Why free ASM scans are not enough
According to a study by the University of Maryland, a cyber attack occurs roughly every 39 seconds on a public website, which translates to an average of 2,244 attacks per day.
This means that hackers can potentially attack a public website multiple times every minute.
What’s worse is that a large percentage of these websites are owned and operated by small and medium-sized businesses, as well as state/local governments. Over the years we have gone from cyberattacks focusing on large, enterprise computing sites to cyberattacks on virtually every business and governmental entity.
To help organizations defend against these attacks, many states have effective and well-organized IT organizations that provide an array of critical services to their members. Many of them offer free attack surface scanning technology, which helps organizations examine the security of their attack surface.
But attack surface scanning has gone from a supplemental security practice utilizing tools from benevolent organizations, to an essential element of “always on” network security vigilance. And while free ASM tools are an absolute benefit to member organizations, they typically are not architected to provide persistent attack surface assessment and monitoring.
Why are free scans not enough?
It’s because of the “39 seconds between attacks” – small and medium-sized organizations are increasingly vulnerable, and increasingly under attack:
- Accenture’s Cybercrime study reveals that nearly 43% of cyber-attacks focus on small businesses.
- Only 14% of these SMBs are prepared to effectively defend against such an attack.
- The next two years are due to see a 15% increase in cybercrime.
Over the past ten years the nature and composition of an organization’s attack surface has changed dramatically. The broad adoption of cloud computing has introduced a dynamic fabric of endpoints. Combined with the ongoing fluid nature of remote and in-office computing, this leaves organizations managing an ever-changing attack surface.
And time is simply not on the side of SMBs and state/local governments. According to the Sophos Active Adversary Report, in the first half of 2024 attackers took about 17 hours to reach an Active Directory, and the dwell time between AD acquisition and attack detection was 29 hours (down from 48.43 hours in 2023). Organizations simply cannot rely on annual or even monthly attack surface scans. The time has come for frequent, on-demand scans.
Why SMBs and State/Local Governments Are At-Risk
It should come as no surprise that 46% of all digital breaches affect businesses with 1,000 or fewer employees. The growth of the threat is outpacing their ability to effectively defend against it.
According to the 2024 State of CyberSecurity survey by ConnectWise and Vanson Bourne:
- 78% of SMBs today are worried about cyber attacks,
- 83% are planning to invest more in cybersecurity over the next year, and
- 76% say that their organization would be unable to deal with cybersecurity issues effectively without external support.
Yet 70% of organizations do not (yet) prioritize proactive investment in cybersecurity protections – meaning they remain vulnerable, and in many cases are waiting for a security incident to act. With the growing volume of threat activity, organizations cannot afford to remain complacent. (Source: Accenture State of Cybersecurity Resilience 2023)
What this means is that these organizations need more than assessment solutions that are actively enhanced to address the changing nature of the threat landscape. They need assessment as well as remediation – identifying a vulnerability is not helpful without remediating it.
Dedicated attack surface assessment solutions – like Mirrored Defense – provide risk assessments as well as remediation resources. Given the rapidly changing threat landscape, it is critical that threat assessment solutions are continuously improved, and remediation resources enhanced, to keep ahead of threats.
The era of annual ASM scans is over. The era of monthly scans is over. Organizations need to know by day and week how secure their network surface is. And they need the resources to pinpoint vulnerabilities AND the resources to deliver remediation.
Get started today. Get Mirrored Defense.
About Mirrored Defense
We’re on a mission to make enterprise-grade security accessible to organizations of all sizes. Our community-driven approach turns the tables on attackers by giving you the same visibility they already have.