Social Engineering Gains Lead to Spiraling Breach Costs

/in


A full three-quarters of data breaches in the last year (74%) involved the human element, mainly caused by employees either falling for social engineering attacks or making errors, with some misusing their access maliciously.

Social engineering incidents have almost doubled since last year to account for 17% of all breaches, according to Verizon’s 2023 Data Breach Investigations Report (DBIR) released June 6 (which analyzed more than 16,312 security incidents, of which 5,199 were confirmed data breaches). The report noted that this preponderance of human fallacy within incidents comes along with findings that the median cost of a ransomware attack has doubled since last year, reaching into the million-dollar range. The evidence taken together points to a gaping need for organizations to get in control of the security basics — or else face a spiraling cycle of inflation when it comes to data breach costs.

Chris Novak, managing director of cybersecurity consulting at Verizon Business, noted that in order to rein in the trend, organizations need to focus on three things: employee security hygiene, implementing true multifactor authentication, and collaboration across organizations on threat intelligence. The first is perhaps the most impactful issue, he said.

“The fundamentals need to improve, and organizations need to be focusing on cyber hygiene,” he said, during a press event in Washington DC. “It’s probably the least sexy recommendation I can give you, but it is one of the most fundamentally important things that we see organizations still missing, and of all shapes and sizes. And it’s usually because they want to focus on the new flashy technology in the industry, and they forget the basics.”

Financially Motivated External Attackers Double Down on Social Engineering

In addition to social engineering growing in volume, the median amount stolen from these attacks hit $50,000 this past year, according to the DBIR. Overall, there were 1,700 incidents that fell into the social media bucket, 928 with confirmed data disclosure.

Phishing and “pretexting,” i.e. impersonation of the sort commonly used in business email compromise (BEC) attacks, dominated the social engineering scene, the…

Source…