Verizon DBIR: Social Engineering Breaches Double, Leading to Spiraling Ransomware Costs

Ransomware continues its runaway growth with median payments reaching $50,000 per incident.

A bleak view of nature, seen through a hole in a wire fence in Trent Park, London
Source: Joseph Poulter via Alamy Stock Photo

A full three-quarters of data breaches in the last year (74%) involved the human element, mainly caused by employees either falling for social engineering attacks or making errors, with some misusing their access maliciously.

Social engineering incidents have almost doubled since last year to account for 17% of all breaches, according to Verizon's 2023 Data Breach Investigations Report (DBIR) released June 6 (which analyzed more than 16,312 security incidents, of which 5,199 were confirmed data breaches). The report noted that this preponderance of human fallacy within incidents comes along with findings that the median cost of a ransomware attack has doubled since last year, reaching into the million-dollar range. The evidence taken together points to a gaping need for organizations to get in control of the security basics — or else face a spiraling cycle of inflation when it comes to data breach costs.

Chris Novak, managing director of cybersecurity consulting at Verizon Business, noted that in order to rein in the trend, organizations need to focus on three things: employee security hygiene, implementing true multifactor authentication, and collaboration across organizations on threat intelligence. The first is perhaps the most impactful issue, he said.

"The fundamentals need to improve, and organizations need to be focusing on cyber hygiene," he said, during a press event in Washington DC. "It's probably the least sexy recommendation I can give you, but it is one of the most fundamentally important things that we see organizations still missing, and of all shapes and sizes. And it's usually because they want to focus on the new flashy technology in the industry, and they forget the basics."

Financially Motivated External Attackers Double Down on Social Engineering

In addition to social engineering growing in volume, the median amount stolen from these attacks hit $50,000 this past year, according to the DBIR. Overall, there were 1,700 incidents that fell into the social media bucket, 928 with confirmed data disclosure.

Phishing and "pretexting," i.e. impersonation of the sort commonly used in business email compromise (BEC) attacks, dominated the social engineering scene, the report found. In fact, pretexting gambits have almost doubled since last year and now represent 50% of all social engineering attacks.

Verizon analysts found that the vast majority of social engineering incidents were driven by financially motivated external threat actors, who were involved in 83% of breaches. In contrast, insider threats represented about a fifth of the incidents (19%, both actively malicious and inadvertent) and state-sponsored actions (usually involving espionage instead of financial gain) were involved less than 10% of the time.

Further, external actors stuck with the classics when it came to gaining initial access into organizations, with the top three avenues being using stolen credentials (49% of breaches); phishing (12%); and exploiting vulnerabilities (5%).

No wonder the report found that three-quarters of the data compromised in social engineering attacks last year were credentials to fuel additional attacks (76%) followed by internal organizational information (28%) and personal data.

Ransomware Has Yet to Hit a Wall in Growth

What's the end game for these social engineers? All too often it's an answer that's easy to guess: ransomware and extortion. It's the same story as it has been for the past few years, and, in fact, ransomware events held steady in this year's report in terms of share of breaches, accounting, like last year, for about a quarter of incidents overall (24%). This may seem like good news on the outside, but the report noted that the stat actually flies in the face of the conventional wisdom that ransomware would, sooner or later, hit a wall thanks to organizations wising up on defenses, entities refusing to pay, or law enforcement scrutiny.

None of that seems to have moved the needle — and, in fact, there's still plenty of upside for ransomware going forward, the report noted, since it hasn't hit a saturation level.

"That almost a quarter of breaches involve a ransomware step continues to be a staggering result," the report read. "However, we had been anticipating that ransomware would soon be hitting its theoretical ceiling, by which we mean that all the incidents that could have ransomware, would have. Sadly there is still some room for growth."

Overall, financial motives provided the impetus for 94.6% of breaches in the year, with ransomware present in 59% of them. A full 80% of system intrusion incidents involved ransomware, according to the DBIR, and 91% of industries have ransomware as one of their top varieties of incidents.

The ransomware economy also continues to professionalize, according to the report. When it comes to the external actors responsible for the majority of breaches, most were affiliated with organized crime; ransomware, in fact, represented 62% of all organized crime-related incidents.

Battling the Rising Tide of Ransomware & Breaches

To prevent further ransomware growth and stem the tide of breaches in general, Verizon's Novak says that organizations can focus on fairly achievable steps, given that social engineering is a linchpin to both. To wit, in addition to encouraging basic security hygiene and awareness on the part of employees, organizations need to also forge ahead with MFA and focus on honing a range of cybersecurity partnerships.

When it comes to MFA, he said that moving away from simple two-factor authentication using one-time passwords, in favor of strong authentication like FIDO2, will be game changing. FIDO2 presents authentication challenges to the user via a browser, which adds context about the challenge and then delivers it to an attached FIDO2 authenticator, which allows detection of man-in-the-middle snooping and more.

"If we can make significant strides in that, I think we can substantially knock down a lot of the belly-button [basic] breaches in terms of the human factor involvements," Novak said. "We need to be looking at other mechanisms for doing strong mutual or multifactor authentication."

Even so, he said, "I think we're nowhere near where we would love to be on FIDO2. But I think that the biggest challenge we really face in getting large scale adoption is changing the human behavior. We say 'Look, do this and you'll protect your data, you'll protect your systems, and protect your business, your livelihood.' And even still, lots of individuals are going to struggle to move in that direction."

However, the good news is that Novak noted that organizations are a bit further along on the cyber-partnership front.

"The previous mentality was that organizations really tried to do everything all in house, and I think now we are seeing the need for a higher degree of collaboration and progression," he explained. "The threat actors are doing it because it's an effective way to communicate and share information, and we can do that too. It's time to get plugged into something like a broad multiparty threat intelligence effort, helping organizations with incident response but also cultivating a strong ecosystem of partners. I think it will be extraordinarily beneficial."

This last effort can also help organizations share tips and approaches for shoring up defenses, says Bhaven Panchal, senior director of service delivery at Cyware.

"It is imperative for organizations to accelerate their security processes and plug visibility gaps in their environments," he notes. "The operationalization of threat intelligence, threat response automation, and security collaboration are going to help drive this change toward a more resilient cyberspace for all."

Sidebar: Industry Segments Most at Risk for Data Breaches

In terms of how different industries were targeted, the Verizon DBIR found that the finance and insurance segment was targeted most often, followed closely by manufacturing. Vertical stats are as follows:

  • Accommodation and Food Services • 254 incidents, 68 with confirmed data disclosure

  • Education • 497 incidents, 238 with confirmed data disclosure

  • Financial and Insurance • 1,832 incidents, 480 with confirmed data disclosure

  • Healthcare • 525 incidents, 436 with confirmed data disclosure

  • Information • 2,110 incidents, 384 with confirmed data disclosure

  • Manufacturing • 1,817 incidents, 262 with confirmed data disclosure

  • Mining, Quarrying, and Oil and Gas Extraction + Utilities • 143 incidents, 47 with confirmed data disclosure

  • Professional, Scientific, and Technical Services • 1,398 incidents, 423 with confirmed data disclosure

  • Retail • 406 incidents, 193 with confirmed data disclosure

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights