In 2019, if you ran a business in rural northern Alberta, you had two real options for connectivity: a Telus copper DSL line that was probably good for 5 Mbps on a fair day, or a fixed-wireless service from one of the regional WISPs that did about the same. Both were expensive, both were slow, and both were oversold to the point of being unreliable at peak hours.
By 2024, Starlink had quietly become the primary connection for a large fraction of rural Alberta business. By 2026, it is the only serious option for many businesses, and the gap between Starlink and the alternatives is now wide enough that there is no real comparison.
This is genuinely good for productivity. It is genuinely problematic for cybersecurity in ways that most rural businesses haven't thought about. Here is what changes, and what to do about it.
What changed about the threat model
Traditional rural ISPs — Telus, the regional WISPs, the cable operators — typically provided some form of network-level filtering, DDoS mitigation, abuse handling, and a known-quantity routing path. They were not security products. They were not great. But they existed.
Starlink does not do any of this. Starlink's job is to deliver IP packets between your terminal and the public internet. Whether those packets carry malware, phishing emails, ransomware command-and-control traffic, or legitimate business communications is entirely between you and your endpoint security.
This is the cloud provider model — but at a small business. It is the same arrangement Amazon Web Services has with its customers. AWS does not filter the packets either. The customer is expected to handle that.
For a business that moved from a managed ISP service to Starlink without updating their security posture, this is a meaningful step down in baseline protection.
The three concrete issues
1. Loss of upstream filtering
The downstream effect of Starlink's “pure pipe” approach is that you now need to do at the edge what the ISP used to do upstream. Specifically:
- DDoS mitigation: non-existent at the Starlink layer. If a business gets targeted, the dish gets saturated. Mitigation has to happen at the application layer (Cloudflare, CDN-based protection) or via cloud-based scrubbing services.
- Abuse handling: if compromised devices on your network start sending spam or participating in a botnet, Starlink's abuse desk will eventually notice and may rate-limit or terminate service. The traditional ISP would typically contact you first.
- Phishing and content filtering at the gateway: typical rural businesses relied on whatever filtering their ISP provided. Starlink provides none.
The fix is to install network-level protection yourself. Practically: a properly-configured next-generation firewall (we deploy UniFi or Sophos for most SMB clients), DNS-level filtering via Cloudflare Zero Trust or Cisco Umbrella, and endpoint-level filtering via EDR.
2. CGNAT and inbound services
Starlink uses Carrier-Grade NAT (CGNAT) for residential and most small-business plans. The practical effect: you don't have a public IP address. Inbound connections from the internet to a device on your network don't work without explicit tunneling.
For most businesses this is fine — you are mostly making outbound connections to cloud services anyway. But it breaks specific use cases:
- On-premises servers that need to be reachable from outside (a self-hosted accounting server, a security camera DVR remote viewing, a legacy VPN endpoint)
- Some site-to-site VPNs between offices
- Some remote access tools that rely on direct port forwarding
The fix is to move these workloads to cloud-hosted equivalents (the right answer for almost every modern SMB), or to use a tunnel-based service like Cloudflare Tunnel, Tailscale, or ZeroTier that doesn't require inbound public-IP access.
3. Connection variability and the single-point-of-failure problem
Starlink works astonishingly well most of the time. It also goes down. Cold-weather degradation, satellite gaps in the constellation during certain hours, severe weather, terminal failures — all are real failure modes. We have measured uptime of 99.5–99.7% across rural Alberta deployments, which is good for residential and acceptable for many businesses, but a meaningful gap from the four-or-five-nines that enterprise expectations sometimes assume.
For business-critical workloads, single-link dependency is increasingly unacceptable. The fix is dual-link with automatic failover:
- Primary: Starlink (high bandwidth, low cost per GB)
- Secondary: LTE/5G modem from one of the major Canadian carriers (lower bandwidth, higher cost per GB, dramatically different failure correlation)
A simple SD-WAN router (UniFi Dream Machine, Peplink, or similar) can manage failover automatically. When Starlink degrades, traffic shifts to LTE within seconds. When Starlink recovers, traffic shifts back. The business stays online through almost every failure mode that matters.
Monthly cost: typically $50–150 for the LTE backup line, depending on data plan and carrier. For a business that depends on connectivity, this is the cheapest insurance available.
The defensible baseline for Starlink-connected rural SMBs
We deploy roughly this stack for clients whose primary connectivity is Starlink:
| Layer | Component | Purpose |
|---|---|---|
| Edge | UniFi or Sophos firewall | NGFW with IPS, geo-blocking, content filtering |
| DNS | Cloudflare Zero Trust DNS | Phishing/malware filtering at the DNS layer |
| Failover | LTE/5G modem on UniFi Dream Machine | Automatic backup connectivity |
| Endpoint | Huntress EDR | Process-level protection independent of network |
| Cloud | Microsoft Defender for Office 365 | Email + SaaS protection |
| Backup | Cove or Datto | Cloud + local backup with bandwidth-aware scheduling |
This stack costs roughly $150-400/month for a typical 10–30 seat business, depending on tier and tooling choices. It restores the layered defense that traditional ISP-managed connections provided, plus a fair amount more.
What about residential Starlink plans?
Many small businesses run on Starlink residential plans because they're cheaper and were the only option when they first signed up. Starlink's terms of service technically restrict business use, and the Starlink Business plans offer better throughput, priority access during congestion, and a static IP option that eliminates CGNAT for inbound services.
For genuinely business-critical use, Starlink Business is worth the price difference. For lifestyle businesses or owner-operated outfits, residential is usually fine — just understand the CGNAT and ToS implications.
What to do this week
If you run a business on Starlink:
- Verify whether you have business-grade edge protection. If your router is a stock Starlink mesh node, you do not. The Starlink router is a consumer-grade device.
- Set up DNS-level filtering. Cloudflare Zero Trust has a free tier that's sufficient for most SMBs. Point your router's DNS to it.
- Plan for connectivity failover. Even if you don't implement it immediately, know what you would do during a multi-hour Starlink outage.
- Document your connectivity architecture. Your cyber-insurance carrier will eventually ask.
How we help
Peace Country Cyber deploys, manages, and monitors this stack for rural Alberta clients as part of our Cyber Essentials + Managed IT tier. Network architecture review and firewall deployment are common project engagements at $500/site plus hardware passthrough.
The era when rural SMBs could ignore network security because the ISP handled it is over. Starlink's arrival changed the connectivity landscape — and the security landscape with it.
Peace Country Cyber is northern Alberta's local cybersecurity partner. Take the free Security Risk Report →