Most companies that get hit by a cyberattack are likely to fall victim again – sometimes repeatedly – as many struggle to improve their cybersecurity strategy, even after incidents.
According to research by cybersecurity company Cymulate, 39% of companies were hit by cybercrime over the past 12 months – and of those, two-thirds were hit more than once. Of those hit more than once, one in 10 fell victim to further cyberattacks 10 or more times.
"It wasn't one and done – in fact, if you were hit, you had much more chance of being hit a second time or multiple times," Dave Klein, director of cyber evangelism at Cymulate, told ZDNet.
"It's not like you get hit once and people learned lessons – it really was a situation that your likelihood of being hit again was larger," he added.
The most common form of cybercrime that the surveyed companies said they fell victim to was malware attacks (55%), followed by ransomware attacks (40%). Other common incidents included distributed denial-of-service (DDoS) attacks and crypto-jacking attacks.
For victims of cybercrime, the most common source of attacks is phishing emails targeting end users (56%) that trick them into clicking malicious links that install malware, or direct them to fake login pages that steal usernames and passwords.
The second most common attack method is exploiting vulnerabilities in digital supply chains and in third-party software connected to the network. In this case, a vulnerable supplier can be the route that lets attackers into the network.
No matter what type of cyberattack companies fell victim to, the research found that in two-thirds of cases they were hit again within a year.
Sometimes this was the same attacker, sometimes it was a different cyber-criminal entity altogether – but either way, more attacks were able to disrupt the network because the original cybersecurity weaknesses remained unfixed.
Common cybersecurity protections recommended by experts are applying security updates as quickly as possible and equipping all users with multi-factor authentication (MFA).
Security teams need the budget for work like this, but in many cases boardrooms aren't willing to provide one – until it's too late. The result is that companies end up paying not only for an IT security budget, but also to fix the damage done by a cyberattack.
This lack of understanding between boardrooms and information security teams often stems from poor communication.
But according to Cymulate's research, the more often information security and leadership teams meet to discuss cyber threats and risks, the less likely the company is to fall victim to a cyberattack – and those that met most often, at least 15 times a year, didn't suffer security breaches at all.
"When we finally go from awareness to executive involvement, we see a huge difference – there really is a need to be proactive. And it makes a difference in the number of times you get hit," said Klein.
Alongside applying security patches and using multi-factor authentication, some of the things that companies can do to help protect against falling victim to cyberattacks include phishing awareness campaigns, setting out an incident response plan and regularly updating offline backups.