Common Network Vulnerabilities Pen Tests Uncover and How to Fix Them

 

A network penetration test is one of the fastest ways to find out whether your business is actually secure or just hoping for the best. It gives you a real-world view of how an attacker could move through your environment, what they could reach, and where your weakest points are. Northern Star positions penetration testing as a practical, ongoing way to uncover weaknesses, prioritise risk, and strengthen your wider security controls rather than relying on one-off point-in-time checks. 

That matters because cyber risk in the UK is still very real. The UK government’s Cyber Security Breaches Survey 2025 found that 43% of businesses reported a cyber breach or attack in the previous 12 months, rising to 67% of medium businesses and 74% of large businesses. It also found that the average self-reported cost of the most disruptive breach was £1,600 per business, or £3,550 if you exclude organisations that reported no direct cost. 

What a network pen test usually finds

A good pen test does not just list technical issues. It shows you how those issues connect. A forgotten remote access service, a reused admin password, and a flat internal network may look like three separate problems on paper, but together they can give an attacker a very easy path in.

Below are some of the most common network vulnerabilities pen tests uncover and the practical fixes that make the biggest difference.

1. Open ports and unnecessary exposed services

One of the first things testers often find is more internet-facing exposure than you expected. That might be RDP, VPN portals, admin consoles, file transfer services, old web interfaces, or test systems that were never removed.

The problem is not just that the service exists. It is that every exposed service increases your attack surface. If it is outdated, badly configured, or protected by weak login controls, it becomes an obvious place to start.

How to fix it:

  • Remove anything that does not need to be public
  • Restrict access by IP where possible
  • Put admin interfaces behind VPN or zero trust access controls
  • Review firewall rules regularly
  • Decommission legacy systems instead of leaving them reachable “just in case”

The NCSC still treats firewalls and secure configuration as two of the core technical controls every organisation should get right, which tells you how often these basics still fail in practice.

2. Default, weak, or reused passwords

This is still everywhere. Pen tests regularly uncover default credentials on firewalls, switches, printers, NAS devices, Wi-Fi controllers, and internal admin tools. Even where defaults are gone, weak or reused passwords often remain.

Once a tester gets one valid set of credentials, they will try to reuse them elsewhere. If the same password works across multiple systems, your risk rises quickly.

How to fix it:

  • Remove all default passwords immediately
  • Enforce unique passwords for admin and service accounts
  • Use a password manager
  • Block common and previously breached passwords
  • Separate admin accounts from day-to-day user accounts

The NCSC advises against predictable passwords and supports the use of password managers, while current Cyber Essentials requirements specifically call out default passwords and pre-enabled accounts as common weak points. 

3. Missing MFA on remote access and admin accounts

A pen test will often reveal that a business has some MFA in place, but not where it matters most. For example, users may have MFA on Microsoft 365, but not on VPN, privileged accounts, RDP gateways, firewall administration, or third-party remote support tools.

That gap is exactly what attackers look for. If they steal a password through phishing, they will test it against remote access first.

How to fix it:

  • Enforce MFA on all internet-facing services
  • Prioritise privileged and administrative accounts
  • Include VPN, email, cloud platforms, remote support, and firewall logins
  • Prefer phishing-resistant MFA where possible
  • Review legacy systems that cannot support MFA and put compensating controls around them

This lines up with NCSC guidance on stronger authentication and with Cyber Essentials requirements that now place even more weight on MFA for higher-risk access. 

4. Poor patching and unsupported software

Unpatched operating systems, outdated firmware, and old network appliances are some of the easiest wins in a pen test. Attackers do not always need a sophisticated zero-day. Quite often, they use known vulnerabilities that have had fixes available for months.

This gets worse when older systems are left running because “they still work”. From a business point of view, that can feel economical. From a security point of view, it can be expensive very quickly.

How to fix it:

  • Maintain a proper asset inventory
  • Patch internet-facing systems first
  • Apply firmware updates to firewalls, switches, and wireless kit
  • Replace unsupported operating systems and end-of-life devices
  • Build patching into a routine rather than treating it as a one-off project

The NCSC’s guidance is clear that exploiting known vulnerabilities remains a common route into organisations, and that vulnerability management has to be continuous. 

5. Flat networks and weak segmentation

Many businesses still have networks where users, servers, printers, Wi-Fi, and sometimes even backup systems all sit too close together. A pen test may show that once someone lands on one device, they can move sideways far too easily.

That is how a small compromise turns into a serious incident. One infected laptop should not lead to domain-wide access.

How to fix it:

  • Segment users, servers, guest Wi-Fi, VoIP, IoT, and backups
  • Limit east-west traffic between VLANs
  • Restrict admin protocols to specific management networks
  • Review SMB, RDP, PowerShell remoting, and shared admin tools
  • Use least privilege access controls throughout

The NCSC’s network security guidance and lateral movement guidance both support designing networks so that compromise in one area does not automatically expose the rest.

6. Misconfigured firewalls and overly broad rules

You might have a firewall, but that does not automatically mean you are well protected. Pen tests often reveal “allow any” rules, old exceptions nobody remembers adding, insecure outbound access, or internal trust relationships that are far too generous.

A firewall should reflect how your business works now, not how it worked 5 years ago.

How to fix it:

  • Review inbound and outbound rules properly
  • Remove old temporary exceptions
  • Document why each rule exists
  • Restrict management access
  • Log and monitor changes

In the Cyber Security Breaches Survey 2025, changing or updating firewalls and system configurations was one of the top security actions organisations said they had taken, which shows this is still an active and necessary area of work. 
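As a worked illustration of the rule review described above, the following Python sketch flags “allow any” rules, management ports open to any source, undocumented rules, and expired temporary exceptions. It is an added example, not Northern Star's tooling; the CSV column layout, the sample rules, and the set of management ports are assumptions made for the example.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample export. The column layout is an assumption for this
# example, not any vendor's format; addresses are documentation ranges.
RULES_CSV = """id,action,src,dst,port,comment,expires
10,allow,0.0.0.0/0,203.0.113.10/32,443,Public website,
20,allow,0.0.0.0/0,0.0.0.0/0,any,,
30,allow,198.51.100.0/24,10.0.5.20/32,3389,TEMP supplier access,2021-03-31
40,allow,0.0.0.0/0,10.0.0.1/32,22,Firewall admin,
50,allow,10.0.9.0/24,10.0.0.1/32,22,Firewall admin from mgmt VLAN,
60,deny,0.0.0.0/0,0.0.0.0/0,any,Default deny,
"""

MGMT_PORTS = {"22", "3389", "8443"}  # assumed admin ports for this example


def is_any(cidr):
    """True when the CIDR covers every address (prefix length 0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit_rules(csv_text, today):
    """Return {rule_id: [issues]} for allow rules that need review."""
    findings = {}
    for rule in csv.DictReader(io.StringIO(csv_text)):
        if rule["action"] != "allow":
            continue  # deny rules cannot widen exposure
        issues = []
        any_src = is_any(rule["src"])
        if any_src and is_any(rule["dst"]) and rule["port"] == "any":
            issues.append("allow-any")
        if any_src and rule["port"] in MGMT_PORTS:
            issues.append("unrestricted-management")
        if not rule["comment"].strip():
            issues.append("undocumented")  # nobody recorded why it exists
        if rule["expires"] and date.fromisoformat(rule["expires"]) < today:
            issues.append("expired-exception")  # temporary rule left in place
        if issues:
            findings[int(rule["id"])] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(RULES_CSV, date.today()).items():
        print(rule_id, ", ".join(issues))
```

Running the same check on every configuration export turns the review into a routine comparison rather than a one-off clean-up.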

7. Insecure wireless and guest access

Wireless security issues still come up more than many businesses expect. Common findings include weak PSKs, shared credentials, guest networks bridged too closely to internal systems, and old encryption settings left in place for compatibility.

How to fix it:

  • Separate guest Wi-Fi from corporate access
  • Use strong encryption and modern wireless standards
  • Rotate shared keys or move to certificate-based access where appropriate
  • Remove unmanaged devices from trusted internal segments
  • Review who really needs access to what

8. Excessive privileges and poor admin hygiene

Pen tests often show that too many users have local admin rights, service accounts have more access than they need, or old accounts remain active long after they should have been removed.

This makes privilege escalation much easier than it should be.

How to fix it:

  • Remove unnecessary admin rights
  • Audit privileged groups regularly
  • Disable stale accounts quickly
  • Use separate named admin accounts
  • Review service account permissions and rotate credentials
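The account audit in the list above can be scripted against a directory export. This Python sketch is an added example, not code from the article; the record layout, account names, group names, and the 90-day and 365-day thresholds are all assumptions chosen for illustration.

```python
from datetime import date

STALE_DAYS = 90     # assumed inactivity threshold; the article sets none
ROTATE_DAYS = 365   # assumed maximum age for a service account credential
PRIV_GROUPS = {"Domain Admins", "Local Admins"}  # assumed group names

# Constructed directory export:
# (name, kind, groups, enabled, last_logon, password_set)
ACCOUNTS = [
    ("adm-jsmith", "admin", {"Domain Admins"}, True, date(2025, 5, 20), date(2025, 1, 10)),
    ("jsmith", "user", {"Staff"}, True, date(2025, 5, 30), date(2025, 2, 1)),
    ("mbrown", "user", {"Staff", "Local Admins"}, True, date(2025, 5, 28), date(2025, 3, 3)),
    ("old.contractor", "user", {"Staff"}, True, date(2024, 6, 1), date(2024, 1, 15)),
    ("leaver", "user", {"Staff"}, False, date(2023, 9, 1), date(2023, 1, 1)),
    ("svc-backup", "service", {"Domain Admins"}, True, date(2025, 5, 31), date(2021, 2, 1)),
]


def audit_accounts(accounts, today):
    """Return {account_name: [issues]} for enabled accounts needing review."""
    findings = {}
    for name, kind, groups, enabled, last_logon, pwd_set in accounts:
        if not enabled:
            continue  # already disabled, nothing left to log in with
        issues = []
        privileged = bool(groups & PRIV_GROUPS)
        if (today - last_logon).days > STALE_DAYS:
            issues.append("stale-enabled")
        if kind == "user" and privileged:
            # day-to-day account holding admin rights instead of a
            # separate named admin account
            issues.append("user-with-admin-rights")
        if kind == "service" and privileged:
            issues.append("privileged-service-account")
        if kind == "service" and (today - pwd_set).days > ROTATE_DAYS:
            issues.append("rotate-credential")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(ACCOUNTS, date.today()).items():
        print(name, ", ".join(issues))
```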

Why fixing the basics still works

There is a reason the NCSC continues to push a small set of core controls through Cyber Essentials: firewalls, secure configuration, security update management, user access control, and malware protection. Those basics still stop a huge amount of common attack activity when they are applied properly. 

A pen test helps you see where those controls look fine on paper but break down in the real world.

FAQs

What is the difference between a vulnerability scan and a pen test?

A vulnerability scan is mostly automated and designed to identify known weaknesses. A pen test goes further. It shows how those weaknesses could actually be exploited, chained together, and used to reach sensitive systems or data.

How often should you run a network pen test?

For many businesses, at least annually is a sensible starting point. You should also test after major changes such as firewall replacements, cloud migrations, office moves, network redesigns, or new remote access deployments.

Does a pen test guarantee you will not be hacked?

No. Nothing can guarantee that. What it does do is help you reduce obvious weaknesses, prioritise remediation, and understand where your real exposure sits today.

Are small businesses really targets?

Yes. The UK government’s 2025 survey found that 43% of businesses overall identified a breach or attack in the previous year, so this is not just a large-enterprise issue. 

What should you fix first after a pen test?

Start with anything internet-facing, high-severity, and easy to exploit. In practice, that usually means exposed services, missing MFA, critical patches, default credentials, and privilege issues.

Final thoughts

If your network has grown over time, there is a good chance it contains more risk than you think. The value of a pen test is not that it produces a long technical report. It is that it shows you what matters most, what an attacker would try first, and where you need to act now.

If you want to strengthen your defences, start with Penetration Testing, review your wider Security Services, and make sure your environment is backed by the right mix of IT Support, Consulting, Cloud Services / Office 365, Migrations, Global Support and International Projects, and Hardware and Software. You can also explore Northern Star’s wider thinking on the importance of penetration testing in cybersecurity, how to spot a phishing email, why EDR matters more than ever, and secure IT defences against cyber criminals.

If you want a clearer picture of where your network is exposed, speak to Northern Star and arrange a penetration test that shows you exactly what needs fixing first.