According to a survey by the UK’s National Cyber Security Centre (NCSC), 79% of cyber attacks in the UK in 2022 were attributed to social engineering. Phishing accounts for 85% of all social engineering attacks. According to a report by Proofpoint, 356,472 phishing emails are sent every minute in 2023 – that’s 264 million emails per day. Another report puts the figure far higher, at 3.4 billion.
A large portion of these fabricated and malicious emails is blocked by spam filters and other security measures, but not all of them. Some emails reach the target, and those are usually so well crafted that they have a high success rate.
The average cost of different types of social engineering-related data breaches was $4.1 million in 2022. Even if an attack doesn’t lead to a data breach, it costs businesses an average of $130,000. These attacks are capable of putting small and mid-size companies out of business. This post will discuss the impact of social engineering attacks on businesses and their cybersecurity efforts.
Social engineering in action against tech giants
In 2018, a small group of Google employees who were responsible for managing Google’s financial accounts received an email from a senior executive. The email asked the recipients to click on a link to update their passwords. Clicking the link took them to a webpage with user input fields where they typed in their existing passwords.
This was a real-life example of a spear phishing attack on Google. The hackers fooled the unsuspecting employees by using the actual name of an executive in the phishing email. The phishing site was accurate enough to convince the employees to type their credentials in. The passwords were stolen. But Google was quick to detect the attack and prevented any major damage.
Not every target of social engineering attacks is as quick to react and remediate as Google. In 2019, Facebook employees faced a similar attack. They also typed their credentials into a phishing site resembling the Facebook login page. This breach resulted in the personal information of 50 million users being stolen.
Both attacks are examples of social engineering – they involved pretexting and spear phishing to manipulate high-value targets into divulging sensitive information. Both companies discussed here adopted stricter security policies to prevent social engineering attacks. Small businesses need to be equally proactive in securing employees and assets against the different forms of social engineering.
The potential impact of social engineering attacks on a business
This section will shed light on the damage dealt by hackers employing social engineering tactics. We shall discuss how different aspects of a business can suffer from such an attack and what it could mean for the business’s future.
Socially engineered attacks exploit human psychology to bait employees into sharing private information, or to manipulate them into downloading a malware payload when they click on a link or open an attachment. Either way, a small human error can escalate into a major data breach in which financial information, PII of customers and employees, and other confidential information, including but not limited to trade secrets and intellectual property, may be stolen, destroyed, or encrypted.
A business may suffer financial losses from multiple directions in the aftermath of an attack. The nature of the attack, the number of affected individuals, and the security measures in place prior to the attack all play a role in the financial losses. Moreover, the reputational damage following the attack can greatly impact a company’s revenue stream.
Losses through theft or fraudulent transactions
If social engineers can convince employees with privileged access to a company’s financial systems to share their credentials, they might be able to steal money directly.
Hackers may also pretend to be a vendor that has provided a service to the target company and convince the latter to wire money to a fraudulent account.
Losses in penalties
The business might have to pay hefty penalties if a social engineering attack leads to a data breach that violates data privacy regulations like the GDPR. The average penalty levied under the GDPR for a data breach is 2.3 million euros.
Losses through business downtime
If an attack leads to business downtime, it may result in heavy financial losses. The average cost of business downtime caused by a cyberattack is $9000 per minute.
The financial burden of launching an investigation
If a security incident involves the loss, alteration, or unlawful disclosure of personal information, the targeted business has 72 hours from the discovery of the incident to conduct an investigation and file a report with the regional supervisory authority – the Information Commissioner’s Office (ICO) in the UK, and The Data Protection Agency in Denmark. Such investigations cost money – fees of security experts and legal teams, among other things.
Reputational damage and loss of trust
The target of a social engineering attack almost invariably loses its reputation. If a data breach is involved, customers lose trust in the business. If the attack causes business downtime and operational glitches, the business loses reliability among clients.
Impact of social engineering attacks on productivity
Both unsuccessful and successful social engineering attacks can affect the productivity of a business. On average, a business is targeted with a socially engineered attack every 12 hours. Even if such attacks fail, they keep employees guessing. Without clear policies and procedures to prevent social engineering attacks, employees are often perplexed by quid-pro-quo attacks, vishing, and spear phishing attacks. It breaks their rhythm and reduces their productivity.
In cases where cybercriminals succeed in implanting malicious software through social manipulation, businesses may face severe operational damage – in case hackers gain remote access to critical systems – and may have to direct valuable resources toward handling the incident instead of focusing on business operations.
Strategies to prevent social engineering attacks
While this article cannot provide a detailed guide to understanding and preventing social engineering attacks, here are some key points to consider when building a strategy to prevent social engineering-related cyber security breaches.
Security awareness training for all
Employees across departments need to learn how to recognize social engineering tactics. They should also have clear guidance on how to react to phishing attempts.
Two-factor and multi-factor authentication
2FA and MFA reduce the impact of password theft by requiring one or more additional verification steps beyond the password before access to a protected account is granted.
Strict instructions to prevent tailgating
Every individual trying to access a secure physical space needs to be authenticated. No one holds the door for another.
Stringent access controls
Businesses must follow the principle of least privilege in terms of granting and revoking access to organizational assets. Using a third-party access management tool is highly recommended.
Mandatory use of a password manager
Simple and secure password management tools like Uniqkey can remove the human element from the authentication process with features such as automated employee login, thus paralyzing all social engineering attempts against employees or employers.
Try Uniqkey for free now to neutralize social engineering attacks against your business once and for all.