Your firewall and VPN are the front door: attacks target what you expose to the internet
18 July 2026 · 7 min read · INTO MSP team
When a business owner pictures a cyberattack, they usually imagine an email scam: a fake invoice, a phishing link, an employee who clicks. That risk is real, and we have written about it. But the mental picture is incomplete. A growing share of serious breaches never starts with a person at all. It starts with devices and servers that are visible from the internet and that nobody maintains on a schedule.
The attacker in this story does not choose your company. They scan the entire internet, automatically, around the clock, looking for equipment with known vulnerabilities. When they get a hit, it makes no difference whether it belongs to a bank or an accounting firm with eight employees. The target is not you. The target is anything that faces the internet and is behind on patches.
What "exposed to the internet" actually means
Any service you can reach from home without extra protection is visible to an attacker too. In a typical small or midsize business that includes:
- A firewall or router with its management interface reachable from outside
- VPN access for remote work
- A mail server or an aging file server in the office
- Internal applications opened to the internet "temporarily" and left that way
- Cameras, printers and NAS devices with a public address
Each of these is an entry point. Not a theoretical one at some future date, but an address that automated scanners walk past every single day.
The irony: security devices as the point of entry
The most uncomfortable truth of recent years is that serious intrusions often happen through the very equipment bought for protection. Firewalls and VPN gateways are exposed to the internet by design, and when a vulnerability is found in them, attackers exploit it faster than most companies manage to install the fix.
We are watching this play out right now. Microsoft has released a patch for a critical SharePoint Server vulnerability, tracked as CVE-2026-58644 with a CVSS score of 9.8, which allows an attacker to execute their own code on the server. The US cybersecurity agency CISA confirmed the flaw is being actively exploited against internet-facing SharePoint instances and ordered federal agencies to patch on a deadline of days, with similar deadlines set for two critical Fortinet vulnerabilities. Researchers are meanwhile warning about databases of stolen VPN credentials circulating among attackers.
The lesson from these stories is not "SharePoint is bad" or "Fortinet is bad". The lesson is that vulnerabilities in exposed equipment appear constantly, across every vendor, and what decides the outcome is not which device you own but how quickly patches land and whether you even know what you have exposed.
Why small businesses fall furthest behind here
Large organizations have teams that track security advisories and patching deadlines. Even so, regulators still have to impose deadlines on them. A small business has nobody watching at all. The firewall was configured three years ago, it "works", and nobody touches it. The VPN was set up by a former administrator. The old server in the corner runs one application the business cannot live without, on an operating system that stopped receiving updates long ago.
That produces the most dangerous combination there is: a device exposed to the internet, with a known vulnerability, and nobody aware the vulnerability exists. For that kind of entry the attacker needs no phishing email and no cooperation from an employee. They need a scanner and patience, and they have plenty of both.
How this door gets closed
The good news is that this is a matter of discipline, not budget. The steps are well known and achievable for any company:
- Exposure inventory: an exact list of everything in your network that is visible from the internet. Without it, everything else is guesswork.
- Switch off what is not needed: services that do not have to be public move behind the VPN or get disabled. The safest entrance is the one that does not exist.
- Patching on a deadline: fixes for exposed devices do not wait for a quiet week. Critical updates get a deadline in days, not months.
- MFA on everything reachable from outside: VPN and admin access without a second identity check is an open door, because stolen passwords are already in circulation.
- Replace unsupported equipment: a device that no longer receives vendor updates must not stay exposed to the internet, no matter how well it "still works".
- External scanning and monitoring: a periodic check from the attacker's point of view, plus monitoring that raises an alert when something changes.
This is ongoing work, not a one-time project
An exposure inventory from last year is worth little if someone has since opened a new port "just for a moment". A patch installed today does not cover the vulnerability published next month. So this is not a project with a start and an end. It is a process: monitoring, vendor advisories, patching deadlines and documented ownership, so it is always clear who does what and by when.
That is exactly the difference between IT support that answers the phone when something breaks and a managed IT system. In the first model you learn about a vulnerability once someone has exploited it. In the second, the patch is installed before your company ever became interesting to anyone. If you do not know what is currently visible from your network on the internet, that is the first question to ask, yourself or us.
Want this handled, without the drama?
INTO MSP runs security, backup and IT for small and mid-size companies. Step one is a short, no-obligation review.
IT Security → Contact