The Box in Your Comms Cupboard: Why Your Firewall and VPN Are Now Prime Targets
Edge devices — firewalls, routers and VPN gateways — are now a primary way attackers get into Australian SMEs. The fix is unglamorous: patch, replace, and turn off what you don't use.
Most small businesses can tell you who supplies their internet and roughly where the modem lives. Far fewer can tell you the last time the firewall or VPN was patched, or whether the remote-access box humming away in the comms cupboard is still supported by its manufacturer. That gap matters more than it used to. The Australian Signals Directorate's Annual Cyber Threat Report 2024–25, released in October 2025, named "replace legacy technology" as one of just four critical actions it wants every Australian organisation to take — and the technology it is most worried about sits right at the edge of your network.
Why attackers moved to the perimeter
"Edge devices" is the catch-all term for the equipment that sits between your office and the internet: firewalls, routers, VPN gateways, and any internet-facing server. In February 2025 the ASD's Australian Cyber Security Centre, New Zealand's National Cyber Security Centre and their Five Eyes partners issued joint guidance warning of an increase in targeted attacks on exactly these devices. The logic is simple. A firewall or VPN gateway is reachable from anywhere in the world by design, it often holds credentials and decrypts traffic, and — unlike a laptop — it tends to be installed once and forgotten. Compromise one and you are already inside the perimeter, with no phishing email required.
This is a meaningful shift for smaller organisations. For years the standard advice focused on the human layer: train staff, turn on multi-factor authentication, watch for dodgy invoices. That advice still holds. But an unpatched VPN appliance can be exploited without anyone in your business clicking anything at all, which makes it a different kind of problem to manage.
The cost is no longer abstract
The financial picture from the ASD report should sharpen the mind. Across FY2024–25 the agency received more than 84,700 cybercrime reports — one every six minutes — and responded to over 1,200 incidents, an 11 per cent increase on the previous year. For small businesses, the average self-reported cost of cybercrime per report rose 14 per cent to $56,600. For medium businesses it reached $97,200. Those are averages, not worst cases, and they do not capture the days of downtime, the awkward calls to clients, or the scramble to work out what data walked out the door.
Email compromise and identity fraud still top the list of reported business cybercrimes, but the edge-device problem is what often makes those incidents possible in the first place. An attacker who controls your gateway can read traffic, harvest logins, and move quietly between systems. The entry point and the headline loss are rarely the same thing.
Three checks for the gear at your network edge
First, list every internet-facing device — firewall, router, VPN concentrator, NAS, anything with a public IP — and find out whether each is still supported by its vendor. Anything past end-of-life should be on a replacement plan now, not next budget cycle. Second, confirm someone owns patching for each device and applies security updates within days of release, not months. Third, switch off remote-access and admin features you don't actively use, and put multi-factor authentication on the ones you keep. If you use a managed service provider, ask them to put this in writing.
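The three checks above can be run against a simple device inventory. The script below is an added example, not part of the ASD guidance or the original article: the device names, CSV column names, the audit date and the 14-day patch threshold are all assumptions chosen for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical devices; column names are assumptions).
INVENTORY_CSV = """\
name,kind,support_ends,patch_owner,pending_update_released,remote_admin,remote_admin_needed,mfa
office-fw,firewall,2027-06-30,MSP,,on,yes,yes
old-vpn,vpn gateway,2023-12-31,,2025-03-01,on,yes,no
branch-router,router,2026-01-31,Sam,2025-10-20,on,no,no
nas-01,NAS,2028-03-31,Sam,2025-07-15,off,no,no
"""

MAX_PATCH_LAG_DAYS = 14  # assumption: one reading of "within days of release"


def audit_device(row, today):
    """Return the findings for one inventory row against the three checks."""
    findings = []
    # Check 1: is the device still supported by its vendor?
    if date.fromisoformat(row["support_ends"]) < today:
        findings.append("past vendor end-of-life: plan replacement now")
    # Check 2: does someone own patching, and are updates applied promptly?
    if not row["patch_owner"].strip():
        findings.append("no patching owner")
    pending = row["pending_update_released"].strip()
    if pending:
        lag = (today - date.fromisoformat(pending)).days
        if lag > MAX_PATCH_LAG_DAYS:
            findings.append(f"security update outstanding for {lag} days")
    # Check 3: unused remote access off, MFA on what remains.
    if row["remote_admin"] == "on":
        if row["remote_admin_needed"] != "yes":
            findings.append("remote admin enabled but unused: switch off")
        elif row["mfa"] != "yes":
            findings.append("remote admin in use without MFA")
    return findings


def audit_inventory(csv_text, today):
    """Map each device name to its list of findings (empty list = passes)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: audit_device(row, today) for row in reader}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY_CSV, date(2025, 11, 1)).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

Keeping the inventory in a spreadsheet exported to CSV is enough for this to work; the value is in filling in the support-end date and patch owner for every row.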
What practical action looks like for an SME
You do not need an enterprise security team to act on this. The ASD's practitioner guidance on edge devices is vendor-agnostic and the principles scale down cleanly. Knowing what you own is the foundation — you cannot protect a forgotten device, and most businesses are carrying at least one box nobody remembers buying. From there, the priorities are keeping firmware current, removing equipment the manufacturer no longer supports, and disabling internet-facing management interfaces that exist only because they were on by default.
Logging deserves a particular mention, because it is the action SMEs most often skip. The ASD lists best-practice event logging alongside legacy replacement in its top four actions for a reason: if an edge device is compromised, the logs are frequently the only way to discover it and to work out the blast radius afterwards. Many firewalls and VPN appliances can forward logs somewhere safe with an afternoon's configuration. Without that, an intrusion at the perimeter can run undetected for months.
When you next buy or renew network equipment, treat security support as a selection criterion rather than an afterthought. The ASD's guidance to "choose products and services that are secure by design" applies as much to a $1,500 firewall as to a government data centre — ask how long the vendor will ship security patches, and whether logging is included or locked behind a higher tier.
None of this is glamorous, and that is rather the point. The edge of your network is the least visible part of your IT and, increasingly, the part attackers probe first. A short inventory, an honest look at what is past its use-by date, and a patching routine someone actually owns will put most small businesses well ahead of where the threat reports say the average organisation sits today.