In doing our market research to develop VulScan, we surveyed thousands of Managed Service Providers (MSPs) — and, separately, hundreds of IT Pros who work inside corporate IT departments — to learn how many actually perform vulnerability scans, how frequently they do it, and why. Surprisingly, the results from both groups were remarkably similar.
The MSPs we surveyed collectively manage so many different client sites that they see more (and often experience more) than the average multifunctional IT professional working inside a given corporate IT department. But the IT pros we talked to also come from a wide range of environments, from small organizations with fewer than 50 endpoints to huge corporate behemoths with more than 10,000.
On this page we summarize the results from the MSP survey first, and then share what the IT Pros from internal IT organizations had to say. Take a look at the results, but please note that this is copyrighted information. You can share this information with others, provided you cite “RapidFire Tools 2021 Vulnerability Scanning Survey” and provide a link back to this page.
According to our survey, more than half of MSPs say they don’t do vulnerability scanning. A small percentage of these MSPs have SOCs, SIEMs or other cybersecurity solutions that provide protection, but the majority rely on firewalls and anti-malware/anti-virus software to protect their clients.
Following up with the MSPs who said they do vulnerability scanning, less than 25 percent perform the scans for all their clients. More than half said they only perform scans for larger clients. The remaining 25 percent gave a wide range of responses including: they only perform scans for selected clients who pay for premium security services; they provide it to clients that request it as part of a compliance requirement; they provide it to clients that purchase it; they offer it only as part of an initial assessment.
According to the National Institute of Standards and Technology (NIST), the recommended frequency of vulnerability scans is monthly, and 25% of our respondents who do scans reported following that recommendation. Yet there’s a huge range in the frequency of scans. About 1 in 4 MSPs scan their clients’ networks more frequently than monthly, while the remaining half scan less frequently.
There are a lot of obstacles that get in the way of MSPs performing regular vulnerability scanning on all client networks. Some find scans are too complicated and take too much time. Others have issues with the reports that come out of the scan results. But, by far, cost is the biggest issue. MSPs told us most of the IV scanning vendors charge so much that it’s too expensive to absorb as part of their general managed services fee, and it costs more than their clients are willing to pay.
How much is cost a barrier for MSPs to provide the extra layer of cybersecurity protection to every client? When asked if they would perform vulnerability scans more frequently and/or for more clients . . . if it were more affordable . . . almost 8 out of 10 MSPs said they would.
If you are among the majority of MSPs who don’t perform vulnerability scans — or spend so much that you have to limit which clients you do it for and how frequently — VulScan is your solution. The subscription price is so low you can immediately add monthly vulnerability scanning to enhance your base managed service contract and then use the results to sell additional cybersecurity services.
We had hundreds of survey responses from IT Pros who are responsible for the computers and networks within their organization’s IT departments. Of those, 47% describe themselves as multi-functional IT professionals, 13.5% identified themselves as specialized internal IT professionals (e.g., web-dev, security, network admin), and the rest were in IT management. And, as you can see from the chart below, they come from a wide range of different-sized organizations.
According to our survey, the response pool was almost equally split among three vulnerability scanning scenarios. A total of 31% say they do their own vulnerability scanning, while another 35% outsource the vulnerability scanning to MSPs. But another 33% say they don’t do any regular vulnerability scanning . . . and surprisingly, this latter group is comprised of an equal mix of larger and smaller organizations.
Not surprisingly, similar to the results from the MSP survey, there is a wide range of scan frequency among those IT Pros who do vulnerability scans. About 40% of our respondents said they scan at least monthly . . . with 1/4 of that total performing weekly scans and another 1/4 of them performing daily scans. On the opposite end of the spectrum, another 30% only scan once per year or on an ad hoc basis. The single largest frequency band from the survey is Quarterly, representing about 1 in 5 respondents.
IT Pros at companies of every size face the very same issues as the MSPs we surveyed: They know the importance of vulnerability management, but the high cost is limiting them. First we asked the IT Pros who already do vulnerability scans. About 60% of those respondents say they would run scans more frequently and/or scan more assets if scanning were more affordable . . .
We then asked the one-third of IT Pros who don’t do regular vulnerability scans why they don’t scan the computers on their own networks. Absurdly, more than 21% of these respondents said their companies don’t need it. But, just as with the MSPs, 60% of these respondents attribute it to the high cost (saying either it’s too expensive, or their company won’t pay for it). Meanwhile, nearly 1/3 said that vulnerability scanning is too complicated, while 13% feel the results are not reliable.
If you are among the majority of IT Pros who don’t perform enough vulnerability scans — or, perhaps, who don’t perform vulnerability scans at all — VulScan is your solution. The subscription price is so low you can immediately add internal and external vulnerability scanning to every asset on every network you manage for one low fixed fee.