Mimecast Limited

13/11/2024 | News release | Archived content

When Cyberattackers Strike Again - and Again

A single successful cyberattack that results in a data breach can cost a company millions of dollars. But for many organizations, that's not the end of the story.

Two-thirds of companies that experience a cyberattack are hit again within a year [1]. These successive incidents can play out in multiple ways: simultaneously, a few days apart, or many months later. They may entail compound exploits of the same type or different kinds altogether.

How long it takes a company to discover it has been breached, the length of time it takes to recover, and the steps it takes (or doesn't take) to address the vulnerabilities that opened it up to an attack in the first place all play a role in the possible recurrence of an attack. Midsize companies, which tend to be slower to respond, are more likely to suffer successive attacks than larger firms [1].

The phenomenon of falling prey to successive cyberattacks is not necessarily new. But as cybersecurity organizations face ever more sophisticated foes - who are able to exploit high-profile vulnerabilities with ready-to-deploy ransomware - the results can be devastating, impacting remediation efforts and compounding the financial and reputation damage done.

This underscores why it's more important than ever for security leaders to fortify both their cyber defenses and cyber resilience.

Open Doors and Open Sources: A Recipe for Repeat Attacks

It can take an average of 277 days - that's about nine months - for an organization to identify and contain a breach [2]. During that extended period of time, not only might cybercriminals remain in the environment wreaking havoc, but the means by which they entered remains available to others as well.

What's more, when an organization fails to fully address the vulnerabilities that allowed the first attack - a misconfiguration, human error resulting from lack of cyber awareness, or a software vulnerability - the door is left open to other attackers.

While some cyberattacks make use of zero-day vulnerabilities, many rely on known vulnerabilities on unpatched systems. The universe of bad actors also has unprecedented access to intelligence and tools to capitalize on an organization's lack of speed or vigor in responding to an attack and addressing its cause. Threat groups have been exploiting widespread and easy-to-exploit vulnerabilities such as Log4j and ProxyShell, for example, each offering multiple ways into the same organization.

Due to the ongoing commoditization of cybercrime, what was once a one-to-one battle between a bad actor or gang and a network has evolved into a many-to-one onslaught on a vulnerable system or network. Anyone, even with limited tech savvy, can capitalize on proven exploits, whether working with initial access brokers - criminal groups that find vulnerabilities within organizations and sell that access to others - or taking advantage of ransomware-as-a-service offerings or phishing kits. Thus, one vulnerability can yield many attacks.

Reducing the Likelihood of Repeat Breaches

Cybersecurity leaders seeking to mitigate the risk of successive attacks on their organizations must consider not just technology, vulnerabilities, and solutions, but people and process as well. The following actions can reduce the likelihood of multiple attacks:

  • Insist on postmortems: Performing root cause analysis on successful attacks is critical (and something Mimecast does extensively to continually improve its own human risk management platform). Too often, however, security teams are so busy with incident response and cleanup and so exhausted in the aftermath, that a full review of the people, processes, and technologies that may have led to the attack is overlooked.
  • Introduce premortems: Premortems, a technique used in project management to identify and mitigate risk, can be an equally effective method for addressing the vulnerabilities that lead to repeat attacks. Security leaders can offer their teams avenues for consideration and share weaknesses in the environment that might lead to future failure scenarios and the psychological safety to do so.
  • Empower cyber leadership: Organizations that are serious about preventing attacks in the first place - and successful additional attacks that may occur in their wake - elevate the cybersecurity role accordingly. A security leader who is a couple of levels deep in the organization will not be able to harness the support necessary to fight an ongoing battle against determined cybercriminals. CISOs with working relationships across the C-suite and the ear of their corporate boards, on the other hand, are able to rally the resources necessary to mitigate relentless cyber risks. Organizations that treat cybersecurity as a business-enabler rather than a cost center are best positioned to protect their networks from ongoing threats.
  • Get senior leaders on board: Even if an organization has not suffered successive attacks (and, particularly, if it has), it's critical to elevate the risk to the C-suite and board. Explain in business terms the potential impact of unmitigated risk. For example, discuss how a successful ransomware attack would impact your ability to achieve expected financial growth, retain customers, and/or prevent negative press. Most importantly, maintain an ongoing conversation with senior leadership about your "capabilities and capacities" for effectively managing your cyber and human risk. The more often these conversations happen, the less likely an organization is to be attacked. Organizations that meet more frequently about cybersecurity show a marked and measurable decrease in security incidents compared to those that meet less often.
  • Minimize the attack surface: The size and complexity of an organization's technology environment is a significant factor in repeated attacks. As companies embrace multicloud infrastructure and expand their systems' footprints, visibility across their environments is key. So, too, is patching. Leveraging threat intelligence to prioritize the most critical systems (e.g., Internet-facing with actively exploited high-risk vulnerabilities) for the most timely patching is an excellent strategy.
  • Maximize controls: As Forrester analyst and audit veteran Renee Murphy likes to say: "Trust is not a control, and luck is not a strategy." [3] Instead, organizations should quantitatively assess the risks in their tech stacks as well as the capabilities and capacity of their cybersecurity teams and tools in order to close any gaps. They can leverage managed service providers or a managed security information and event management (SIEM) platform to complement internal teams and adopt cybersecurity tools that address major controls as well (Mimecast covers five of the top 12 controls required by most cyber insurance, for example). Working toward cybersecurity integration will help. Regular, quantitative validation of the organization's security posture is also advisable.
  • Test action plans: A cyberattack is a surprise, but the organizational response shouldn't be. Cyber-savvy organizations regularly test the efficacy of their incident response with tabletop and red team exercises. And they put everyone through their paces, not just the cybersecurity team but all relevant functions, such as PR, HR, legal, and operations. Organizations build their cyber resiliency over time and through frequent testing.

The Bottom Line

While any organization can fall victim to a cyberattack, best practices for addressing vulnerabilities and boosting protections across people, process, and technology can reduce the likelihood of being hit again. Read more about how Mimecast's cloud-based solutions can augment cyber defense strategies and enable greater cyber resilience.

1 "Survey reveals companies hit with cyber attacks likely to face repeated onslaughts," Cymulate

2 "Cost of a data breach 2022: A million-dollar race to detect and respond," IBM

3 "Allow Me To Introduce Myself…," Forrester

This blog was originally published on March 21, 2023.