Two-thirds of companies that suffered cyber attacks were hit again within a year, according to a global study by the extended security posture management firm Cymulate.
According to the report, 40% of the businesses were attacked within 12 months, with an average of 1.3 cyber attacks per year. However, 10% of the firms experienced ten or more incidents within a year.
Additionally, cyber attacks had more profound impacts on medium-sized businesses than on larger companies, which reported 40% less damage.
Employees and connected partners are the main gateways for cyber attacks
According to the Cymulate Data Breaches Study, most cyber attacks originated from end-user phishing (56%) and hacking third parties with corporate network access.
Direct cyber attacks on the enterprise network by threat actors accounted for 34% of incidents, while insider threats were responsible for 29% of incidents, either intentionally or unintentionally.
The top types of incidents reported were malware (55%), followed by ransomware attacks (40%), and DDoS attacks (32%).
Public relations, legal, and financial consultants involved in the cyber incident response
Businesses responded differently after cyber attacks, with 39% handling everything internally, without hiring experts, public relations, or mandatory reporting.
However, in 35% of the cases, the company responded by hiring security consultants, while 12% hired public relations consultants to protect their reputation.
Another 12% responded by dismissing their current security staff, while 4% dismissed the executives.
Additionally, 22% of the companies were forced to handle the regulatory mandate of public disclosure, while 10% paid regulatory fines. The report posited that handling the regulatory mandate could cause more damage if not handled with sensitivity and expertise.
According to the report, security teams needed to involve legal, finance, or executive staff to deal with the aftermath of cyber attacks in 39% of the cases. “Only 9% of companies limit the handling of cybersecurity breaches to security staff alone,” the researchers wrote. “91% involve two or more different team members.”
Multi-factor authentication remains the most preferred mitigation for cyber attacks
Two-thirds (67%) of the respondents preferred multi-factor authentication (MFA) to mitigate cyber attacks, followed by proactive corporate phishing and awareness campaigns (53%), well-planned and practiced incident response plans (44%), and least privilege (43%).
The fact that most businesses suffered repeat attacks suggests that vulnerability management should also be a priority in preventing cyber attacks. Proper management of vulnerabilities within an organization would prevent cyber criminals from exploiting the same flaw multiple times.
Regular meetings between company leadership and cyber security teams reduced the number of successful cyber attacks.
According to the report, companies that held at least 15 cybersecurity meetings a year, or that met more than once a month, had zero data breaches.
Similarly, companies that suffered six or more data breaches had held fewer than nine cybersecurity meetings in a year.
Executives’ awareness of cyber breaches was also a mitigating factor. On average, executives were aware of 44% of cyber attacks. However, when executives knew of at least 75% of cyber attacks, the number of incidents dropped.
Small businesses incur more losses from cyber attacks
The researchers found that smaller businesses incurred more costs after suffering cyber attacks.
More than half (57%) of large businesses reported that disruptions after cyber attacks lasted for a short time, while 40% reported minor damage. In contrast, only 33% of small businesses reported short-lived disruptions, and only 27% reported low-level damage.
“The larger the company, the more resources they are likely to have to recuperate,” the researchers wrote.
Small businesses cannot afford the technology investment required to prevent the most severe cyber threats.
Additionally, cyber criminals’ ransom demands are likely to exceed small businesses’ ability to pay, so these businesses end up choosing a slower recovery path, such as rebuilding the network.
The researchers warned that reactive cyber security was an “expensive gamble.” They advised businesses to be proactive in cyber security to avoid the enormous recovery cost associated with cyber attacks. Moreover, companies that suffer repeat attacks are likely to pay this cost multiple times within a year.