Why the hell is there any path from the internet to any system?
Layers, and layers, and proper isolation with proper 2FA.
Just yesterday I got a notification from my 2FA about someone trying to log in to a system I work on. Since I didn't know of any scheduled work, I was justifiably concerned, but only a little, since 2FA was blocking them.
Turns out it was a coworker who needed to check something, and was having issues with 2FA.
We can't directly access any of the secure systems from outside - we have to VPN in (2FA), then hit an RDP/SSH server (another 2FA) that gives us control over the more secure systems. No other network traffic is permitted between the secure network and the regular corporate (workstation) network.
Everyone below VP level is probably OK. Some directors and senior management may suck, but holy shit nothing like a VP. They're the most useless people in a company.