You've Been Paying for Security That Doesn't Exist

How one client discovered their "managed" network had never been managed at all, and what we found when we opened the hood.


We got the call like we get most calls: a business owner who'd heard enough about cybersecurity risks to be nervous, but not enough from their current vendor to feel confident.

They wanted a second opinion.

What we found wasn't a gap. It was a void.

What "Managed" Is Supposed to Mean

When a business hires a managed IT or network services provider, the implicit promise is simple: a trained professional is actively watching, configuring, and hardening the technology that protects your business. You pay a monthly fee. They handle the complexity. You sleep at night.

That's the deal.

But a contract and an invoice are not the same as work being done. And in this case, the gap between what this client was paying for and what they were actually getting was staggering.

What We Found When We Took Over

When our team began the transition, reviewing and documenting the client's full network environment, we encountered something that stopped us cold.

Nearly everything was running on factory default settings.

Not "mostly configured with a few gaps." Default. Out-of-the-box. The same settings the equipment shipped with, untouched.

Here's what that means in practice:

Default credentials still active. The administrative login for the networking equipment was the same username and password that come printed in the manufacturer's documentation, which is publicly available online. Anyone who knew the make and model of the device could have logged in.

Remote access left wide open. Management interfaces that should be restricted to internal, trusted connections were exposed to the public internet. There was no rule preventing an outside actor from attempting to connect and authenticate. The door wasn't just unlocked. It was propped open with a sign.

No network segmentation. All devices (employee workstations, guest and visitor connections, and business-critical systems) lived on the same flat network. If one device were compromised, an attacker would have unobstructed access to everything else. No walls. No checkpoints.

Firewall rules that weren't rules. The firewall was present. It was powered on. But its configuration hadn't been hardened beyond the manufacturer's baseline, which is designed for ease of setup, not security. "We have a firewall" is not the same as "our firewall is doing anything useful."

No logging. No alerting. There was no mechanism in place to detect unusual activity, failed authentication attempts, or unauthorized access. If something had happened, or had been happening for months, there would have been no record of it.

The Client Had No Idea

This is the part that matters most.

The client wasn't negligent. They weren't unsophisticated. They had hired a professional firm specifically to handle this. They were paying a monthly retainer. They had received no alerts, no reports, and no indication that anything was wrong.

Why would they think otherwise?

This is how vendor failures of this type go undetected for so long. There's no smoke. No visible fire. The business keeps running. The invoices keep going out. The problem isn't visible until someone who knows what to look for actually looks.

In this case, that someone was us. But only because the client decided to ask.

Why This Happens

We're not going to spend much time on this, because the explanation is less important than the lesson.

Some vendors oversell their capabilities and underdeliver on execution. Some use the right terminology in sales conversations and then rely on clients never verifying the work. Some simply do not have the technical depth to configure complex networking equipment correctly, and rather than admit it, they set it up and leave it.

The client has no visibility into any of this. That's the nature of outsourced technical work. You're trusting the vendor to do what they said they'd do.

That trust needs to be earned and verified.

What Verification Actually Looks Like

We're not suggesting every business owner become a network engineer. That's exactly why you hire people.

But there are reasonable questions any vendor should be able to answer, in plain language, with documentation:

"Can you show me the current firewall policy?" A managed vendor should be able to produce a document showing what traffic is allowed, what is blocked, and why.

"When did you last audit the configuration on our core networking equipment?" The answer should include a date, a scope, and findings. Not a vague reassurance.

"What would alert you if someone unauthorized tried to access our network?" There should be a specific, named answer. Not "we'd know."

"Are any management interfaces on our equipment exposed to the internet?" The correct answer is no. If your vendor doesn't immediately know, that's information.

"Can you pull the event logs from the last 30 days?" If logging isn't configured, there are no logs to pull. That answer tells you everything.

A legitimate provider will answer these questions without hesitation. They may need a few minutes to pull documentation, but the documentation exists, because the work was done.

If your vendor gets defensive, vague, or pivots to relationship language instead of technical answers, take note.

What We Did

Once we completed the transition and documented the full scope of what had been left undone, we got to work.

Credentials were replaced across every device. Management interfaces were locked down to internal access only, with strict controls on who could reach them and from where. Network segmentation was implemented, separating different classes of devices and users. Firewall policy was rebuilt from scratch, starting from a deny-all baseline and opening only what the business legitimately needed. Logging and alerting were configured so that anomalous behavior would surface, not sit silently in a system with no eyes on it.
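A minimal version of the policy audit that paragraph describes, as an added example that is not code from the original post or from Borked PC: it checks a rule table for a deny-all baseline and for management ports reachable from outside the trusted range. The rule format, the management port list, the internal range and both rulesets are constructed assumptions for illustration.

```python
import ipaddress

# Assumed for illustration: management-plane ports and the trusted admin range.
MGMT_PORTS = {22, 443, 8443}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def _is_internal(src):
    """A source is trusted only if it is a literal subnet inside INTERNAL."""
    if src == "any":
        return False
    return ipaddress.ip_network(src).subnet_of(INTERNAL)


def audit(rules, default_action):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if default_action != "deny":
        findings.append("default policy is not deny-all")
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules cannot expose anything
        exposed_src = not _is_internal(r["src"])
        if exposed_src and (r["port"] in MGMT_PORTS or r["port"] == "any"):
            findings.append(f"management port {r['port']} reachable from {r['src']}")
        if r["src"] == "any" and r["port"] == "any":
            findings.append("blanket allow-any rule matches all traffic")
    return findings


# Constructed "as found" ruleset: vendor-style defaults, admin reachable from anywhere.
AS_FOUND_RULES = [
    {"action": "allow", "src": "any", "dst": "mgmt", "port": 443},
    {"action": "allow", "src": "any", "dst": "mgmt", "port": 22},
    {"action": "allow", "src": "any", "dst": "any", "port": "any"},
]
AS_FOUND_DEFAULT = "allow"

# Constructed "rebuilt" ruleset: deny-all baseline, admin only from an internal VLAN,
# staff web egress only, guest VLAN explicitly isolated from internal ranges.
REBUILT_RULES = [
    {"action": "allow", "src": "10.0.10.0/24", "dst": "mgmt", "port": 443},
    {"action": "allow", "src": "10.0.20.0/24", "dst": "internet", "port": 443},
    {"action": "deny", "src": "10.0.30.0/24", "dst": "10.0.0.0/8", "port": "any"},
]
REBUILT_DEFAULT = "deny"

if __name__ == "__main__":
    for name, rules, default in (("as found", AS_FOUND_RULES, AS_FOUND_DEFAULT),
                                 ("rebuilt", REBUILT_RULES, REBUILT_DEFAULT)):
        print(name, audit(rules, default) or ["no findings"])
```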

None of this was exotic. It's standard practice. It's what should have been done when the equipment was first installed.

The client now has visibility into their environment that they've never had before. They receive regular reporting. They know what's in their network, how it's configured, and what would happen if something changed without authorization.

That's what managed actually means.

The Takeaway

Paying for managed security and having managed security are not the same thing.

The gap between them is invisible until it isn't.

If you haven't had an independent review of your network environment, you don't know which side of that gap you're on. Your current vendor may be doing excellent work. Or you may be in the same position this client was in: fully exposed, fully unaware, and paying for protection that exists only on an invoice.

The ask is simple: verify.

If you want a second set of eyes on your environment, no sales pitch, no pressure, we're happy to take a look. We'll tell you exactly what we find.

Borked PC is a cybersecurity and managed IT firm serving small and mid-sized businesses in Pennsylvania. We specialize in environments where the stakes are real and the complexity has been underestimated.

👉 New to Borked PC? Start by filling out our quick Right Fit Questionnaire to see if Borked PC could be the right IT and Cybersecurity Partner for you.

📞 Or schedule a free 15-minute call at a time that works for you: Book a call

Prefer to talk now? Give us a call at (610) 599-6195.