Adoption of Vulnerability Management Today

In today’s cybercrime-fueled world, you would assume that most IT professionals are already conducting vulnerability scans. Yet when we surveyed over 1,000 MSPs to learn how they perform vulnerability scans, how frequently they do it, and for which clients, the findings were shocking to say the least. Major insights from the survey include:  

  • More than half the MSPs surveyed don’t perform vulnerability scanning at all.  
  • A small percentage of these MSPs have SOCs, SIEMs or other cybersecurity solutions that provide protection, but the majority rely solely on firewalls and anti-malware/anti-virus software to protect their clients.
  • Among MSPs who perform vulnerability scanning, less than 25% perform scans for all their clients.   

So the vast majority – about 75% of MSPs – perform internal and external vulnerability scans on a selective basis. Here are the main ways they limit which clients get scanned:

  • They only perform scans for larger clients (this represents the largest group)
  • They only perform scans for selected clients who pay for premium security services  
  • They provide it to clients that request it as part of a compliance requirement  
  • They provide it to clients that purchase it  
  • They offer it only as part of an initial assessment  

Most cybersecurity standards tie scan frequency to a number of variables, including the nature of the data being processed and stored. According to the National Institute of Standards and Technology (NIST), vulnerability scans must be performed at least quarterly — regardless of network size or type — and at least monthly for organizations that rely on their computers for day-to-day operations. CIS recommends continuous vulnerability scanning.

However, only 25% of respondents who perform scans reported following that specific recommendation. Various obstacles get in the way of MSPs performing regular vulnerability scanning on all client networks. Some MSPs find scans to be too complicated and time-consuming. Others have issues with the reports generated from the scan results. But the perceived cost is the biggest issue by far, and it is the same complaint we hear from corporate IT departments.

VulScan is priced and packaged to make internal AND external vulnerability scanning affordable enough to scan every asset you manage on a continuous basis, whether you’re an MSP or a corporate IT professional. Vulnerability alerts are generated after each scan, with the system getting “smarter” each time to reduce false positives. 

For more information or to request a demo click here.