Phishing Tops the List as the Most Costly Initial Attack Vector in Data Breaches



After you come to grips with the massive average cost of a data breach to an enterprise organization measured in the millions, it’s time to look at the factors that increase – and lower – that cost.

According to the recently released 18th edition of IBM’s Cost of a Data Breach Report, this year’s average cost is $4.45 million. That’s a staggering number, but what about the contributing factors? What can organizations learn beyond “don’t become a victim – it’s expensive”?

Let’s take a look at the initial attack vectors to see how they affect the average cost. According to the report, data breaches that began with phishing are, on average, more expensive, coming in at $4.76 million. Phishing represented the initial attack vector in 16% of the studied cases for this report, putting it in first place for the most common initial attack vector.

[Image. Source: IBM]

You may be wondering where the correlation is between an initial attack vector and the cost after the dust settles. According to IBM, the average breach takes 204 days to identify and 73 days to contain – a total of 277 days. When phishing is involved, both timeframes increase – 217 days to identify and 76 days to contain. Part of this is likely due to the misuse of legitimate credentials (as the majority of phishing attacks are focused on credential harvesting). According to the report, in breaches where stolen or compromised credentials were considered the initial attack vector (I’m not exactly sure how, as there was some threat action taken to steal them, but I’ll go along for the ride…), the timeframes get even longer – with 240 days to identify a breach and 88 days to contain.

But there’s more correlation around phishing and reasons for the cost of data breaches to increase. Of the 27 security measures and factors that could impact the cost of a data breach, in second place was Security Awareness Training, which reduced the average data breach cost by $232K (this, just behind using a DevSecOps approach, which had the most positive impact, reducing the cost by an average of $249K). And, as you’ve read here countless times, this kind of training is the most effective way to render phishing attacks powerless.

Looking specifically at having a trained user base and comparing it to the average data breach cost of $4.45 million, those organizations with a mature Security Awareness Training program had an average data breach cost of $3.68, while those with little to no training saw an average cost of $5.18 million.

So, I’m going to call it – even IBM sees the correlations: phishing attacks increase the cost of responding to a data breach, and having continual and effective Security Awareness Training in place significantly reduces not only your risk of experiencing an attack but also, should an attack be successful in spite of the training, the impact of one.

