Report Reveals Soaring Costs and Frequency of Social Engineering Attacks


Verizon Business unveiled the findings of its 16th annual Data Breach Investigations Report, indicating a skyrocketing trend in both the frequency and cost of ransomware attacks on businesses. The report, which scrutinized 16,312 security incidents and 5,199 breaches, identified ransomware as one of the top cyberattack methods, involved in nearly a quarter (24%) of all breaches.

Ransomware, malicious software that locks an organization’s data and then demands large ransoms to unlock it, has seen a considerable spike in cost. The median cost of ransomware incidents has more than doubled in the past two years to $26,000, with losses in 95% of incidents ranging from $1 to $2.25 million. This startling rise coincides with a surge in the number of ransomware attacks, which have been more frequent over the past couple of years than the previous five years combined.

Another key finding of the report was the continuing role of the human element in security incidents. Despite enterprises investing heavily in cybersecurity protocols and infrastructure protection, human involvement still factored into 74% of all breaches. The most common way this human vulnerability is exploited is social engineering, which uses tactics such as phishing to manipulate people into exposing an organization’s sensitive information.

Chris Novak, Managing Director of Cybersecurity Consulting at Verizon Business, said: “Senior leadership represents a growing cybersecurity threat for many organizations,” adding: “Not only do they possess an organization’s most sensitive information, they are often among the least protected, as many organizations make security protocol exceptions for them. With the growth and increasing sophistication of social engineering, organizations must enhance the protection of their senior leadership now to avoid expensive system intrusions.”

Similar to ransomware, social engineering proves highly profitable for cybercriminals, especially as these techniques are frequently used to impersonate employees for financial gain. This method, known as Business Email Compromise (BEC), has seen its median losses increase to $50,000 USD over recent years. As BEC grows, enterprises, particularly those with distributed workforces, face the challenge of creating and enforcing human-centric security best practices.

This year’s DBIR offered additional insights into threat actor motivations and techniques. Contrary to the heavy media focus on espionage, a mere 3% of threat actors were driven by espionage, while a significant 97% were motivated by financial gain. It was also noted that external actors used a range of techniques to infiltrate organizations, including stolen credentials (49%), phishing (12%), and exploiting vulnerabilities (5%).

To secure their critical infrastructure, businesses can adopt industry-leading protocols and practices. An example of such an initiative is the Mutually Agreed Norms for Routing Security (MANRS), which aims to reduce common routing threats exploitable by attackers. Verizon recently became the first nationwide telecom provider to participate in MANRS, thereby demonstrating its commitment to preventing cyber incidents for customers on its network.


Joshua Sophy is the Editor for Small Business Trends and has been a member of the team for 16 years. A professional journalist with 20 years of experience in traditional media and online media, he attended Waynesburg University and is a member of the Society of Professional Journalists. He has held roles of reporter, editor and publisher, having founded his own local newspaper, the Pottsville Free Press.