millions of personal data were stolen and the total cost and risk coverage can go up to 1 billion dollars
3. once you are in the network through a vulnerable web application that has connections to the rest of the network (why don't you host your webapplications far away from your network with no connections to it ?
4. he goes immediately to your Active Directory to look for the groups of administrators that have full access to the network (how do you log access to this active directory and has everybody the right to view everything ?)
5.once the administrators are identified you look on the network for their machine and tries to steal their token if they don't use physical double authentification (why spend money if nobody makes it an obligation ?)
6. now you go back to the Active Directory and you make yourself administrator
now you are administrator and you can infect other machines that are accessing other parts of the network or have more rights even if you can create as many rights as you want in the Active Directory because nobody is looking at the logs (because there are so many of them)
last remark how many machines have access for FTP without limitation in your network (normally that should be none and if they have FTP than that should be to specific sites at specific working days)