Most companies which get hit by a cyber attack are likely to fall victim again – sometimes repeatedly – as many struggle to improve their cybersecurity strategy, even after incidents.
According to research by cybersecurity company Cymulate, 39% of companies were hit by cyber crime over the past 12 months – and of those, two thirds were hit more than once. Of those hit more than once, one in ten fell victim to further cyber attacks ten or more times.
“It wasn’t one and done – in fact, if you were hit, you had much more chance of being hit a second time or multiple times,” Dave Klein, director of cyber evangelism at Cymulate, told ZDNet.
“It’s not like you get hit once and people learned lessons – it really was a situation that your likelihood of being hit again was larger,” he added.
The most common form of cyber crime which the companies surveyed said they fell victim to was malware attacks (55%), followed by ransomware attacks (40%). Other common incidents included distributed denial-of-service (DDoS) attacks and cryptojacking attacks.
For victims of cyber crime, the most common source of attacks is phishing emails targeting end users (56%), which trick them into clicking malicious links that install malware or direct them to fake login pages that steal usernames and passwords.
The second most common attack method was exploiting vulnerabilities in digital supply chains and third-party software connected to the network. In this case a vulnerable supplier could be what allows hackers into the network.
No matter what type of cyber attack companies fell victim to, the research found that in two-thirds of cases, they found themselves falling victim again within a year.
Sometimes this was the same attacker, sometimes it was a different cyber criminal entity altogether – but either way, more attacks were able to disrupt the network because the original cybersecurity weaknesses remained unfixed.
Common cybersecurity protections recommended by experts are applying security updates as quickly as possible and equipping all users with multi-factor authentication (MFA).
Security teams need the budget for work like this, but in many cases boardrooms aren’t willing to provide one – until it’s too late and not only are they paying an IT security budget, they’re also paying to fix the damage done by a cyber attack.
This lack of understanding between boardrooms and information security teams often stems from a lack of communication.
But according to Cymulate’s research, the more often information security and leadership teams meet to discuss cyber threats and risks, the less likely the company will fall victim to a cyber attack – and those who met most often, at least 15 times a year, didn’t suffer security breaches at all.
“When we finally go from awareness to executive involvement, we see a huge difference – there really is a need to be proactive. And it makes a difference in the number of times you get hit,” said Klein.
Alongside applying security patches and using multi-factor authentication, some of the things which companies can do to help protect against falling victim to cyber attacks include phishing awareness campaigns, setting out an incident response plan and regularly updating offline backups.