The Top 4 Initial Attack Vectors Prove We Have a People Problem
The Human Element of Data Breaches is EXPENSIVE
In 2021 the average cost of a data breach was $4.24 million, according to the Cost of a Data Breach Report from IBM and the Ponemon Institute. That is nearly a 10% increase over the previous year's report.
$4.24 million is the average price tag when a business suffers a data breach, and that is a significant amount of money for any business to lose. What makes it even scarier is that the top 4 initial attack vectors by cost are all human-related.
Some other startling facts about data breaches in 2021 include:
20% of the data breaches in 2021 started with compromised credentials, which made them the most common initial attack vector in the report. This means we still have a password problem: 1 in 5 breaches began with a stolen or reused password, the kind that ends up for sale on the dark web. The password problem is real.
The average cost of a data breach where remote work was a factor was $1.07 million higher than for breaches where it was not.
Healthcare continues to be a big target and had the highest cost of all verticals when it came to data breaches. The average cost of a data breach in healthcare rose to $9.23 million in 2021.
The Top 4 Initial Attack Vectors by Cost
- Business Email Compromise (BEC) at $5.01 million. Data breaches that resulted from Business Email Compromise took the top spot in 2021. This shouldn’t come as a surprise since the goal of a BEC scam is to redirect payments to cybercriminals.
BEC scams are loosely explained in this blog post about a homeowner being tricked into paying a deposit for a new roof to the wrong people. Essentially, a BEC scam tricks accounts payable into sending funds to an account controlled by criminals. I think you can see where it goes from there. The email usually appears to come from a known vendor or executive, asks for "updated" bank details or an urgent payment, and discourages the recipient from checking with anyone. The tell is that the request changes where money goes; the practical defense is to verify any change of payment details over a phone number already on file, never one supplied in the email itself.
BEC scams occur a lot in real estate and in municipalities. That's not to say they can't occur in other industries. They do. Any business or agency that has accounts payable is a potential target for a Business Email Compromise.
- Phishing at $4.65 million. Phishing is like BEC in that it usually arrives by email. A phishing email tries to trick the recipient into clicking a link or downloading a file.
The link will likely lead to a fake login page for a service like Microsoft 365 and ask you to sign in. Once the victim enters their credentials they are sent to the attackers, and the credentials are now compromised. The page is often a pixel-perfect copy of the real one; the giveaway is the address bar, where the brand name typically appears as a subdomain of a domain the attacker controls rather than as the real registered domain. This is also why phishing-resistant MFA such as FIDO2 security keys matters: the key is bound to the legitimate site's origin and will not complete a login on the fake one, so a harvested password alone is not enough.
A file downloaded from a phishing email likely contains malware or a malicious script that calls back to a command-and-control server, installs more malicious software, and gives the attacker a foothold on the machine.
Phishing can and does occur through other means such as text, voice calls, social media, and QR codes to name a few.
- Malicious insiders at $4.61 million. Insider threats have continued to increase. At one time insider threats were rare. Not anymore.
Malicious insiders are typically motivated by financial gain. A well-publicized example from the summer of 2020 occurred when a Tesla employee was offered $1 million to help a cybercriminal gain access to Tesla's internal network.
The employee did not take the cybercriminal up on the offer and instead reported the attempt to Tesla and the FBI. The goal was to plant malware inside Tesla's Nevada factory, steal data, and extort the company, which the press widely described as an attempted ransomware attack. Fortunately for Tesla, the attacker approached the wrong employee. The Russian national behind the plot had traveled to the US to make the pitch in person and was arrested before he could leave the country.
This was not a successful attack but there are lots of similar examples where the attackers were successful. This is one threat that will continue to grow and will require some creative thinking and positive workplace culture to reduce the risk.
- Social Engineering at $4.47 million. The crazy part about this number is that BEC scams and phishing attacks are themselves forms of social engineering; the report simply tracks them as separate initial vectors. Social engineering is the art of manipulating someone into doing something they wouldn't normally do.
There are plenty of real-world examples of social engineering. If you're at all curious about how social engineering works in the real world, go to a car dealership or watch Ferris Bueller's Day Off (a great movie, by the way). Social engineering is all around us, and sometimes it is used for malicious reasons.
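The BEC and phishing items above describe the same handful of tells: a display name that doesn't match the sending address, replies quietly routed to another domain, a link whose hostname name-drops a brand but belongs to someone else, and an outside party asking to change where money goes. The following is an added example, not code from the original post, that checks a raw email for those signals. The organisation (example.com), the executive, the brand allowlist and the three sample messages are all constructed for the example.

```python
"""Triage an email for the BEC and credential-phishing tells discussed above.

Added example. OUR_DOMAIN, EXECUTIVES, BRANDS and the sample messages are
hypothetical and constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                          # hypothetical organisation
EXECUTIVES = {"pat doe": "pat.doe@example.com"}     # display name (lowercase) -> real mailbox
# Brand tokens and the domains genuinely allowed to use them (hypothetical allowlist).
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "example": {"example.com"},
}
# Crude keyword list; "wire" will also hit "wireless", which is acceptable for triage.
PAYMENT_WORDS = ("wire", "bank account", "routing number", "remit", "payment details")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Production code should use the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def imitated_brand(text: str, domain: str):
    """Return the brand token that `text` mentions while `domain` is not on
    that brand's allowlist; None if nothing is imitated."""
    for brand, allowed in BRANDS.items():
        if brand in text.lower() and registrable_domain(domain) not in allowed:
            return brand
    return None


def triage(raw_message: str) -> list:
    """Return human-readable findings for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else " ".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")

    # 1. Display name of a known executive on a mailbox that is not theirs.
    real = EXECUTIVES.get(from_name.lower())
    if real and from_addr.lower() != real:
        findings.append(f"display name '{from_name}' but sender is {from_addr}")
    # 2. Sender name or domain borrows a brand it does not own (look-alike domains too).
    brand = imitated_brand(from_name + " " + from_dom, from_dom)
    if brand:
        findings.append(f"sender {from_addr} imitates {brand}")
    # 3. Replies silently go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Link hosts that name-drop a brand but are registered elsewhere,
    #    the usual shape of a credential-harvesting page.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        brand = imitated_brand(host, host)
        if brand:
            findings.append(f"link host {host} imitates {brand}")
    # 5. Payment-redirection language from outside the organisation.
    if from_dom != OUR_DOMAIN and any(w in body.lower() for w in PAYMENT_WORDS):
        findings.append("external sender asking to change or send payment details")
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = (
    'From: "Pat Doe" <ceo.patdoe@gmail.com>\n'
    "Reply-To: patdoe.ceo@outlook.com\n"
    "To: ap@example.com\n"
    "Subject: Urgent deposit\n"
    "\n"
    "I'm in a meeting. Wire the roofing deposit to the new bank account below today.\n"
)
PHISH_SAMPLE = (
    'From: "Microsoft 365" <no-reply@account-alerts.net>\n'
    "To: pat.doe@example.com\n"
    "Subject: Password expiring\n"
    "\n"
    "Your password expires in 24 hours. Sign in at "
    "https://login.microsoft.com.secure-verify.net/owa to keep access.\n"
)
CLEAN_SAMPLE = (
    'From: "Pat Doe" <pat.doe@example.com>\n'
    "To: ap@example.com\n"
    "Subject: Lunch\n"
    "\n"
    "Lunch at noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_SAMPLE), ("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(raw) or ["clean"])
```

None of these checks is proof of fraud on its own; a real vendor does send invoices from outside the organisation. They are triage signals, and the combination (impersonated executive plus mismatched Reply-To plus a request to move money) is what should route a message to a human who calls the vendor back on a known number.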
The threat of cyber-attacks resulting from the human element is a very real problem, and an extremely expensive one. It needs to be addressed at every level of a business because attempted attacks are inevitable. Your people need to be prepared and ready to take on the fake UPS guy, the email with a fake invoice attached, or the disgruntled employee acting out of place.
Without the proper education and collaboration, your business is at a severe disadvantage. Don’t let the bad guys win.