Lightning does strike twice: If you get hacked once, you'll probably be attacked again within a year

Businesses might feel that if they're targeted by cyber criminals once, it won't happen again - but analysis of incidents shows that more often than not, attackers come back looking for more.
Written by Danny Palmer, Senior Writer

Businesses that suffer a successful cyberattack are extremely likely to be targeted by cyber criminals again – even if they've taken all the correct steps in the aftermath of the initial attack.

The CrowdStrike Services Cyber Front Lines report draws on analysis of real-world cases where the cybersecurity company has been brought in to help combat cyberattacks. It reveals that in over two-thirds of cases where there were outside intrusions onto the network, cyber criminals will attempt to break into the same network within one year.

According to CrowdStrike, 68% of companies encountered another "sophisticated intrusion attempt" within 12 months – although in each of these cases, the second attack was prevented from compromising or otherwise gaining access to the network.

While organisations might feel that if they're hit by a cyberattack once – whether that's malware, ransomware, business email compromise, phishing or something else – then they won't be targeted again, if anything it's the opposite that's true.

Cyber criminals probably come back because they are hoping that an organisation has not learned the lessons of the first attack and has perhaps even left in place the same vulnerabilities that allowed the initial attackers to breach the network.

"It is tempting to think of intrusions as a lightning strike – a blinding flash that is unlikely to strike the same place twice. Unfortunately, intrusion attempts are rarely a one-time event," said the report.

"Organisations that do not take the opportunity to apply lessons learned and to better prepare for their next encounter with an adversary may well suffer attacks that result in additional data loss, ransom demands, extortion or other monetary losses requiring costly legal fees, response services and perhaps even future business interruption," the paper added.

In the aftermath of a breach, once the network is secured with timely security updates, stronger passwords and multi-factor authentication, it's recommended that organisations take the opportunity to learn from the incident, remain vigilant about what they can do to prevent future attacks and even plan how they'd react to another incident.

One way of doing this is to regularly perform penetration testing to find out where the vulnerabilities are on the network and whether defenders can detect the intrusions, particularly when it comes to new kinds of attack or vulnerability.

"Holistic coordination and continued vigilance are key in detecting and stopping sophisticated intrusions," said Shawn Henry, chief security officer and president of CrowdStrike Services.

"Because of this, we're seeing a necessary shift from one-off emergency engagements to continuous monitoring and response. This will better enable incident response teams to help customers drastically reduce the average time to detect, investigate and remediate," he added.

