Cyber threats are on the rise. Have you locked the doors?

We’ve all seen the headlines. Another big company caught in a cyber-attack that “no one saw coming”. The financial costs can be extreme. Customers face the fallout and the company’s reputation is damaged.

But big brands tend to bounce back. What happens when it is a small to medium business, your business, that is brought to its knees? Trading halts, financial costs soar and the trust you have built with your partners over many years is irreparably broken … the impacts can be disastrous.

There are two uncomfortable truths here.

Firstly, every business is at risk. Every size. Every industry. In fact, the Business NSW SME Cyber Security Report highlights that 34% of small and 43% of medium businesses in NSW were targeted in a single year alone.

Secondly, it’s often a simple-to-fix vulnerability that grants access to malicious actors. According to the Verizon DBIR Report 2025, vulnerability exploitation was the second-highest method of known initial access for reported breaches in 2025. This could be a door that is open in your network right now without you knowing.

If you aren’t currently performing vulnerability scanning or need to elevate your cyber security posture, read on.

What are common vulnerabilities in a network?

Vulnerabilities that open the door to your network can take many forms. Some of the most common we see in businesses every day include:

  • Out-of-date operating systems. For example, if you have a device running on Windows 10, it may no longer be getting security patches.
  • Devices that have not been updated, because although this is a risk we all know about, many of us still delay updates.
  • Old, outdated hardware that has not been updated or is no longer supported by the manufacturer – think of that old router you used five years ago.
  • Old applications. Something as simple and routine as iTunes or an Adobe application that hasn’t been updated because you no longer use it could be putting you at risk.
  • Open ports on your network. These could be hosting deprecated, forgotten or out-of-date applications and technologies, which can become a real risk to your business.
  • Operating systems and security misconfigurations, because even small missteps can damage your defensive line.
  • A compromised ‘human firewall’. Informed team members, a strong acceptable use of technology policy and regular reminders and training are pivotal as your people are your first line of defence. It only takes one malicious link in a phishing email to compromise your business-wide network security.

And just to make things more difficult, today’s cyber criminals are using AI and automation to actively scan for vulnerabilities across the internet. According to the 2025 Fortinet Global Threat Landscape Report, active scanning reached unprecedented levels in 2024, making it a risk for every business.

These criminals aren’t specifically targeting your business. It’s opportunistic. Their AI and automation tools find a vulnerability and they exploit it or sell it to someone who will, so don’t be the lowest hanging fruit.

What does vulnerability scanning do?

Vulnerability scanning uses a dedicated tool to scan your entire network, looking for potentially vulnerable entry points that cyber criminals can target to gain access to your data.

It checks your network (every device, every application) against an exhaustive vulnerability database to identify where you are open to risk. Once the scan is done, it provides you with a severity rating, known as a CVSS score, for each vulnerability to help you prioritise remediation.

When your first vulnerability report arrives, don’t panic. Every business — even those with strong IT — will uncover issues the first time they scan. This is absolutely normal and highlights the need for dedicated tools for vulnerability management. It’s much better that you find them now than someone with malicious intent later. 

Following this first scan, regular scanning is a must, as vulnerabilities are ever evolving and will continue to be discovered. In fact, more than 40,000 vulnerabilities were disclosed in 2024 alone, representing a 39% increase over 2023. We perform routine vulnerability scanning for our clients in the background, so nothing changes for you. Larger, detailed scans can be done overnight, so it’s all business as usual.

What happens after vulnerabilities are found?  

The key is to prioritise, using the CVSS to focus on what matters most. Critical items should be addressed immediately, while medium and low severity findings can be scheduled into routine maintenance. Not every high score is high risk for your specific business, so it’s important to assess each item in context.

From there, it’s about choosing the right remediation path and making it a business conversation, not just an IT one. Fixes may involve patching, removing outdated applications, closing misconfigured ports or, in some cases, documenting a known risk when remediation isn’t operationally feasible.

What matters most is clear ownership, visibility and ongoing monitoring to ensure risks are addressed before a malicious actor finds them.
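
The prioritisation described above, sketched as an added example (not MicrotechDPS tooling): it maps each CVSS score to its standard qualitative severity band, then uses business context to decide which high-scoring findings are urgent. The field names, action labels and sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative bands: (lowest score in band, label)
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
ORDER = {"immediate": 0, "routine maintenance": 1, "documented risk": 2, "no action": 3}

@dataclass
class Finding:
    asset: str
    issue: str
    cvss: float                     # base score from the scanner report
    internet_facing: bool = False   # context from your own asset inventory (assumed field)
    business_critical: bool = False # assumed field
    risk_accepted: bool = False     # remediation not feasible, risk documented

def band(score: float) -> str:
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "none"

def action(f: Finding) -> str:
    sev = band(f.cvss)
    if sev == "none":
        return "no action"
    if f.risk_accepted:
        return "documented risk"
    if sev == "critical":
        return "immediate"
    # A high score is urgent only where exposure or business impact makes it so.
    if sev == "high" and (f.internet_facing or f.business_critical):
        return "immediate"
    return "routine maintenance"

def triage(findings):
    """Return (action, asset, cvss) rows, most urgent first, then by score."""
    rows = [(action(f), f.asset, f.cvss) for f in findings]
    return sorted(rows, key=lambda r: (ORDER[r[0]], -r[2]))

# Constructed sample findings, not output from any real scan.
SAMPLE = [
    Finding("test-laptop", "outdated media player", 7.8),
    Finding("router-01", "unsupported firmware", 9.8, internet_facing=True),
    Finding("web-01", "weak TLS cipher enabled", 5.3, internet_facing=True),
    Finding("file-server", "missing OS patches", 8.1, business_critical=True),
    Finding("cnc-controller", "legacy OS required by vendor", 6.5, risk_accepted=True),
    Finding("printer-02", "verbose service banner", 2.6),
]

if __name__ == "__main__":
    for act, asset, score in triage(SAMPLE):
        print(f"{act:20} {asset:15} {score}")
```

Both high-severity findings land in different queues here: the file server is business-critical, the test laptop is not.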

Can my in-house IT person look after vulnerability scanning?

When we first run a vulnerability scan, business owners and managers often look to their IT person – why didn’t you know about this? But the reality is that scanning and management of vulnerabilities can’t be done well without the help of a dedicated toolset or an experienced security team.

Think of it as cyber security engineering. Just as would-be attackers have sophisticated automated tools to find vulnerabilities, you need the same in your line of defence to identify them first.

There have been instances of vulnerabilities being disclosed to the public and within days those same vulnerabilities are being actively used to exploit businesses. This is why the speed of discovery is so important.

Hiring an in-house specialist is not usually viable for most SMEs, and vulnerability toolsets can be expensive and difficult to manage. Working with a partner is much more cost-effective and is scaled for your business size and needs.

How do I get started with vulnerability scanning for my business?

We can work with you to execute the right defensive strategy for your business. We guide you through a simple, proven process that quickly identifies your assets, assesses the risks, prioritises what matters, and helps you fix and verify vulnerabilities, so you can protect your data, your customers, your people and your business with confidence.

At the end of the day, vulnerability scanning isn’t a nice-to-have; it’s a necessary defence against weaknesses in your network that cyber criminals can exploit. And with new vulnerabilities emerging every day, businesses face increasing pressure to stay ahead of potential threats.

So don’t sit on this one. It’s time to find and close any open doors that are putting your business at unnecessary risk. Get in touch to get started.

Written by David Landgren, Head of IT, MicrotechDPS
