Do I Need a Firewall? A Plain-English Guide for Small Business
The short answer is yes, you need a firewall. The longer answer is that you probably already have one -- it's just a question of whether it's doing enough for your business.
Firewalls are one of the most common cybersecurity tools in use. According to a 2025 VikingCloud survey, 91% of small and mid-sized businesses use firewalls as part of their defenses. But there's a catch: among businesses with fewer than 20 employees, only 29% have firewall and network monitoring tools in place. If you're in that smaller category, this guide is especially for you.
What a Firewall Actually Does
Think of a firewall as a bouncer at the door of your network. Every piece of data that tries to come in from the internet -- or go out from your network -- has to pass through the bouncer first. The firewall checks each piece of traffic against a set of rules and decides: let it through, or block it.
Without a firewall, your network is an open door. Any device connected to the internet can be probed, scanned, and potentially exploited by automated tools that sweep the internet constantly, looking for easy targets. These aren't targeted attacks -- they're bots testing every address they can find. A firewall stops the vast majority of this noise before it ever reaches your devices.
Research from Spacelift's 2026 cybersecurity report found that installing firewall and antivirus software lowers the chances of malware infections by 85%. That's a significant reduction from a basic protective measure.
Your Router's Built-In Firewall
If you have internet service, you almost certainly have a router, and it likely has a basic firewall built in. The feature usually credited for this is NAT (Network Address Translation), which hides the devices on your internal network behind the router's single public address. Strictly speaking NAT is not a firewall, but it has a firewall-like side effect: when an unsolicited connection arrives from the internet, the router has no record of which inside device it belongs to, so it drops it. Nearly every consumer router pairs NAT with a simple stateful packet filter that does the same job on purpose. Either way, from the outside attackers can see your router but can't directly reach the computers, printers, or other devices behind it, unless you forward a port to one of them or a device opens one for itself through UPnP.
For a very small business -- say, one to five people doing basic office work -- your router's built-in firewall may be adequate, especially if you:
- Keep the router's firmware updated
- Change the default admin password
- Disable remote management (the ability to access your router settings from outside your network)
- Disable UPnP, which lets any device on your network open inbound ports without asking you, and check that no port forwards are configured that you don't recognize
- Use strong WiFi encryption (WPA2-AES or WPA3, never WEP or an open network)
But "adequate" has limits. A basic router firewall looks only at the envelope of each packet, meaning addresses and ports, never at the contents. It won't detect malware inside a file downloaded over a connection it allowed. It won't stop an employee from visiting a phishing website. It won't alert you when a device on your network starts talking to a known malicious server.
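To make the "bouncer" idea and the router section above concrete, here is an added toy model of a stateful, address-and-port-only packet filter. It is example code written for this guide, not code from the guide's author or from any router or firewall vendor; the network ranges, ports and packets are constructed for the illustration. It shows an ordered rule list where the first match wins, a default of "allow out, block in", a connection table that lets replies back in while dropping unsolicited probes, and, in the last case, a malicious payload sailing through because this kind of filter never reads the payload at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed internal network for the example (constructed; not a real office).
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True          # True = opens a new connection; False = part of an existing one
    payload: bytes = b""      # present only to show that the filter never looks at it


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in" (from the internet) or "out" (from the office)
    dport: Optional[int] = None      # None = any destination port
    src_net: Optional[str] = None    # None = any source address

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


class StatefulFilter:
    """Ordered rules, first match wins; default is allow out, block in;
    replies to connections the inside opened are let back in."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # (lan_ip, lan_port, remote_ip, remote_port)
        self.log = []              # (packet, decision, reason): what a real firewall would log

    def direction(self, pkt: Packet) -> str:
        return "out" if ip_address(pkt.src) in LAN else "in"

    def handle(self, pkt: Packet) -> str:
        d = self.direction(pkt)
        # 1. Stateful check: is this a reply to something the office started?
        if d == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return self._decide(pkt, "allow", "reply to a connection the office opened")
        # 2. Explicit rules, in order.
        for rule in self.rules:
            if rule.matches(pkt, d):
                return self._decide(pkt, rule.action, f"matched {rule}")
        # 3. Default policy.
        return self._decide(pkt, "allow" if d == "out" else "block", "default policy")

    def _decide(self, pkt: Packet, action: str, why: str) -> str:
        if action == "allow" and pkt.syn and self.direction(pkt) == "out":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.log.append((pkt, action, why))
        return action


def demo() -> dict:
    """Walk constructed traffic through the filter and return each decision."""
    fw = StatefulFilter([
        Rule("block", "in", dport=3389),                           # never expose Remote Desktop
        Rule("allow", "in", dport=443, src_net="203.0.113.0/24"),  # a partner network may reach HTTPS
    ])
    r = {}
    # An office PC opens a connection to a website: outbound, allowed, remembered.
    r["browse_out"] = fw.handle(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    # The website answers: matches the remembered connection, let in.
    r["browse_reply"] = fw.handle(Packet("198.51.100.5", 443, "192.168.1.10", 51000, syn=False))
    # An internet scanner probes the same PC: nothing inside opened it, default block.
    r["scan_in"] = fw.handle(Packet("192.0.2.77", 40000, "192.168.1.10", 445))
    # The partner network connects to the office HTTPS service: explicit allow.
    r["partner_https"] = fw.handle(Packet("203.0.113.9", 40001, "192.168.1.20", 443))
    # Anyone else tries the same port: no rule matches, default block.
    r["stranger_https"] = fw.handle(Packet("192.0.2.78", 40002, "192.168.1.20", 443))
    # An RDP attempt from the partner range still hits the block rule listed first.
    r["partner_rdp"] = fw.handle(Packet("203.0.113.9", 40003, "192.168.1.20", 3389))
    # Malware arriving as part of the allowed web download: the payload is never read.
    r["malware_over_allowed"] = fw.handle(
        Packet("198.51.100.5", 443, "192.168.1.10", 51000, syn=False, payload=b"<malicious file>"))
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The order of the rules matters: the Remote Desktop block is listed before the partner allow, so even a trusted address cannot reach port 3389. Note also that the final case is allowed for the same reason the web page itself was allowed; telling the two apart requires the content inspection described in the hardware firewall section, not a better rule.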
Software Firewalls vs. Hardware Firewalls
There are two main categories of firewall, and they serve different purposes.
Software firewalls run on individual devices. Windows Defender Firewall (built into every Windows PC) and macOS's built-in application firewall are software firewalls. They protect the specific device they're installed on by controlling which applications can accept or send network traffic.
Software firewalls are useful as a second layer of defense. If something gets past your network firewall, the software firewall on each device is the next line of defense, and it is the only firewall a laptop has when it's on a coffee shop or home network. The good news: if you're running Windows or macOS, you already have one. Make sure it's turned on. Windows Defender Firewall is on by default; the macOS firewall is off by default and has to be enabled in System Settings (under Network > Firewall on current versions).
Hardware firewalls (also called network firewalls or appliances) sit between your internet connection and your entire network. They protect every device behind them. Your router's NAT firewall is a very basic version of this. Dedicated appliances from companies like Fortinet, SonicWall, or Ubiquiti, or a small box running open-source firewall software such as pfSense or OPNsense, do much more.
A dedicated hardware firewall can:
- Inspect the contents of network traffic (called deep packet inspection), not just the addresses and ports
- Block access to known malicious websites and IP addresses, using threat lists the vendor updates
- Detect and prevent intrusion attempts in real time (an intrusion detection and prevention system, or IDS/IPS)
- Create separate network segments (for example, keeping your point-of-sale system on a different network than your office computers)
- Log all network activity for review or compliance
Signs You Need More Than the Default
Your router's built-in firewall might not be enough if:
You handle sensitive data. If you work with client financial information, health records, legal documents, or credit card numbers, you likely have compliance obligations (HIPAA, PCI DSS, etc.) that require more than basic network protection, and usually require you to keep firewall logs as evidence.
You have remote workers connecting to your network. VPN connections need their own firewall rules so that a remote laptop only reaches what it needs, plus logging of who connected and when. A basic router either doesn't offer a VPN or offers one without those controls.
You're running servers or hosting anything. If you have a web server, file server, or any service accessible from the internet, you need firewall rules that are more granular than what a consumer router provides.
You have more than 10-15 devices. As your network grows, so does your attack surface. More devices means more potential entry points and more traffic to monitor.
You've had security incidents. If you've dealt with malware, unauthorized access, or suspicious network activity, it's a signal that your current protection isn't keeping up.
You're on a shared network or commercial building. In many Northern Nevada office parks and shared commercial spaces, businesses share network infrastructure. A dedicated firewall ensures your traffic is properly separated from your neighbors'.
What a Firewall Does NOT Protect You From
This is important to understand, because firewalls are essential but they're not magic:
Phishing emails. A firewall won't stop an employee from clicking a malicious link in an email and entering their password on a fake website. That's a people problem, not a network problem, which is why multi-factor authentication on your accounts and staff training matter as much as any appliance.
Attacks that come through allowed channels. If your firewall is configured to allow web traffic (which it has to be, or you can't browse the internet), malicious downloads can still arrive over that allowed connection. Content inspection on a business-grade firewall catches some of this; endpoint protection (antivirus) on each device is what catches the rest.
Insider threats. A firewall protects your perimeter. If someone with legitimate access to your network decides to copy sensitive data to a USB drive, the firewall has nothing to say about it.
Physical access. If someone walks into your office and plugs into an ethernet port, they're inside the firewall's perimeter. Physical security matters too.
Encrypted malicious traffic. Most web traffic today is encrypted (HTTPS), and attackers use the same encryption to hide malicious downloads and command-and-control traffic. A firewall can only look inside that traffic if you set up TLS inspection, which means installing the firewall's own certificate on every company device; that is extra configuration, it breaks some applications, and it is not something a consumer router can do at all. Without it, even a business-grade firewall sees only where the encrypted traffic is going.
A firewall is one layer in what security professionals call "defense in depth" -- the idea that no single tool protects you from everything, but multiple overlapping layers make it very hard for an attacker to get through.
What It Costs
For a small business, your options range widely:
- Free: Your existing router firewall plus the built-in Windows/macOS software firewalls. Adequate for very small, low-risk operations.
- $200-$600: A business-grade firewall appliance like a Ubiquiti UniFi gateway, a Protectli Vault (running pfSense or OPNsense), or an entry-level Fortinet FortiGate. Suitable for most small offices.
- $600-$2,000+: A managed firewall with subscription-based threat intelligence, content filtering, and intrusion prevention. Companies like SonicWall and Fortinet offer these with annual licensing. Appropriate for businesses handling sensitive data or subject to compliance requirements.
The hardware is a one-time cost. Some vendors charge annual subscription fees for updated threat databases and advanced features; if that subscription lapses, the box keeps filtering by address and port but stops receiving new threat signatures and website categories, so budget for the renewal, not just the purchase.
The Bottom Line
You need a firewall. You probably already have a basic one. Whether that's enough depends on the size of your network, the sensitivity of your data, and what you'd stand to lose if something got through.
If you're not sure whether your current setup is doing its job, we can do a quick network review and tell you exactly where you stand -- and whether it's worth upgrading. Just ask.