Survey: Increased Volume and Sophistication of Cyberattacks Creating Higher Costs
A global survey of 1,917 IT security practitioners published today found 62% reported that cyberattacks are becoming more sophisticated, with more than half (55%) also noting attacks are becoming more severe in terms of an increase in the time it takes to investigate and attempt to mitigate the damage inflicted.

Conducted by Ponemon Institute on behalf of Barracuda Networks, the survey also found more than half of respondents (53%) agreed that cyberattacks are becoming more targeted.

Overall, the report finds organizations are spending an average of $5.4 million to respond to compromises, with $2.36 million directly attributed to disruption of operations.

A majority (57%) of respondents reported their organizations suffered one or more cyberattacks in the past 12 months, with nearly half (48%) reporting their organization suffered a data breach in the past 12 months and lost, on average, 340,267 individual records.

Barracuda Networks CTO Fleming Shi said the report makes it clear it’s relatively easy for cybercriminals to succeed. It takes a proficient attacker only roughly six hours to exploit a vulnerability, compared to the 427 hours an organization spent investigating, cleaning, fixing and documenting successful phishing attacks over the last year, the report noted. On average, a single attacker can launch 21 attacks a day.

Attackers are only going to become more efficient as they embrace generative artificial intelligence (AI) to craft their attacks, noted Shi.

As such, organizations need to focus on becoming more resilient by improving their ability to recover from attacks that are only going to increase in volume and sophistication, he added.

The most common types of attacks involved denial-of-service (52%), phishing/social engineering (48%) and credential theft (41%). However, the costliest attacks cited involved target-specific exploits (58%), attacks against application programming interfaces (APIs) (55%), zero-day exploits of widely used software (52%) and weak authentication attacks (49%).

A full 81% said these attacks involved ransomware, with 61% electing to pay the ransom. The highest amount paid for a ransomware attack, on average, is $1.38 million.

Despite these ongoing attacks, however, only 43% described their ability to mitigate risks, vulnerabilities and attacks across the enterprise as very or highly effective. While 90% said their organization has a security incident response plan, only 50% said it is applied consistently across the enterprise.

Top impediments to achieving that goal are inadequate IT security budgets (55%), inconsistent enterprise-wide security policies and programs (42%), lack of inventory of third parties with access to sensitive and confidential data (38%), poor or no visibility into the organization’s networks and applications (37%) and difficulty securing the supply chain (32%).

Obviously, cybersecurity is a never-ending battle between the forces of good and evil. Unfortunately, the latter have a lot more resources at their disposal than the average organization. The one thing that is certain is that as more attacks are launched, the probability that more of them will succeed only increases. After all, the attacker only has to be right once compared to a defender that increasingly can’t afford to be wrong.

