Fresh data on data breach costs from IBM show phishing, business email compromise, and stolen credentials take the longest to identify and contain.
According to IBM’s just-released 2022 Cost of a Data Breach report, there are tangible repercussions to letting your organization succumb to a data breach that starts with phishing, social engineering, business email compromise, or stolen credentials.
According to the IBM report, the average cost of a data breach in 2022 is $4.35 million, with an average of 277 days to identify and contain the breach. The following are the average data breach costs based on the initial attack vector:
- Phishing – $4.91 million
- Business Email Compromise – $4.89 million
- Stolen Credentials – $4.50 million
- Social Engineering – $4.10 million
Why so much? A lot of it has to do with how long threat actors act undetected as they move laterally within your environment, gain access to credentials and data, and exfiltrate your valuable data.
According to the report, the longest identification and containment times belong to attacks that involve your users.
With the average number of days to detection and containment being 277, it’s evident that stolen credentials, phishing, and business email compromise (the attack vectors your users play a role in!) push those numbers up, giving attackers an additional 1-2 months to continue their malicious activities.
- Employee security awareness training can cover 49% of the breach types
- Employee training saves $247K in terms of data breach impact cost
- Breaches in the public cloud are costliest for the organizations that don’t invest in employee training and expect public cloud providers to take care of breaches.
We already know that phishing and BEC attacks focus on either stealing credentials or infecting endpoints, putting the user receiving the malicious email, phone call, text, etc., squarely in the middle of the discussion that results in these massive data breach costs.
Users need to play a role in your security strategy to help mitigate the risk of successful attacks. Security Awareness Training can teach your users how to identify suspicious content in email and on the web, helping to avoid any interaction that could result in a data breach.
Information in this article was provided by our partners at KnowBe4.