Why the hell is there any path from the internet to any system?
Layers, and layers, and proper isolation with proper 2FA.
Just yesterday I got a notification from my 2FA about someone trying to log in to a system I work on. Since I didn't know of any scheduled work, I was justifiably concerned, but only a little, since 2FA was blocking them.
Turns out it was a coworker who needed to check something, and was having issues with 2FA.
We can't directly access any of the secure systems from outside - we have to VPN in (2FA), then hit an RDP/SSH server (another 2FA) that gives us control over the more secure systems. No other network traffic is permitted between the secure network and the regular corporate (workstation) network.