Most organizations don’t run Intrusion Detection System tools (IDS) and hope for the best. When a website gets hacked, it is usually through an upload form that allows for any content to be uploaded or a SQL injection vulnerability. Another problem is that there are a whole bunch of so-called programmers writing code they have no business writing because they aren’t qualified to write it. This creates an environment ripe for targeting with automated means when vulnerabilities are found. Most programmers have no clue these things even exist, let alone how to defend against them.”
Source: https://gizmodo.com/90-of-companies-say-theyve-been-hacked-in-last-12-mont-5814831