Despite having modern systems in place, the client’s setup included several high-risk oversights. Their legacy VPN gateway was still active and vulnerable to CVE-2019-11510, a critical flaw known for allowing remote code execution. At the same time, weak password policies and active legacy authentication protocols meant attackers could easily gain a foothold through brute-force attempts. Azure AD was in use, but key security features like Conditional Access weren’t configured, and remote access protocols like IMAP and POP3 remained unnecessarily enabled. These issues quietly undermined the organisation’s security, increasing the chance of compromised credentials and unauthorised access.
To reduce these risks, Secure State recommended a complete shutdown of the vulnerable VPN appliance, replacing it with a modern Azure AD-integrated solution that enforced multi-factor authentication across the board. Company-wide password policies were strengthened with a 12-character minimum and added complexity requirements. Legacy authentication protocols were removed, and Microsoft 365 was hardened with MFA for all users.
Behind the scenes, Active Directory permissions were cleaned up to remove excessive access, while host-based firewall rules helped restrict lateral movement inside the network. A dark web monitoring solution was also introduced to detect any credential exposures, and new internal runbooks were created to help the IT team identify and respond to future threats with confidence. Staff received hands-on training to ensure the new processes were well understood and embedded into everyday operations.
The engagement gave the client the insight and support needed to move from reactive fixes to a more proactive security posture. By closing off high-risk vulnerabilities and aligning internal processes with best practice, the organisation now operates with stronger protections in place and greater leadership visibility into cyber risk. With tighter governance, improved access controls, and a better-trained internal team, the firm can confidently protect its clients, systems, and data, today and into the future.