards are bedtime stories with traffic lights.
The problem is that many businesses were told, for years, that the firewall was the main answer. So yes, the industry shares the blame. Vendors sold boxes. Some managed service providers sold bundles. Business owners bought what they were told to buy. That may explain the mess. It does not excuse leaving it there. Inherited risk is still risk. And once you understand the risk, doing nothing becomes a decision. Doing nothing is not neutral. It is a choice with worse paperwork.
What Defence in Depth Actually Means
Defence in Depth means you do not rely on one control to protect the whole business. You use multiple layers. If one fails, another layer slows the attacker, limits the damage, or helps you spot the problem.
The National Cyber Security Centre describes this as using multiple security measures to reduce single points of failure. That phrase matters: single points of failure. Because that is exactly what attackers look for. One exposed system. One weak identity. One forgotten admin account. One unpatched device. One trusted supplier. One backup console with too much power.
Graham laid out the layer model on the episode, and it is worth writing down: physical access, network, endpoint, identity, applications, data, backups, people, monitoring, and governance. To which I added the one everyone forgets. Ownership. Without ownership, layers become theatre. A control without an owner degrades. A control without monitoring becomes blind. A control without testing becomes belief. And belief is great if you are choosing curtains. Less great when ransomware turns up.
The Week That Proved the Point
We did not pick Defence in Depth out of the air. We picked it because of a security appliance vendor having the sort of few months nobody puts in the glossy brochure.
Over the turn of this year, Fortinet disclosed a pair of authentication bypass vulnerabilities in its FortiCloud single sign-on feature, tracked as CVE-2025-59718 and CVE-2025-59719. A crafted login message could let an unauthenticated attacker walk straight past the sign-on, if that cloud feature was enabled. Those flaws were exploited in the wild within days. Then, in late January, Fortinet disclosed a third, separate flaw, CVE-2026-24858, which worked even against devices that had been fully patched against the first two. The US Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalogue.
I want to be precise here, because this is not Fortinet bad, everyone else good. That would be lazy. Every major edge vendor gets targeted. Microsoft has vulnerabilities. Cisco has them. Palo Alto has them. SonicWall has them. Everyone does. Firewalls, VPNs, and remote access devices sit in a privileged position, and that makes them valuable targets.
The point is not the brand. The point is the response. When a firewall vendor has an exploited authentication bypass, the correct response is not smug reassurance. It is evidence. What devices do we have? Which versions? Was the feature enabled? Was management exposed? Were logs checked? Were accounts reviewed? Who signed off the outcome?
And here is the line I want every business owner to keep. Patching is not a time machine. It closes the known hole. It does not prove nobody walked through it yesterday.
How to Turn This Into a Competitive Advantage
Being able to answer hard questions is a sales asset, not just a defence.
Procurement is asking. Clients, insurers, and larger partners increasingly want to know whether you took reasonable steps. A business that can produce an asset list, a patch process, and evidence of who owns risk wins tenders that a business hiding behind "our MSP handles it" loses.
Evidence beats reassurance. If you only buy reassurance, you will be sold reassurance. The firms that ask their providers for proof get better service, because providers perform better when customers ask for evidence. That is a quiet commercial edge.
You become the safe supplier. In a supply chain full of single points of failure, being the link that can demonstrate layered protection makes you the easy yes for a nervous buyer.
How to Sell This to Your Board
Four arguments that land without scaremongering.
The risk is documented by the government, not a vendor. The Cyber Security Breaches Survey 2025/2026 found 43% of businesses identified a breach or attack last year. That is an official statistic, harder to dismiss than a marketing report.
The basics are still not done. Only 24% of UK businesses have the full set of five Cyber Essentials technical controls. Being in that minority is a defensible, demonstrable position.
Defence in Depth is not a spending spree. You do not need a bank-grade security team to separate guest Wi-Fi, remove old users, turn on strong multi-factor authentication, restrict admin access, and test backups. Most of the gaps attackers exploit are boring and cheap to close.
Doing nothing is now a decision the board owns. Once the risk is understood, inaction is a choice, and it is the choice a solicitor will ask about later.
What This Means for Your Business
The episode ends with ten things to do this week. Here are the five that matter most for a typical 20-person firm.
- Name the owner. Write down the person responsible for cyber risk decisions. Not the person who fixes printers. The person who owns the risk.
- Get the asset list. Ask your IT provider for a list of your edge devices and their firmware versions. If they cannot produce it quickly, that tells you something.
- Close the front door. Make sure firewall and remote-access management is not exposed to the internet unless there is a specific, controlled, logged reason. Read our guidance on why RDP belongs behind a VPN.
- Test a restore. Do not trust a backup job that says success. Restore something, open it, prove it works. And make sure a compromised admin account cannot delete the backups.
- Ask for evidence, not fog. "We are aware" is not an answer. Ask what is monitored, what is logged, what gets patched, and who signs off risk. If that annoys someone, good.
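As an added example (not from the episode or the post), here is a small Python check that turns the five steps above into something a provider can be asked to run against the asset list: it flags devices with no named owner, management exposed with no documented reason, a cloud SSO feature left enabled, stale patching, and backups with no proven restore or that an admin account could delete. The device names, versions, dates and the 30/90-day thresholds are constructed assumptions, not a standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Device fields mirror the questions the post says you must be able to answer:
# what do we have, which version, was the feature enabled, was management exposed, who owns it.
@dataclass
class EdgeDevice:
    name: str
    firmware: str
    owner: Optional[str]                 # named risk owner, None if nobody has signed up
    mgmt_exposed_to_internet: bool
    mgmt_exposure_reason: Optional[str]  # the specific, controlled, logged reason, if any
    cloud_sso_enabled: bool              # vendor cloud single sign-on feature switched on
    last_patched: Optional[date]

@dataclass
class BackupSystem:
    name: str
    last_restore_test: Optional[date]    # when something was actually restored and opened
    admin_can_delete_backups: bool

def assess(devices, backups, today, max_patch_days=30, max_restore_days=90):
    """Return (severity, subject, finding) tuples; thresholds are assumptions, not a standard."""
    findings = []
    for d in devices:
        if not d.owner:
            findings.append(("high", d.name, "no named risk owner"))
        if d.mgmt_exposed_to_internet and not d.mgmt_exposure_reason:
            findings.append(("high", d.name, "management exposed to the internet with no documented reason"))
        if d.cloud_sso_enabled:
            findings.append(("medium", d.name, "cloud SSO enabled: confirm it is needed and fully patched"))
        if d.last_patched is None or (today - d.last_patched).days > max_patch_days:
            findings.append(("high", d.name, f"not patched within {max_patch_days} days"))
    for b in backups:
        if b.last_restore_test is None or (today - b.last_restore_test).days > max_restore_days:
            findings.append(("high", b.name, "no proven restore within the review window"))
        if b.admin_can_delete_backups:
            findings.append(("high", b.name, "a compromised admin account could delete the backups"))
    return findings

# Constructed sample inventory for a small firm (hypothetical names, versions and dates).
SAMPLE_DEVICES = [
    EdgeDevice("fw-edge-01", "7.4.3", "Ops Director", False, None, True, date(2026, 1, 10)),
    EdgeDevice("vpn-legacy", "6.0.1", None, True, None, False, None),
]
SAMPLE_BACKUPS = [BackupSystem("nas-backup", date(2025, 9, 1), True)]

def sample_findings(today=date(2026, 2, 1)):
    return assess(SAMPLE_DEVICES, SAMPLE_BACKUPS, today)
```

The output is a list a board can read: the forgotten VPN box with no owner and an exposed management port produces three high findings, while the owned, patched firewall only gets a medium reminder to justify its cloud SSO feature.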
Defence in Depth is not a slogan. It is not a vendor bundle. It is not a certificate. It is not a firewall with a fancy name, and it is not a green dashboard and a monthly report. It is layered protection against single points of failure, detection when prevention fails, recovery when detection is too late, and ownership before the solicitor asks awkward questions.
Stop pretending your firewall is the strategy. It is a layer. Build the rest.
Listen to the Full Episode
The full round-table discussion, including Corrine's threat reality check and Lucy's MSP accountability segment, is available now on the podcast. Listen wherever you get your podcasts, or via the player on this page.