Three-quarters of the data breaches recorded in the past year involved a significant human element. Social engineering attacks often rely on a pretext, i.e. a fabricated scenario that tricks the victim into handing over data or otherwise enabling a breach. Pretexting is growing and now accounts for half of all social engineering incidents, including business email compromise (BEC).
That’s one of the leading findings in Verizon’s massive annual Data Breach Investigations Report (DBIR), released June 6. The trend is “one of the most stunning changes we’ve seen year over year,” said Chris Novak, managing director of cybersecurity consulting at Verizon Business.
The analysis indicates that senior business leaders are the most likely to fall victim to this type of attack, which makes them a growing security liability for many organizations.
“Top managers not only hold the organization’s most sensitive information; they are often among the least protected because many organizations make special exceptions for them from security protocols,” Novak said. “With the growth and increasing sophistication of social engineering, organizations need to improve their senior management protections more urgently to avoid costly system breaches.”
The driver is financial. Most of these breaches involve fraudulent money transfers, and, as Novak put it, usually "it gets paid very quickly."
Based on data from the FBI's Internet Crime Complaint Center (IC3), Verizon concludes that the average amount stolen in a BEC attack has doubled in the past year and now stands at $50,000. That rising payoff likely helps explain the increase in pretexting incidents.
“Globally, cyber threat actors continue their relentless efforts to acquire sensitive consumer and business data. The revenue generated from this information is staggering,” said IDC Research Vice President Craig Robinson. He also points to the added difficulty that the targeted leaders are the public face and “heart” of the affected business.
Distributed work remains a challenge
The research team adds that the continued reliance of many organizations on a distributed workforce remains a challenge. It is squarely an IT security problem and, crucially, one that demands the enforcement of human-centric security practices rather than purely technical controls.
Ransomware doesn’t stop
Other important findings in this year’s report concern the cost of ransomware incidents, which has more than doubled since 2021. According to IC3 data, the average loss in a ransomware incident is now $26,000.
Note that this figure covers only incidents in which the attacked organization actually reported a loss; not every ransomware incident did. The analysts also observe that “when adjusted for inflation, the average price (per breakout) actually fell quite significantly.”
In addition, Novak says, the share of ransomware in all incidents and breaches has leveled off over the past 12 months. This is not necessarily cause for celebration.
“The reason we’re seeing this ‘leveling off’ is not that we’ve improved cybersecurity much, but that threats have reached a saturation point. Attackers usually need people and tools to carry out their actions. Now they’ve reached a stage where they just don’t have enough people to hit (their) targets, or their tools are getting old,” he explained.
“It’s important for organizations to understand that we can’t look at these statistics and think ‘we can now focus on something else because ransomware is going away’ – unfortunately we will see an upward trajectory again in the future,” Novak added.