Continuing coverage of IBM’s recently-released Cost of a Data Breach report, we focus on the impact attacks involving social engineering have on data breach costs.
There are two reports every year that we cover on this blog that you should be reading – Verizon’s Data Breach Investigations Report and IBM’s Cost of a Data Breach report. Each of these reports has been published for years, providing insight into how the state of data breaches is changing. In IBM’s case, we see how the costs associated with detecting and remediating data breaches change.
In their most recent report, we find that the average data breach costs an organization $4.45 million, taking an average of 204 days to identify the breach and 73 days to contain it. I recently pointed out that data breaches involving phishing are the most costly, but IBM also makes it clear that when social engineering is used (whether via email, the web, voice, or text as the delivery medium), there are some additional negative consequences:
- The cost of the breach rises by another $100,000 on average
- The number of days it takes to identify a breach jumps to 234 – likely because the social engineering is either harvesting internal credentials or persuading the victim user to take action on the threat actor’s behalf (in either case, the threat actor’s actions look legitimate because they are being performed with a valid user’s credentials)
- The number of days it takes to contain a breach increases to 80 days
Don’t discount the power of social engineering; tricking users into giving up credentials or performing an action that benefits the cybercriminal may be the difference between a successful and a failed cyberattack. The most effective tool in combating social engineering is security awareness training that continually teaches users how to see manipulative requests for what they are, making the user the line of defense where an attack stops.