A recent report found that attackers now take just 29 minutes, on average, to move from initial access to spreading across a network. In some cases, it’s happening in under a minute.
That’s a significant shift from even a few years ago, and it changes how organizations need to think about risk.
What stands out most isn’t just the speed; it’s how access is happening in the first place. Attackers aren’t forcing their way in through vulnerabilities or malware. They’re using legitimate credentials and operating inside environments as if they belong there.
The shift toward identity-based access
For a long time, cybersecurity strategies focused on keeping attackers out by blocking malicious software and patching systems. Those controls are still important, but they don’t address what happens when someone logs in with valid credentials.
According to the report:
- 35% of cloud-related incidents involved legitimate accounts
- 82% of detections were malware-free
In those scenarios, activity often looks normal because, technically, it is. The systems are being accessed the way they were designed to be used, just not by the right person.
Why speed is increasing
Once access is established, attackers are moving quickly and with purpose. They are mapping environments, identifying systems of interest, and moving laterally across networks in a matter of minutes.
In one instance, data exfiltration began just four minutes after initial access.
That pace leaves very little room for traditional detection and response processes to catch up, especially when the activity doesn’t immediately appear suspicious.
A practical risk that often gets overlooked
One of the things we see regularly is how much useful information is physically exposed on equipment.
It’s common for devices to be labeled with asset tags, device names, IP addresses, or other internal identifiers. From an operational standpoint, that makes sense. It helps teams manage inventory and troubleshoot issues.
At the same time, that information can provide a clearer picture of how an environment is structured. If someone already has access through valid credentials, even small details like naming conventions or network identifiers can help them move more efficiently.
It’s not usually viewed as a security issue, but in the context of how attacks are happening today, it plays a role.
Where this connects to SEAM
If attackers are relying more on trusted access and less on traditional intrusion methods, then reducing risk comes down to controlling what is exposed and how systems are managed over time.
That includes more than just login security. It also involves how assets are tracked, what information is visible, and how equipment is handled throughout its lifecycle.
SEAM works with organizations to bring more control and visibility to that process by helping:
- Maintain accurate asset tracking
- Limit unnecessary exposure of system-level details
- Ensure devices are properly managed and retired
- Prevent sensitive data from leaving with equipment
In many cases, the goal isn’t to stop a single event. It’s to remove the small gaps that, over time, make movement easier once access is gained.
The speed of attacks is increasing because the barrier to entry is lower when valid access is involved. At that point, it’s less about whether someone can get in and more about how easily they can move once they do.
If you’re looking to tighten up security around your devices, data, and overall asset management process, SEAM can help.
Clint Parsons is the Director of Strategy and Information at SEAM, specializing in building partnerships with businesses of all sizes. He ensures clients effectively navigate secure data destruction and responsible recycling, and maximize the resale value of their IT equipment, while staying compliant with evolving regulations.