SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Routine internal access, not exploits, drives cyber risk

Wed, 4th Feb 2026

Zero Networks has published research that links the largest business cyber risks to routine internal access rather than rare software vulnerabilities or specialised malware. The company said the findings point to a security strategy that focuses on restricting what attackers can reach after initial access.

The research draws on analysis of 3.4 trillion activities across 400 enterprise environments over a year, based on customer environments and verified penetration testing engagements. Zero Networks said the data showed business impact depended less on the initial breach mechanism and more on the speed and scale of lateral movement inside an organisation's IT estate.

According to the research, lateral movement during a successful attack can compromise more than 60% of an IT environment in under an hour after initial access. Zero Networks also said a single compromised system could reach a median of 85% of internal systems in one hop, and effectively all systems in a second hop. The company reported an average time to compromise of 48 minutes, which it said reduced the time available to respond.

Legitimate pathways

Zero Networks said threat activity often blended into normal administrative behaviour and appeared legitimate. The company said attackers did not require a wide range of techniques to achieve material impact.

The research found that 71% of observed threat activity used common management protocols such as SMB, RDP, WinRM and RPC. Zero Networks said these protocols were widely deployed in Microsoft-based enterprise environments. The company also said organisations relied on them for day-to-day operations and business continuity.

Zero Networks highlighted lower-frequency detections that it associated with higher-impact risk. It said Microsoft SQL Server represented about 3% of detections and ranked ninth. It said System Center Configuration Manager represented 2% of detections and ranked tenth. It said Active Directory Web Services represented 2% of detections and ranked eleventh. The company said access to these systems could signal potential control over databases, endpoint management, or identity infrastructure.

Policy focus

The publication comes as the UK considers changes to cyber security rules for organisations that provide critical services. The UK Cyber Security and Resilience Bill has also raised questions about how regulators and operators define resilience in operational terms.

Zero Networks said its findings offered direction for organisations covered by DORA and NIS2. The company also referenced the proposed UK legislation as a driver for operational resilience planning that assumes breaches will occur.

"What our data analysis confirms in theory - and what recent successful attacks such as those on Jaguar Land Rover, Marks & Spencer and multiple London councils confirm in practice - is that resilience is key," said Albert Estevez Polo, Field CTO, EMEA, Zero Networks.

Estevez Polo also pointed to the role of automation in expanding the scale of threats. "And AI-enabled attacks are only going to accelerate the scale of the issue," said Polo.

Containment measures

Zero Networks argued for controls that limit lateral movement, with a focus on preventing intruders from moving from one system to another after they gain an initial foothold. The company framed this as a shift away from strategies built mainly around blocking entry.

"Modern cyber resilience depends on limiting lateral movement: containing threats at their point of entry and preventing them from spreading across the environment. By reducing the blast radius of a breach, organizations protect critical assets, maintain operational continuity, and remain resilient even when defenses are bypassed. Simply put, if you don't know your blast radius, you don't have a cyber resilience plan," said Polo.

In its submission to UK lawmakers, Zero Networks argued for a definition of resilience that emphasised ongoing operations under attack. "Resilience must be defined as the ability to largely continue operations - not simply to survive and recover at some unknown point in the future. Some may see this as prescriptive, but for critical national infrastructure in particular, this capability must be mandatory," said Polo.

The findings arrive amid continued scrutiny of how organisations manage internal privileges, remote access, and administrative tooling. Zero Networks said the most dangerous activity often looked like normal management traffic, which increased the importance of restricting access paths between systems.

The company's research said the main risk factor lay in how organisations configured internal connectivity and permissions. It said the combination of widely available management protocols and broad reachability between systems reduced the effectiveness of last-minute response once an attacker gained initial access.

As lawmakers and regulators work through the detail of resilience obligations, Zero Networks said organisations should measure how far an attacker could move inside their environment after a compromise and treat that as a core operational risk metric.
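The one-hop and two-hop reachability figures quoted above are a graph measurement. The following added example (not Zero Networks' tooling; hostnames, allow rules and both policies are constructed for illustration) computes that blast-radius metric from a set of firewall-style allow rules, counting only paths over the management protocols the research names, and contrasts a flat estate with a segmented one.

```python
"""Blast radius: fraction of an estate reachable from one compromised host in N hops
over management protocols (SMB, RDP, WinRM, RPC). Constructed example data."""
from collections import deque

MGMT_PROTOCOLS = {"SMB", "RDP", "WinRM", "RPC"}
HOSTS = ["ws01", "ws02", "ws03", "jump01", "file01", "sql01", "sccm01", "dc01"]
WS = ["ws01", "ws02", "ws03"]
SERVERS = ["file01", "sql01", "sccm01", "dc01"]


def build_edges(rules):
    """Expand (sources, destinations, protocols) allow rules into src -> {dst}.
    Rules that permit only non-management protocols (e.g. HTTPS) are ignored."""
    adj = {h: set() for h in HOSTS}
    for srcs, dsts, protos in rules:
        if not set(protos) & MGMT_PROTOCOLS:
            continue
        for s in srcs:
            adj[s].update(d for d in dsts if d != s)
    return adj


def reach_by_hops(adj, start, max_hops=2):
    """BFS from `start`; returns {hop: fraction of other hosts reachable within hop}."""
    seen, frontier, result = {start}, deque([start]), {}
    for hop in range(1, max_hops + 1):
        nxt = deque()
        while frontier:
            for d in adj[frontier.popleft()]:
                if d not in seen:
                    seen.add(d)
                    nxt.append(d)
        frontier = nxt
        result[hop] = (len(seen) - 1) / (len(HOSTS) - 1)
    return result


# Flat policy: workstations may SMB/RDP anywhere, servers may reach each other.
FLAT_RULES = [
    (WS, HOSTS, ["SMB", "RDP"]),
    (SERVERS, SERVERS + WS, ["SMB", "RPC", "WinRM"]),
    (["jump01"], SERVERS, ["RDP", "WinRM"]),
]
# Segmented policy: admin protocols only from the jump host; workstations see one share.
SEGMENTED_RULES = [
    (WS, ["file01"], ["SMB"]),
    (["jump01"], SERVERS, ["RDP", "WinRM"]),
    (SERVERS, ["dc01"], ["RPC"]),
    (["sccm01"], WS, ["SMB"]),   # endpoint management still pushes to workstations
    (WS, ["sql01"], ["HTTPS"]),  # app traffic, not a lateral-movement path
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, reach_by_hops(build_edges(rules), "ws01"))
```

Running it from a compromised workstation shows the flat policy reaching every other host in one hop, while the segmented policy exposes one file server in hop one and the domain controller in hop two.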