Christian M. 7 min read

Business broadband cybersecurity

When businesses think about cybersecurity, they think of strong passwords, multi-factor authentication, and using VPNs for network access.

These are valid solutions, but few consider the security of their broadband connection itself. Malicious attackers may intercept and steal your data or disrupt your operations through broadband components!

This article covers the cybersecurity of your business broadband network: the threats, the protections and the solutions.

💡 Key takeaways:

  • No infallible broadband: Even a dedicated fibre optics cable is hackable. Every single broadband option has vulnerabilities.
  • ADSL is most vulnerable: While the overall vulnerabilities depend more on the business’s overall cybersecurity strategy, ADSL’s slow speeds, electrical signals, and reduced support for hardware make it the easiest to attack or spy on.
  • Regulations: The Service Level Agreement details the regulatory boundary between your business’s and your provider’s cybersecurity responsibilities in case of a broadband cyberattack.

Contents


General business broadband cybersecurity

All broadband networks have standard cybersecurity features to help keep them safe. These are not technology-specific and are designed to secure incoming and outgoing traffic, as well as monitor the internal network in case of a successful business cyberattack.

The following table gives some examples, including how they relate to the real-world security of a typical bricks-and-mortar business:

General measuresDescription
FirewallDoor guards: Essential for blocking unauthorised access and controlling incoming and outgoing network traffic.
Intrusion Detection System (IDS)Security monitors: Monitors network traffic for suspicious activity and potential threats.
Intrusion Prevention System (IPS)Perimeter barbed wire: Actively blocks detected threats based on pre-defined security policies.
Secure Wi-Fi ConfigurationInternal door locks: Using strong encryption methods (WPA3), disabling WPS, and changing default router passwords.
Virtual Private Network (VPN)Bullet-proof car: Encrypts internet traffic, providing a secure connection over public networks.
Regular Firmware UpdatesRegular security upgrade: Ensures that the router has the latest security patches to protect against vulnerabilities.
Network SegmentationSafe for valuables: Divides the network into segments to limit the spread of breaches and enhance security.
Physical SecurityNational police: Protects routers and networking equipment from physical tampering or theft.
EncryptionHiding the keys under a mat: Encrypts data in transit to prevent interception by unauthorised parties.
Secure Router ManagementSafe keybox: Access to the router's management interface should be secured with strong passwords and, if possible, multi-factor authentication.

Broadband cybersecurity weaknesses

All broadband technologies have standard security features because they have common weaknesses.

WeaknessDescription
TamperingAll signals, even in wired connections, can be intercepted. If unencrypted, it can lead to potential information leakage.
JammingAll signals, both wired and wireless, can be jammed to disrupt the connection to a business.
RoutersAll connections have routers acting as the first line of defense, but also as an exposed attack surface.
Low Bandwidth BroadbandSlower connections are more vulnerable to DDoS attacks that can quickly overwhelm the bandwidth. They also cannot support advanced real-time monitoring and threat detection, which require substantial bandwidth.
High Bandwidth BroadbandThe fastest connections can support the most advanced cybersecurity methods and technologies, but if an attack occurs, sensitive information can be leaked more quickly.

Specific business broadband cybersecurity

Every broadband technology has its specific weaknesses based on its design. This section covers the specific shortfalls of each standard broadband technology and what measures your business must take to remain secure.

ADSL broadband

ADSL broadband is now considered a legacy technology in the UK. While still in use in existing business broadband contracts, renewing or acquiring an ADSL service is no longer possible. In fact, by January 2027, all ADSL connections will be phased out as part of the “Big Switch Off“.

Remaining ADSL connections need to be weary that it is one of the most vulnerable technologies due to its lack of bandwidth, lessened firmware support, outdated hardware and the more manageable disruption and interception of its electrical signals.

Here are some details on these risks, as well as things your business can do to mitigate them:

WeaknessDescriptionSecurity Considerations
Line TappingPhysical tapping of ADSL copper wires to intercept data transmissions- Ensuring strong encryption (e.g. https)
- Inspecting cabling for any tapping devices.
- Implementing Intrusion Detection Systems (IDS).
Limited Bandwidth for MonitoringADSL is slow and often can't handle the additional bandwidth needs of real-time monitoring tools.- Use basic monitoring tools
- Upgrading to fibre optics.
DSL Signal InterferenceElectrical signals travelling through copper wires can be easily disrupted using magnetic fields.- Use cable shielding to reduce interference.
- Monitoring signal quality
- Using ADSL splitters and filters for redundancy.
Outdated AuthenticationAs an outdated technology, many ADSL routers come with outdated security features (e.g. weak default passwords, No 2FA, no updates support).- Purchasing a modern ADSL router
- Upgrading to fibre-optics
- Changing default passwords and enabling 2FA.
- Updating router firmware (if available)
- Disabling unused routers and services without firmware updates.
DDoS While all technologies are vulnerable, ADSL-hosted services have low bandwidth, making them easier to overhwhelm.- Upgrade to a higher bandwidth connection.

The general advice is to upgrade to a more performant type of broadband that can support advanced threat protection and the latest hardware and firmware.

Fibre-to-the-Cabinet (FTTC)

FTTC broadband is a part-copper wire, part-fibre optic connection that leverages the ubiquity of telephony cables with the speed of fibre. It remains relevant in underserved areas like rural zones where full-fibre (FTTP) may remain unavailable. Read our FTTP vs FTTC article to understand the differences.

FTTC inherits many of the vulnerabilities of ADSL because the section between the premises and the street cabinet is still covered in copper wires and has new ones related to the telephony-fibre intersection:

WeaknessDescriptionSecurity Considerations
Line TappingPhysical tapping of copper wires to intercept data transmissions- Ensuring strong encryption (e.g. https)
- Inspecting cabling for any tapping devices.
- Implementing Intrusion Detection Systems (IDS).
DSL Signal InterferenceElectrical signals travelling through copper wires can be easily disrupted using magnetic fields.- Use cable shielding to reduce interference.
- Monitoring signal quality
- Using ADSL splitters and filters for redundancy.
Man-in-the-Middle (MitM) AttackFTTC connections can be vulnerable to MitM attacks, where an attacker intercepts and potentially alters the communication between two parties.- Use strong encryption (e.g., TLS).
- Use VPNs to secure connections over public networks.
Physical Cabinet SecurityStreet cabinets used in FTTC can be physically accessed and tampered with, allowing attackers to disrupt services or intercept data.- Independently inspect cabinets or ask broadband provider to check.

Fibre-to-the-Premises (FTTP)

Full-fibre or FTTP broadband is the most performant type of connection available, as it relies on light-speed data transmission from your provider’s servers to your premises. While it supports the latest cybersecurity methods and technologies, fibre optic cables are not infallible against tampering or signal jamming, and their high performance can be a curse if it is used against you:

WeaknessDescriptionSecurity Considerations
High Bandwidth ExploitationHigh bandwidth can be exploited for data theft or DDoS attacksImplement DDoS protection, monitor network traffic, use rate limiting
Line Tapping and Signal JammingPhysical tapping/jamming of fibre-optics is harder than copper cables. It requires specialised equipment to 'split' the light signals or 'bend' the cables to intercept/jam the signal.- Tamper-evident enclosures.
- Regular cable inspection.
- Use fibre intrusion detection
- Secure installation and maintenance practices.
Exploitation of large data volumesHigh-speed FTTP connections can carry large volumes of sensitive data, increasing the speed a volume of a successful attack.- Encrypt data at rest and in transit.
- Implement strict access controls and authentication.
- Regularly audit and monitor data access and transmission logs.

Cable broadband

Cable broadband (offered by Virgin Media), uses coaxial cables to deliver superfast broadband. Despite its high performance, it suffers from other attack vectors due to its shared medium architecture:

WeaknessDescriptionSecurity Considerations
Coaxial Cable Signal InterceptionCoaxial cables can be tapped more easily than fibre optics due to the nature of the electromagnetic signals used.- Strong encryption
- Regular inspection and maintenance of physical cabling.
- Intrusion detection systems for monitoring.
Signal LeakageCoaxial cables can experience signal leakage, which makes eavesdropping much easier.- Ensure proper shielding of coaxial cables and use high-quality connectors and cabling.
- Conduct periodic testing for signal leakage.
Router and Modem VulnerabilitiesCable broadband relies on routers and modems which will have lessened support over time, as fibre is a more scalable technology which received more development focus.- Ensure regular firmware and software updates
- Use devices from reputable manufacturers.
- Disable unused services and ports to reduce the attack surface.
Bandwidth Allocation and QoS ExploitsCable's shared medium architecture makes it more vulnerable to the manipulation of Quality of Service (QoS) settings, allowing attackers to prioritise their own traffic and potentially dely service to legitimate users.- Secure QoS settings.
- Monitor network traffic for signs of QoS manipulation.
- Implement rate limiting to prevent bandwidth hogging by any single user.

Mobile broadband

Mobile business broadband that uses 5G and other cellular networks is vital for safe remote working. It ensures your employees have their own network when travelling, avoiding public Guest WiFi and other security pitfalls. However, wireless cellular networks are not infallible, and the portability of mobile devices also increases their vulnerability. Here are mobile-specific risks and how to avoid them:

WeaknessDescriptionSecurity Considerations
Cellular Network Tapping and JammingMobile broadband relies on cellular networks, which can be vulnerable to attacks like SIM jacking, fake base stations (IMSI catchers), and man-in-the-middle (MitM) attacks. These exploits can intercept, alter, or block communications.- Using strong mobile data encryption (e.g. LTE-A; 5G standards).
- Multi-factor authentication (MFA) to protect physical SIM cards.
- Implementation of E-SIMs.
Device VulnerabilitiesMobile devices can be targets for malware, phishing, and other cyber attacks, compromising the security of mobile broadband connections. Their sheer number and variety make the attack surfaces larger.- Ensure devices are updated and patched.
- Implement device management solutions.
- Implement Zero-Trust security.
Public Wi-Fi RisksUsers of portable mobile broadband can accidentally connect to public Wi-Fi networks by accident, which can be insecure and susceptible to various attacks.- Set devices to only connect to mobile broadband WiFi network and disable unknown networks.
- Encourage VPNs for public Wi-Fi networks if no other choice.
Physical Device SecurityPortable routers and mobile devices are prone to loss or theft, which can lead to unauthorised access to sensitive information and mobile broadband services.- Use strong, unique passwords and/or biometric authentication.
- Enable remote wipe capabilities
- Regularly back up data to cloud services to prevent data loss.

Satellite broadband

Performant LEO satellite broadband is a brand-new technology enabled by trailblazers like Starlink and OneWeb. Issues with satellite cybersecurity are more common in Hollywood blockbusters than something the average business needs to be concerned about.

Nevertheless, businesses should remain vigilant and implement general cybersecurity practicesExamples include keeping all hardware updated and secure from internal threats, implementing Guest WiFi, and using zero-trust network access.

Leased line broadband

Leased line broadband is the most performant and (arguably) most secure type of connection. Your business premises get dedicated fibre-optic cables and bandwidth in that segment and within the public fibre domain. There is, therefore, no risk from medium sharing, wireless signal interception, etc:

WeaknessDescriptionSecurity Considerations
Data transmission tampering, interception or interruptionLeased lines involve dedicated physical fibre connections that can be tampered with or tapped in the same way as FTTP.- Secure enclosures and regular inspections.
- Tamper-evident seals and secure installation practices.
- Physical monitoring and alarms to detect tampering.
- Use strong encryption.
Lack of RedundancyThese dedicated connections may result in a false sense of performance security and negate redundancy as a safety mechanism.- Implement broadband redundancy (a backup connection; could be another leased line, satellite or mobile broadband, etc).

Broadband cybersecurity compliance with the Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) is the UK’s implementation of the General Data Protection Regulation (GDPR), which sets high standards for personal data protection. While it primarily focuses on businesses and organisations handling personal data, it may also affect business broadband providers and other third parties involved in data transmission if there is a data breach in their infrastructure.

DPA 2018 requirements for broadband cybersecurity

Articles 32, 33 and 34 of the GDPR are relevant here:

  • Article 32: Requires appropriate technical and organisational measures to protect any personal data handled. This includes measures like encryption, robust authentication methods, integrity and availability.
  • Articles 33 & 34: Requires prompt notification of personal data breaches to supervisory authorities and affected individuals.

This means businesses are responsible for covering all cybersecurity essentials, ensuring their networks are safe, and appropriately encrypting any data sent outside this network. This includes setting up network monitoring and alert systems to ensure any breach is caught early and appropriately reported.

Compliance responsibilities of businesses vs broadband providers

While most cybersecurity threats target internal networks, a broadband-related breach usually involves the intersection between organisations, broadband providers and infrastructure providers such as Openreach and KCOM.

Take a successful router attack, for example. A business could be responsible if it didn’t update the router firmware promptly, or the broadband provider could be responsible for a zero-day exploit on a low-quality router. In any case, whoever notices first must report the breach promptly.

Ultimately, the Service Level Agreement (SLA) defines the cybersecurity responsibilities of each party. In general, the duties are as follows:

Infrastructure Providers
(Openreach, KCOM)
Broadband Providers
(BT, Virgin)
Businesses
(End-Users)
Maintain and secure physical infrastructure such as cabinets and cables, and ensure service availability and operational integrity.Deliver and maintain broadband services, including measures like firewalls, and in-transit encryption.Secure internal network with firewalls, anti-malware, threat monitoring and detection, strong authentification, VPNs, etc.

Business broadband cybersecurity – FAQs

Our business broadband experts answer commonly asked questions on business broadband cybersecurity in the UK.

Are there any real-life examples of business broadband vulnerabilities?

There certainly have. One recent example was published by the BBC in 2021, in which six million Sky business broadband routers had a critical bug that would have let attackers take over entire networks.

Researchers found the vulnerability existed for 18 months before Sky engineers addressed it, highlighting the essential need for threat detection systems. No matter how good your defences are, there may always be a vulnerability you’re unaware of!

Are there all-in-one business cybersecurity solutions?

The closest you will get to an absolute solution is acquiring cloud-based, dedicated cybersecurity software. It typically includes real-time network monitoring, regular updates, and even audits to ensure you are in compliance with regulations and the latest cyber security.

Unfortunately, an all-in-one solution is impossible, as humans are integral to the cybersecurity puzzle. In other words, the software cannot remind you to train your employees against phishing scams, password generation and even multi-factor authentification.

Compare Business Broadband

Get the best deals from our experts

Related