A global survey of 2,000 senior security decision-makers in organizations with between 50 and 2,000 employees finds well over a third (38%) of those who were impacted by a data breach caused by a ransomware attack were victimized multiple times in the last 12 months.
Conducted by the market research firm Vanson Bourne on behalf of Barracuda Networks, the survey finds 57% of respondents work for organizations that were impacted by ransomware, with nearly a third (32%) having to pay attackers to recover or restore data.
Unfortunately, the survey also finds that 41% of those who paid a ransom failed to recover all their data.
On the plus side, nearly two-thirds of organizations hit by ransomware attacks were able to recover data from their backup platforms.
Adam Khan, vice president of global security operations (SecOps) for Barracuda Networks, said that while a lot of progress has been made when it comes to thwarting these types of attacks, it’s apparent many organizations lack the level of cyber resilience needed to reduce the likelihood they will be victimized. Many of the organizations that were victimized, however, didn’t lack for tools and platforms so much as an overall strategy, he added. For example, nearly three quarters (74%) of repeat victims say they are juggling too many security tools, with 61% noting those tools are not integrated. The most widely deployed security measures are email security (52%), network security (52%) and security awareness training (48%).
Less than half (47%) of the ransomware victims, however, had implemented an email security solution, compared to 59% of non-victims, even though email remains a primary attack vector for ransomware attacks. A full 71% of organizations that experienced an email breach were also hit with a ransomware attack, the survey finds.
The survey also notes that just under a quarter (24%) of the ransomware incidents involved data encryption, compared to simply stealing (27%) and publishing data (27%), infecting devices with other malicious payloads (29%) or installing backdoors to provide access at a later time.
It’s not clear why organizations that were victimized once were not able to put the measures in place needed to thwart additional attacks. Too many organizations continue to simply assume that the platforms they are relying on have some built-in level of security, said Khan. That blind faith then creates a false sense of security that isn’t realized until there is an actual breach, he added.
The challenge is that the blast radius created by those breaches continues to increase. For example, 41% of respondents said their organization experienced reputational harm as the result of a ransomware attack, followed by loss of new business opportunities (25%), loss of existing customers (25%) and payment pressure tactics that included threatening partners, shareholders and customers (22%), and employees (16%).
In general, organizations would be well advised to not become too complacent even if it appears ransomware attacks are declining, said Khan. Cybercriminals are constantly evolving tactics and techniques that could lead to another surge of attacks using, for example, deepfake technologies and other artificial intelligence (AI) technologies to not only commit fraud but also steal data.
Ultimately, it’s not likely organizations will be able to thwart every type of attack. The challenge is making sure that once that inevitable successful attack occurs, the organization is resilient enough to recover in a way that minimizes the total cost of the breach as much as possible.