We Analysed 60,000 UK Endpoints: The Hidden Cyber Risk in Your Leased Line

AMVIA's analysis of 60,000 business endpoints connected via leased line infrastructure found that organisations with dedicated internet connections frequently have weaker perimeter security than those on standard broadband — because the leased line creates a false sense of security.

Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

The Leased Line Security Paradox

Leased lines are often associated with security as well as performance. A dedicated, uncontended circuit feels inherently more secure than shared broadband infrastructure — and in some respects, it is. But the data we have gathered from client and prospect environments over several years points to a consistent and underappreciated risk: organisations with leased lines frequently have weaker endpoint and perimeter security configurations than comparable organisations on standard broadband.

The mechanism is cultural rather than technical. Having a leased line creates a perception of infrastructure quality that, in some organisations, translates into complacency about the controls that sit on top of that infrastructure. The circuit is excellent. The firewall protecting it is inadequate. The endpoints connecting through it are unpatched. The combination — high-quality connectivity with poor security controls — is a materially worse risk profile than moderate-quality connectivity with strong controls.

What the Endpoint Data Shows

Across the environments we have assessed, the most consistent findings for leased line-connected organisations include:

  • Outdated firmware on network equipment: Routers, switches, and firewall appliances running firmware versions released two or more years ago, missing multiple security patches. This is particularly common with equipment installed by a connectivity provider and not subsequently maintained by the organisation's IT team.
  • Permissive firewall rulesets: Firewall rules that were opened for a specific purpose — a software rollout, a temporary project requirement — and never closed. Over time, these accumulate into a firewall that is technically present but provides limited actual protection.
  • Missing endpoint detection and response (EDR): Endpoints relying on basic antivirus with no behavioural monitoring or response capability. Basic antivirus has an acknowledged detection gap for modern malware that uses fileless techniques or exploits trusted applications.
  • No multi-factor authentication on remote access: VPN access authenticated by username and password alone, without a second factor. This is one of the most exploited configurations in corporate environments.
  • Unmanaged devices on the network: Personal or contractor-owned devices accessing the network without endpoint compliance checks, bypassing security controls that apply to managed devices.

Why Leased Lines Create a Specific Risk Context

The technical characteristics of a leased line create a specific security context that differs from shared broadband:

A leased line typically delivers a static public IP address as standard. Static IPs are required for VPNs, hosted services, and remote access infrastructure — but they are also permanently visible on the public internet. A server or firewall behind a static IP is continuously observable to automated scanning tools used by threat actors. Any service listening on that IP — open ports, default management interfaces, unpatched VPN appliances — is a potential attack surface.

This is not a reason to avoid leased lines. It is a reason to ensure the security controls at the perimeter are proportionate to the permanence and visibility of the connection.

The Most Common Exploitable Configurations

Exposed Management Interfaces

Network equipment such as firewalls, switches, and routers often has a web-based management interface enabled by default. When this interface is accessible from the public internet, it represents a direct attack surface. Multiple widely used firewall and VPN products have had critical vulnerabilities in their management interfaces exploited at scale in the past two years, including Fortinet, Palo Alto, and Citrix products.

Unpatched VPN Appliances

VPN appliances that have not been updated regularly are consistently among the most common initial access points in ransomware attacks. The NCSC has issued multiple advisories specifically about this risk. Patching VPN appliances within days of a critical vulnerability disclosure — not weeks or months — is essential for leased line-connected organisations with public-facing VPN infrastructure.

Flat Network Architecture

Many SME networks are flat — all devices on the same network segment, with no internal segregation. This means a compromised endpoint has direct access to every other device and server on the network. Network segmentation (VLANs separating user devices, servers, and management traffic) significantly limits the damage an attacker can do after gaining initial access.

What to Do About It

Organisations with leased line connections should treat their perimeter security review as a regular operational process, not a one-time exercise. Specifically:

  • Audit firewall rules quarterly and close any rules that are no longer required
  • Enable automatic firmware updates on network equipment or schedule monthly manual updates
  • Remove management interfaces from public internet access — they should be accessible only from specific internal IPs or via a VPN
  • Deploy EDR on all endpoints, not just traditional antivirus
  • Enforce MFA on all VPN and remote access infrastructure
  • Implement network segmentation to limit lateral movement after a breach
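The first and third checks in this list can be scripted against a ruleset export. The sketch below is an added example, not AMVIA tooling: the CSV column names, the management port list and the 90-day idle threshold are assumptions, and the sample rules are constructed using documentation address ranges.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_RULES = """\
id,action,source,dest,port,comment,last_hit
10,allow,0.0.0.0/0,203.0.113.10,443,public website,2026-02-27
20,allow,0.0.0.0/0,203.0.113.1,8443,firewall admin GUI,2026-02-20
30,allow,0.0.0.0/0,203.0.113.20,3389,TEMP software rollout,2024-11-02
40,allow,10.20.0.0/24,203.0.113.1,22,admin VLAN to firewall,2026-02-25
50,allow,198.51.100.7/32,203.0.113.30,5060,SIP trunk,2025-06-14
60,deny,0.0.0.0/0,0.0.0.0/0,any,default deny,2026-02-28
"""

MGMT_PORTS = {"22", "23", "3389", "8443"}  # assumed admin/remote-management ports
STALE_DAYS = 90                            # assumed: one quarter without a hit


def audit(rules_csv, today):
    """Return {rule_id: [issues]} for allow rules that need review."""
    findings = {}
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["action"] != "allow":
            continue
        issues = []
        # A /0 source means the rule accepts traffic from the whole internet.
        from_anywhere = ipaddress.ip_network(rule["source"]).prefixlen == 0
        if from_anywhere and rule["port"] in MGMT_PORTS:
            issues.append("management port open to internet")
        if from_anywhere and rule["port"] == "any":
            issues.append("all ports open to internet")
        # Rules opened for a past project show up as long-idle entries.
        idle = (today - date.fromisoformat(rule["last_hit"])).days
        if idle > STALE_DAYS:
            issues.append(f"no hits for {idle} days")
        if issues:
            findings[rule["id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit(SAMPLE_RULES, date(2026, 3, 1)).items():
        print(rule_id, "; ".join(issues))
```

Rules 20, 30 and 50 are flagged in the sample; rule 40 passes because the admin port is reachable only from an internal subnet.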

AMVIA provides security assessments specifically designed for leased line environments, covering perimeter configuration, endpoint posture, and access control — giving organisations a clear picture of where their connectivity investment is exposed.
