Is Your IT Provider Actually Watching Your Firewall?


Most business owners have a firewall. Their IT provider told them that when they signed on. It’s sitting in the closet or mounted in the server room, lights blinking, doing its thing.

But here’s the question almost nobody asks: who’s actually watching it right now?

Not “who installed it.” Not “who set it up two years ago.” Who is actively monitoring it today for threats that didn’t exist last month? Who checked the rules this quarter? Who knows whether the firmware is current?

If you don’t know the answer, you’re in the majority. That’s the problem.

Rules Accumulate. Nobody Cleans Them Up.

A firewall filters traffic based on rules. Simple enough. But those rules don’t stay clean on their own.

Your business changes. New software gets deployed. Employees work from new locations. Vendors need temporary access. Cloud services come online. Every change can require a firewall rule adjustment.

And here’s what most business owners never think about: old rules stick around. Temporary access that was supposed to last a week becomes permanent because nobody removed it. Rules contradict each other. Security analysts call these “zombie rules” or “shadow rules,” and they’re on every firewall that hasn’t been audited recently.

A 2025 analysis by Serma Safety and Security found that firewall rule audits, the one exercise that catches these problems, are “far too often pushed aside, seen as tedious or even pointless.” The result is rules piling up, contradicting each other, or sitting there obsolete. Each one is an open door that nobody’s watching.

The Spending Gap

Businesses are spending more on firewalls than ever. The global next-generation firewall market is projected to reach $5.9 billion in 2026, growing at 9.0% annually, according to Coherent Market Insights. The small business firewall market alone is expected to grow from $2.49 billion in 2025 to $5.75 billion by 2035, according to WiseGuyReports.

But buying the box is half the equation. The other half is management. Configuration. Monitoring. Updates. Audits. A firewall that isn’t managed is a firewall that isn’t protecting you.

The numbers bear that out. Verizon’s 2025 Data Breach Investigations Report analyzed over 22,000 security incidents and 12,195 confirmed breaches across 139 countries. Ransomware showed up in 88% of breaches affecting small businesses, compared to 39% at larger organizations. The Identity Theft Resource Center’s 2025 Business Impact Report found that 81% of small businesses suffered a security breach, data breach, or both in the past 12 months. Among those victims, 62.5% reported total financial impact above $250,000.

The median ransom payment was $115,000. The global average cost of a data breach hit $4.44 million in 2025, according to IBM’s Cost of a Data Breach Report.

For a small business, one of those incidents can exceed your entire annual security budget. Some don’t recover.

What Active Management Looks Like

FireMon, a network security management firm, defines firewall monitoring as “the continuous process of tracking, analyzing, and managing all network traffic passing through a firewall to ensure optimal network security.” Not periodic. Not quarterly. Continuous.

Here’s what that includes in practice:

Traffic and performance metrics. Someone should be watching real-time traffic to spot abnormalities. Not just when something breaks. All the time.

Security events and alerts. When the firewall catches something suspicious, someone needs to see that alert and respond. Not tomorrow. Not next week.

Rule configuration tracking. Every change to your firewall rules should be logged. Who changed it, when, and why. Without that traceability, you can’t investigate incidents, and you can’t maintain compliance.

Software updates and patches. Firewall vendors release updates to close security gaps. If your firewall firmware is six months old, you’re running with known vulnerabilities. Attackers know this.

Regular rule audits. Serma recommends quarterly, semi-annual, or at minimum annual audits of all firewall rules. The goal is to identify obsolete rules, remove unused access, and make sure nothing contradicts good security policy.

Default deny posture. Block everything by default. Only permit pre-approved, trusted traffic. This single principle minimizes your attack surface more than almost anything else.

If your IT provider isn’t doing these things, your firewall is a box with blinking lights and a false sense of security.

The Compliance Angle

If you’re in healthcare, finance, or any industry that handles sensitive data, firewall management isn’t optional. HIPAA, PCI DSS, GDPR, and other regulatory standards require documented, regularly updated security policies and access controls.

HIPAA violations can carry fines of $100 to $25,000 per record exposed. Repeated non-compliance can trigger legal action. Those fines don’t include the cost of breach notification, remediation, or the customers who leave because you lost their data.

A well-managed firewall generates the documentation auditors want to see. A neglected one generates the kind of incident report nobody wants to write.

Five Questions That Tell You Where You Stand

You don’t need to become a firewall expert. You just need five questions. Ask your IT provider these and pay attention to the answers.

1. When was the last time you audited our firewall rules?
If the answer is “we set it up when we onboarded you” or “we check it when something breaks,” that’s not management. That’s neglect.

2. How do you monitor our firewall for threats?
You want to hear about continuous monitoring, real-time alerts, and a defined response process. Not “we get notified if something major happens.”

3. When was the last firmware or software update applied?
If it’s been more than 90 days, ask why. Firewall vendors release patches regularly. Running outdated firmware is a known vulnerability.

4. Can you show me our current firewall rule set and explain each active rule?
A competent provider can walk you through every rule, explain why it exists, and identify which ones are temporary. If they can’t, that should tell you everything you need to know.

5. What’s your process for documenting rule changes?
Every change should have a unique identifier, an owner, a justification, and a timestamp. If there’s no change log, there’s no accountability.
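
The checks described under “What Active Management Looks Like” and in question 5 can be run automatically against an exported rule set. The sketch below is an added example, not code from the book or from any vendor tool. It assumes an ordered, first-match rule list in a hypothetical dict format (field names, addresses and change IDs are constructed) and flags shadowed rules, expired temporary access, missing change records, and a missing default deny.

```python
from datetime import date
from ipaddress import ip_network

REQUIRED = ("change_id", "owner", "justification", "changed_on")

def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    return (ip_network(b["src"]).subnet_of(ip_network(a["src"]))
            and ip_network(b["dst"]).subnet_of(ip_network(a["dst"]))
            and (a["port"] is None or a["port"] == b["port"]))

def audit(rules, today):
    """Return (rule_id, finding) pairs for an ordered, first-match rule list."""
    findings = []
    for i, rule in enumerate(rules):
        # A rule fully covered by an earlier one can never match traffic.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                same = earlier["action"] == rule["action"]
                kind = "duplicates" if same else "conflicts with"
                findings.append((rule["id"], f"shadowed: {kind} rule {earlier['id']}"))
                break
        if rule.get("expires") and rule["expires"] < today:
            findings.append((rule["id"], "expired temporary access"))
        missing = [k for k in REQUIRED if not rule.get(k)]
        if missing:
            findings.append((rule["id"], "undocumented: missing " + ", ".join(missing)))
    # Default deny: the final rule must block everything not permitted above it.
    any_any = {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None}
    if not (rules and rules[-1]["action"] == "deny" and covers(rules[-1], any_any)):
        findings.append((None, "no default deny as final rule"))
    return findings

# Constructed sample rule set (documentation address ranges, made-up change IDs).
DOC = {"change_id": "CHG-EXAMPLE", "owner": "it-ops",
       "justification": "constructed sample", "changed_on": date(2024, 1, 15)}
SAMPLE_RULES = [
    {**DOC, "id": 10, "src": "0.0.0.0/0", "dst": "10.0.0.10/32", "port": 443, "action": "allow"},
    {**DOC, "id": 20, "src": "203.0.113.0/24", "dst": "10.0.0.0/24", "port": None,
     "action": "allow", "expires": date(2025, 1, 31)},   # vendor access, never removed
    {**DOC, "id": 30, "src": "203.0.113.5/32", "dst": "10.0.0.20/32", "port": 22, "action": "deny"},
    {"change_id": "CHG-EXAMPLE", "changed_on": date(2024, 3, 2), "id": 40,
     "src": "198.51.100.0/24", "dst": "10.0.0.10/32", "port": 443, "action": "allow"},
    {**DOC, "id": 99, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES, today=date(2025, 6, 1)):
        print(rule_id, finding)
```

This only catches a rule that is fully covered by a single earlier rule. Partial overlaps and rules shadowed by a combination of earlier rules still need a human review or a dedicated policy analyzer.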

Ask the Questions

Your firewall is one of the most important security devices in your business. But it only works if someone is actively managing it. Rules need auditing. Firmware needs updating. Alerts need responding to. Traffic needs monitoring.

The provider who installs the firewall and walks away is the cheap one. The provider who treats it as a living part of your security posture, something that needs constant attention as your business and the threats against it change, is the one worth paying for.

Ask the five questions above. If your provider can’t answer them clearly, find one who can.


This post is based on Chapter 6 of “Near Miss: Preventable IT Failures Threatening Your Business Security” by Brent Lacy. The book covers 11 common IT failures that put businesses at risk and what to do about them. Get the book on Amazon.
