Business broadband cybersecurity
When businesses think about cybersecurity, they think of strong passwords, multi-factor authentication, and using VPNs for network access.
These are valid solutions, but few consider the security of their broadband connection itself. Malicious attackers may intercept and steal your data or disrupt your operations through broadband components!
This article covers the cybersecurity of your business broadband network: the threats, the protections and the solutions.
💡 Key takeaways:
- No infallible broadband: Even a dedicated fibre optics cable is hackable. Every single broadband option has vulnerabilities.
- ADSL is most vulnerable: While the overall vulnerabilities depend more on the business’s overall cybersecurity strategy, ADSL’s slow speeds, electrical signals, and reduced support for hardware make it the easiest to attack or spy on.
- Regulations: The Service Level Agreement details the regulatory boundary between your business’s and your provider’s cybersecurity responsibilities in case of a broadband cyberattack.
Contents
- General business broadband cybersecurity
- Specific business broadband cybersecurity
- Broadband cybersecurity compliance
General business broadband cybersecurity
All broadband networks have standard cybersecurity features to help keep them safe. These are not technology-specific and are designed to secure incoming and outgoing traffic, as well as monitor the internal network in case of a successful business cyberattack.
The following table gives some examples, including how they relate to the real-world security of a typical bricks-and-mortar business:
General measures | Description |
---|---|
Firewall | Door guards: Essential for blocking unauthorised access and controlling incoming and outgoing network traffic. |
Intrusion Detection System (IDS) | Security monitors: Monitors network traffic for suspicious activity and potential threats. |
Intrusion Prevention System (IPS) | Perimeter barbed wire: Actively blocks detected threats based on pre-defined security policies. |
Secure Wi-Fi Configuration | Internal door locks: Using strong encryption methods (WPA3), disabling WPS, and changing default router passwords. |
Virtual Private Network (VPN) | Bullet-proof car: Encrypts internet traffic, providing a secure connection over public networks. |
Regular Firmware Updates | Regular security upgrade: Ensures that the router has the latest security patches to protect against vulnerabilities. |
Network Segmentation | Safe for valuables: Divides the network into segments to limit the spread of breaches and enhance security. |
Physical Security | National police: Protects routers and networking equipment from physical tampering or theft. |
Encryption | Hiding the keys under a mat: Encrypts data in transit to prevent interception by unauthorised parties. |
Secure Router Management | Safe keybox: Access to the router's management interface should be secured with strong passwords and, if possible, multi-factor authentication. |
Broadband cybersecurity weaknesses
All broadband technologies have standard security features because they have common weaknesses.
Weakness | Description |
---|---|
Tampering | All signals, even in wired connections, can be intercepted. If unencrypted, it can lead to potential information leakage. |
Jamming | All signals, both wired and wireless, can be jammed to disrupt the connection to a business. |
Routers | All connections have routers acting as the first line of defense, but also as an exposed attack surface. |
Low Bandwidth Broadband | Slower connections are more vulnerable to DDoS attacks that can quickly overwhelm the bandwidth. They also cannot support advanced real-time monitoring and threat detection, which require substantial bandwidth. |
High Bandwidth Broadband | The fastest connections can support the most advanced cybersecurity methods and technologies, but if an attack occurs, sensitive information can be leaked more quickly. |
Specific business broadband cybersecurity
Every broadband technology has its specific weaknesses based on its design. This section covers the specific shortfalls of each standard broadband technology and what measures your business must take to remain secure.
ADSL broadband
ADSL broadband is now considered a legacy technology in the UK. While still in use in existing business broadband contracts, renewing or acquiring an ADSL service is no longer possible. In fact, by January 2027, all ADSL connections will be phased out as part of the “Big Switch Off“.
Remaining ADSL connections need to be weary that it is one of the most vulnerable technologies due to its lack of bandwidth, lessened firmware support, outdated hardware and the more manageable disruption and interception of its electrical signals.
Here are some details on these risks, as well as things your business can do to mitigate them:
Weakness | Description | Security Considerations |
---|---|---|
Line Tapping | Physical tapping of ADSL copper wires to intercept data transmissions | - Ensuring strong encryption (e.g. https) - Inspecting cabling for any tapping devices. - Implementing Intrusion Detection Systems (IDS). |
Limited Bandwidth for Monitoring | ADSL is slow and often can't handle the additional bandwidth needs of real-time monitoring tools. | - Use basic monitoring tools - Upgrading to fibre optics. |
DSL Signal Interference | Electrical signals travelling through copper wires can be easily disrupted using magnetic fields. | - Use cable shielding to reduce interference. - Monitoring signal quality - Using ADSL splitters and filters for redundancy. |
Outdated Authentication | As an outdated technology, many ADSL routers come with outdated security features (e.g. weak default passwords, No 2FA, no updates support). | - Purchasing a modern ADSL router - Upgrading to fibre-optics - Changing default passwords and enabling 2FA. - Updating router firmware (if available) - Disabling unused routers and services without firmware updates. |
DDoS | While all technologies are vulnerable, ADSL-hosted services have low bandwidth, making them easier to overhwhelm. | - Upgrade to a higher bandwidth connection. |
The general advice is to upgrade to a more performant type of broadband that can support advanced threat protection and the latest hardware and firmware.
Fibre-to-the-Cabinet (FTTC)
FTTC broadband is a part-copper wire, part-fibre optic connection that leverages the ubiquity of telephony cables with the speed of fibre. It remains relevant in underserved areas like rural zones where full-fibre (FTTP) may remain unavailable. Read our FTTP vs FTTC article to understand the differences.
FTTC inherits many of the vulnerabilities of ADSL because the section between the premises and the street cabinet is still covered in copper wires and has new ones related to the telephony-fibre intersection:
Weakness | Description | Security Considerations |
---|---|---|
Line Tapping | Physical tapping of copper wires to intercept data transmissions | - Ensuring strong encryption (e.g. https) - Inspecting cabling for any tapping devices. - Implementing Intrusion Detection Systems (IDS). |
DSL Signal Interference | Electrical signals travelling through copper wires can be easily disrupted using magnetic fields. | - Use cable shielding to reduce interference. - Monitoring signal quality - Using ADSL splitters and filters for redundancy. |
Man-in-the-Middle (MitM) Attack | FTTC connections can be vulnerable to MitM attacks, where an attacker intercepts and potentially alters the communication between two parties. | - Use strong encryption (e.g., TLS). - Use VPNs to secure connections over public networks. |
Physical Cabinet Security | Street cabinets used in FTTC can be physically accessed and tampered with, allowing attackers to disrupt services or intercept data. | - Independently inspect cabinets or ask broadband provider to check. |
Fibre-to-the-Premises (FTTP)
Full-fibre or FTTP broadband is the most performant type of connection available, as it relies on light-speed data transmission from your provider’s servers to your premises. While it supports the latest cybersecurity methods and technologies, fibre optic cables are not infallible against tampering or signal jamming, and their high performance can be a curse if it is used against you:
Weakness | Description | Security Considerations |
---|---|---|
High Bandwidth Exploitation | High bandwidth can be exploited for data theft or DDoS attacks | Implement DDoS protection, monitor network traffic, use rate limiting |
Line Tapping and Signal Jamming | Physical tapping/jamming of fibre-optics is harder than copper cables. It requires specialised equipment to 'split' the light signals or 'bend' the cables to intercept/jam the signal. | - Tamper-evident enclosures. - Regular cable inspection. - Use fibre intrusion detection - Secure installation and maintenance practices. |
Exploitation of large data volumes | High-speed FTTP connections can carry large volumes of sensitive data, increasing the speed a volume of a successful attack. | - Encrypt data at rest and in transit. - Implement strict access controls and authentication. - Regularly audit and monitor data access and transmission logs. |
Cable broadband
Cable broadband (offered by Virgin Media), uses coaxial cables to deliver superfast broadband. Despite its high performance, it suffers from other attack vectors due to its shared medium architecture:
Weakness | Description | Security Considerations |
---|---|---|
Coaxial Cable Signal Interception | Coaxial cables can be tapped more easily than fibre optics due to the nature of the electromagnetic signals used. | - Strong encryption - Regular inspection and maintenance of physical cabling. - Intrusion detection systems for monitoring. |
Signal Leakage | Coaxial cables can experience signal leakage, which makes eavesdropping much easier. | - Ensure proper shielding of coaxial cables and use high-quality connectors and cabling. - Conduct periodic testing for signal leakage. |
Router and Modem Vulnerabilities | Cable broadband relies on routers and modems which will have lessened support over time, as fibre is a more scalable technology which received more development focus. | - Ensure regular firmware and software updates - Use devices from reputable manufacturers. - Disable unused services and ports to reduce the attack surface. |
Bandwidth Allocation and QoS Exploits | Cable's shared medium architecture makes it more vulnerable to the manipulation of Quality of Service (QoS) settings, allowing attackers to prioritise their own traffic and potentially dely service to legitimate users. | - Secure QoS settings. - Monitor network traffic for signs of QoS manipulation. - Implement rate limiting to prevent bandwidth hogging by any single user. |
Mobile broadband
Mobile business broadband that uses 5G and other cellular networks is vital for safe remote working. It ensures your employees have their own network when travelling, avoiding public Guest WiFi and other security pitfalls. However, wireless cellular networks are not infallible, and the portability of mobile devices also increases their vulnerability. Here are mobile-specific risks and how to avoid them:
Weakness | Description | Security Considerations |
---|---|---|
Cellular Network Tapping and Jamming | Mobile broadband relies on cellular networks, which can be vulnerable to attacks like SIM jacking, fake base stations (IMSI catchers), and man-in-the-middle (MitM) attacks. These exploits can intercept, alter, or block communications. | - Using strong mobile data encryption (e.g. LTE-A; 5G standards). - Multi-factor authentication (MFA) to protect physical SIM cards. - Implementation of E-SIMs. |
Device Vulnerabilities | Mobile devices can be targets for malware, phishing, and other cyber attacks, compromising the security of mobile broadband connections. Their sheer number and variety make the attack surfaces larger. | - Ensure devices are updated and patched. - Implement device management solutions. - Implement Zero-Trust security. |
Public Wi-Fi Risks | Users of portable mobile broadband can accidentally connect to public Wi-Fi networks by accident, which can be insecure and susceptible to various attacks. | - Set devices to only connect to mobile broadband WiFi network and disable unknown networks. - Encourage VPNs for public Wi-Fi networks if no other choice. |
Physical Device Security | Portable routers and mobile devices are prone to loss or theft, which can lead to unauthorised access to sensitive information and mobile broadband services. | - Use strong, unique passwords and/or biometric authentication. - Enable remote wipe capabilities - Regularly back up data to cloud services to prevent data loss. |
Satellite broadband
Performant LEO satellite broadband is a brand-new technology enabled by trailblazers like Starlink and OneWeb. Issues with satellite cybersecurity are more common in Hollywood blockbusters than something the average business needs to be concerned about.
Nevertheless, businesses should remain vigilant and implement general cybersecurity practices. Examples include keeping all hardware updated and secure from internal threats, implementing Guest WiFi, and using zero-trust network access.
Leased line broadband
Leased line broadband is the most performant and (arguably) most secure type of connection. Your business premises get dedicated fibre-optic cables and bandwidth in that segment and within the public fibre domain. There is, therefore, no risk from medium sharing, wireless signal interception, etc:
Weakness | Description | Security Considerations |
---|---|---|
Data transmission tampering, interception or interruption | Leased lines involve dedicated physical fibre connections that can be tampered with or tapped in the same way as FTTP. | - Secure enclosures and regular inspections. - Tamper-evident seals and secure installation practices. - Physical monitoring and alarms to detect tampering. - Use strong encryption. |
Lack of Redundancy | These dedicated connections may result in a false sense of performance security and negate redundancy as a safety mechanism. | - Implement broadband redundancy (a backup connection; could be another leased line, satellite or mobile broadband, etc). |
Broadband cybersecurity compliance with the Data Protection Act 2018
The Data Protection Act 2018 (DPA 2018) is the UK’s implementation of the General Data Protection Regulation (GDPR), which sets high standards for personal data protection. While it primarily focuses on businesses and organisations handling personal data, it may also affect business broadband providers and other third parties involved in data transmission if there is a data breach in their infrastructure.
DPA 2018 requirements for broadband cybersecurity
Articles 32, 33 and 34 of the GDPR are relevant here:
- Article 32: Requires appropriate technical and organisational measures to protect any personal data handled. This includes measures like encryption, robust authentication methods, integrity and availability.
- Articles 33 & 34: Requires prompt notification of personal data breaches to supervisory authorities and affected individuals.
This means businesses are responsible for covering all cybersecurity essentials, ensuring their networks are safe, and appropriately encrypting any data sent outside this network. This includes setting up network monitoring and alert systems to ensure any breach is caught early and appropriately reported.
Compliance responsibilities of businesses vs broadband providers
While most cybersecurity threats target internal networks, a broadband-related breach usually involves the intersection between organisations, broadband providers and infrastructure providers such as Openreach and KCOM.
Take a successful router attack, for example. A business could be responsible if it didn’t update the router firmware promptly, or the broadband provider could be responsible for a zero-day exploit on a low-quality router. In any case, whoever notices first must report the breach promptly.
Ultimately, the Service Level Agreement (SLA) defines the cybersecurity responsibilities of each party. In general, the duties are as follows:
Infrastructure Providers (Openreach, KCOM) | Broadband Providers (BT, Virgin) | Businesses (End-Users) |
---|---|---|
Maintain and secure physical infrastructure such as cabinets and cables, and ensure service availability and operational integrity. | Deliver and maintain broadband services, including measures like firewalls, and in-transit encryption. | Secure internal network with firewalls, anti-malware, threat monitoring and detection, strong authentification, VPNs, etc. |
Business broadband cybersecurity – FAQs
Our business broadband experts answer commonly asked questions on business broadband cybersecurity in the UK.
Are there any real-life examples of business broadband vulnerabilities?
There certainly have. One recent example was published by the BBC in 2021, in which six million Sky business broadband routers had a critical bug that would have let attackers take over entire networks.
Researchers found the vulnerability existed for 18 months before Sky engineers addressed it, highlighting the essential need for threat detection systems. No matter how good your defences are, there may always be a vulnerability you’re unaware of!
Are there all-in-one business cybersecurity solutions?
The closest you will get to an absolute solution is acquiring cloud-based, dedicated cybersecurity software. It typically includes real-time network monitoring, regular updates, and even audits to ensure you are in compliance with regulations and the latest cyber security.
Unfortunately, an all-in-one solution is impossible, as humans are integral to the cybersecurity puzzle. In other words, the software cannot remind you to train your employees against phishing scams, password generation and even multi-factor authentification.