Thanks everyone for the help on this issue. I've been off for a few weeks. In the meantime the business, on my recommendation, has secured a dedicated VPS with a new SQL 2012 standard to replace the 2012 Express instance which shared VSP with the web server.
In my mind this moves the SQL instance back away from the internet/cloud. So the situation has changed hopefully for the better. I'm going to now isolate the connections to the database to three acceptable sources
Bog Application
Web Application
Quant Users
Data Loading Processes
DBA
My question. Given that noone should connect other than these processes, how do I remove the possibility of any other connection which might try a brute force attack?
John
SQL 2012 Standard VPS Windows 2012 Server Standard