Phishing-Based Data Breaches Take 295 Days to Contain and Breach Costs Soar to $4.91 Million

Fresh data on data breach costs from IBM show phishing, business email compromise, and stolen credentials take the longest to identify and contain.

There are tangible repercussions of allowing your organization to succumb to a data breach that starts with phishing, social engineering, business email compromise, or stolen credentials – according to IBM’s just-released 2022 Cost of a Data Breach report. Phishing and social engineering go hand-in-hand, with business email compromise and stolen credentials being outcomes of attacks, used as launch points for further malicious actions.

According to the IBM report, the average cost of a data breach in 2022 is $4.35 million, with an average of 277 days to identify the breach and contain it. That’s actually the good news. Why, you ask? Because when you factor in the initial attack vector, it gets worse.

According to IBM, the following are the average data breach costs based on the initial attack vector:

  • Phishing – $4.91 million
  • Business Email Compromise – $4.89 million
  • Stolen Credentials – $4.50 million
  • Social Engineering – $4.10 million

Why so much? A lot of it has to do with how long threat actors act undetected as they move laterally within your environment, gain access to credentials and data, and exfiltrate your valuable data.

According to the report, the longest times revolve around attacks that involve your users:

With the average number of days to detection and containment being 277, it’s evident that stolen credentials, phishing, and business email compromise (the attack vectors your users play a role in!) push those “rookie numbers” up, giving attackers an additional 1-2 month’s time to continue their malicious activities.

Additional takeaways:

  • Employee security awareness training can cover 49% of the breach types
  • Employee training saves USD $247K cost in terms of data breach impact cost (Page 20)
  • Breaches in the public cloud were costliest for organizations that don’t invest in employee training and expect public cloud providers to take care of breaches.

We already know that phishing and BEC attacks focus on either stealing credentials or infecting endpoints, putting the user receiving the malicious email, phone call, text, etc. squarely in the middle of the discussion that results in these massive data breach costs.

Users need to play a role in your security strategy to help mitigate the risk of successful attacks through continual Security Awareness Training that teaches them how to identify suspicious content in email and on the web, helping to avoid any interaction that would result in a data breach.

Stu Sjouwerman
About the Author
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.