Connecting the Dots: The Human Factor and the Cost of Cybercrime

The recently published 2017 Cost of Cyber Crime Study from Ponemon Institute and Accenture delivered some sobering statistics:

  • Organizations pay an average annualized cost of $11.7 million* to deal with cybercrime (up 23% from the prior year).
  • Organizations are dealing with an average of 130 successful security breaches each year (an increase of 27% year over year).
  • The average cost of cybercrime has risen by 62% since 2013.


Though the news may come as no surprise to the infosec professionals who are battling in the cyber trenches day in and day out, these significant increases are bad news indeed: they offer a clear indication that, globally, we are losing the war on cybercrime. As the study noted, the attackers are getting smarter and more organized, and are “finding it easier to scale cybercrime globally.”

And while technology certainly plays a role in these economies of scale, the 2017 edition of The Human Factor, a report by cybersecurity company Proofpoint, offers evidence that cybercriminals are putting the big money on scaling social engineering–based attacks. In other words, they are relying more heavily on individual human actions (clicks, replies, credential entry) than on automation and opportunistic vulnerability exploits.


We dug into some of the common themes of these two reports — namely, phishing/social engineering, malware, and ransomware — to get some insight into where the two meet.

The Human Phishing Factor: By the Numbers

  • 99% of financial fraud emails relied on end-user clicks rather than automated exploits for malware installation.
  • Business email compromise (BEC) attacks accounted for 42% of financial fraud emails in 2016 (up from just 1% in 2015).
  • By the end of 2016, 99% of attachment-based phishing attacks were launched by user clicks instead of automated exploits.
  • 90% of URL-based email attacks were linked to credential phishing pages rather than exploit kits.
  • Ransomware accounts for approximately 70% of all identified malware variants in infected attachments, far outpacing all other categories combined.


The Cost of Phishing, Malware, and Ransomware: By the Numbers

Annualized Cost by Attack Type

  • Malware: $2.4 million
  • Phishing and social engineering: $1.3 million
  • Ransomware: $533,000

Annualized Cost Weighted by Attack Frequency

  • Phishing and social engineering: $106,000
  • Ransomware: $83,500
  • Malware: $6,000

Length of Time to Resolve an Attack in Days

  • Ransomware: 23.1
  • Phishing and social engineering: 20.0
  • Malware: 6.4


Attack the Human Risk to Lower Cybercrime Costs

As the Proofpoint report indicates, human actions are increasingly at the root of cybersecurity issues. And as the Ponemon report shows, the cost of those cybersecurity issues is rapidly increasing. Changing employee behaviors can help organizations reduce the costs associated with detection, investigation, remediation, and response to these successful attacks.

The key is to move the dial not only on awareness of social engineering attacks, but on identification and avoidance. Recognizing that a threat exists is not the same as having the knowledge of the cybersecurity best practices that can help prevent clicks, infections, and credential compromise.

Wombat customers that have used our industry-leading Continuous Training Methodology have experienced up to a 90% reduction in successful external phishing attacks and malware infections. Our security awareness training approach is effective because it allows organizations to build a culture of security, which is critical to making cybersecurity an organization-wide pursuit.

Large organizations worldwide — including BT — are increasingly recognizing the need to elevate the discussion, to “see cybersecurity as an opportunity, a business unit, not a cost center,” and to actively involve end users in risk management activities. A solid, ongoing commitment to end-user security awareness and training can help you reduce the number of successful attacks your organization experiences and, as a result, reduce the costs associated with incident response.


* All costs noted are in US dollars.