
I just got off the phone with an MSP owner. He was furious. And not in the “my espresso machine is broken” kind of way. 

He was mad because we found stuff—real stuff—during a third-party security assessment of his client’s environment. Stuff he didn’t know was there. Stuff he thought had been handled. 

In his mind? He’d done everything right. 

He had the vulnerability scanner. Ran the reports. Closed the tickets. Green lights all the way down. But when we showed him the actual findings? 

It wasn’t green. It was glowing red. Let me walk you through a few: 

Finding #1: Global Admin as a Daily Driver 

One of the users had been made Global Administrator. Not a temporary account. Not a break-glass account for a one-time emergency. This was their daily login. 

What could possibly go wrong? Let’s review: Users get phished. It happens all the time. When it does, and the compromised account has God Mode, the attacker doesn’t need to escalate privileges—they’ve already got the keys to the kingdom. 

That’s not just a gap. That’s a runway for attackers. 

Finding #2: Mystery EDR, Dead in the Water 

Someone installed antivirus—excuse me, EDR if you want to sound fancy—on a workstation. Only one problem: It wasn’t the standard stack. And no one was maintaining it. So what do you get? An unpatched, outdated endpoint protection tool just sitting there like a baited bear trap. Not spring-loaded. Just… waiting. 

Attack surface expansion, anyone? Outdated software with elevated privileges is how the bad guys win. 

Finding #3: RDP to the World 

And then we hit the grand finale: RDP open to the outside world on two devices. I’ll say that again for the folks in the back: Remote. Desktop. Protocol. Exposed. To. The. Internet. 

Why not just email your passwords directly to Russia? 

It turns out this change was made during a migration project—weeks ago. The team was moving fast, didn’t button things up, and just left the barn door swinging in the wind. Which begs the question: Are you baking security reviews into your project closeout? Because user acceptance testing is great, but attackers don’t care if the printer works—they care if RDP is open. 
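One way to turn that closeout review into a repeatable check is a small script that walks the three findings above against an inventory export. This is an added example, not the author's tooling; the inventory layout, the `daily_use` flag and the `StandardEDR` name are constructed assumptions, and the sample data is made up.

```python
"""Post-project closeout check for the three findings in this post.
The inventory layout below is constructed for this example; map your
own firewall, Entra ID and RMM exports into it."""
from datetime import date, timedelta

# Constructed sample inventory (not real client data).
INVENTORY = {
    "firewall_rules": [  # inbound / port-forward rules at the perimeter
        {"name": "mig-rdp-fileserver", "dst_port": 3389, "src": "0.0.0.0/0", "enabled": True},
        {"name": "vpn-rdp", "dst_port": 3389, "src": "10.20.0.0/16", "enabled": True},
        {"name": "https", "dst_port": 443, "src": "0.0.0.0/0", "enabled": True},
    ],
    "role_assignments": [  # 'daily_use' is assumed to come from sign-in logs
        {"user": "jdoe", "role": "Global Administrator", "type": "permanent", "daily_use": True},
        {"user": "breakglass1", "role": "Global Administrator", "type": "permanent", "daily_use": False},
        {"user": "asmith", "role": "Global Administrator", "type": "eligible", "daily_use": True},
    ],
    "endpoints": [  # EDR agent name and last definition/agent update
        {"host": "WS-014", "edr": "OtherEDR", "last_update": "2025-01-10"},
        {"host": "WS-015", "edr": "StandardEDR", "last_update": "2025-06-01"},
    ],
}
STANDARD_EDR = "StandardEDR"  # assumed name of the approved stack


def is_internet_wide(src):
    """True when the source is the whole internet ("any" or a /0 prefix)."""
    return src.lower() == "any" or src.endswith("/0")


def closeout_findings(inv, today, stale_days=30):
    """Return (code, subject) pairs for anything that should block sign-off."""
    findings = []
    for r in inv["firewall_rules"]:  # Finding #3: RDP open to the world
        if r["enabled"] and r["dst_port"] == 3389 and is_internet_wide(r["src"]):
            findings.append(("RDP_EXPOSED", r["name"]))
    for a in inv["role_assignments"]:  # Finding #1: GA as a daily driver
        if a["role"] == "Global Administrator" and a["type"] == "permanent" and a["daily_use"]:
            findings.append(("GA_DAILY_DRIVER", a["user"]))
    for e in inv["endpoints"]:  # Finding #2: non-standard or unmaintained EDR
        stale = today - date.fromisoformat(e["last_update"]) > timedelta(days=stale_days)
        if e["edr"] != STANDARD_EDR or stale:
            findings.append(("EDR_NONSTANDARD_OR_STALE", e["host"]))
    return findings


if __name__ == "__main__":
    for code, subject in closeout_findings(INVENTORY, date(2025, 6, 15)):
        print(f"{code}: {subject}")
```

Any non-empty result means the project is not done, whatever the scanner dashboard says.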

Here’s the Real Problem 

This MSP had all the tools. Ran all the scans. Fixed all the vulnerabilities. 

But he assumed that would automatically translate into a clean bill of health from a third-party assessment. 

It didn’t. Not even close. 

Why? Because tools don’t think like attackers. And your internal team? They don’t test like attackers either. They’ll miss things. They’ll leave blind spots. And worst of all, they’ll assume everything is fine—until a third party shows them it’s not. 

The Takeaway 

If you’re not getting a third-party assessment of your client environments at least every 90 days, and you’re not running external vulnerability scans at least monthly, you’re not just leaving risk on the table… 

You’re handing it an engraved invitation. And for the love of all that is sacred in cybersecurity, don’t open RDP to the internet and call the job done. 

Make post-project security analysis part of your checklist—right next to documentation and UAT. Because green checkmarks on a scan report are great for dashboards. 

But attackers don’t care about your dashboards. 

They care about your blind spots.