Understanding Each Link of the Cyberattack Impact Chain
2023-12-6 22:0:41 Author: securityboulevard.com

It’s often difficult to fully appreciate the impact of a successful cyberattack. Some consequences are clearly quantifiable, such as the size of a ransom paid. But other consequences aren’t so obvious – from a loss of customer trust and potential business to stolen data that may surface as part of another cyberattack years later. These are all elements of a cyberattack’s impact chain, which starts with the initial breach and frequently has no clear endpoint.

Cyberattacks have an array of potential causes and effects. Whether an employee falls for a phishing email or hackers crack a password, a single vulnerability can cause a devastating cyberattack that severely disrupts operations and customer experiences. One of the security team’s core responsibilities is clearly communicating these stakes to all employees – regardless of their technical background. This means demonstrating the causes and effects of real-world cyberattacks, showing employees which attack vectors and psychological vulnerabilities cybercriminals exploit and developing individual behavioral interventions to ensure that employees are learning what they need to know.

Cybersecurity is everyone’s responsibility, from the C-suite to the entry-level. By explaining the impact chain of potential cyberattacks with cybersecurity awareness training (CSAT), CISOs and other security leaders will help employees understand what’s at risk and how important they are to keeping the organization safe. This won’t just save companies from debilitating financial consequences – it will also maintain consumer trust, prevent job losses stemming from lost business and help employees protect themselves in the office and at home.

The Wide-Ranging Consequences of Cyberattacks

In September, MGM Resorts announced that it had been targeted by a cyberattack that knocked out websites for many of its properties, shut down its booking system and disrupted many customer-facing operations – from digital room keys to ATMs and slot machines. Beyond the immense and immediate frustration for many customers (some of whom had to line up for hours to receive keys), MGM also disclosed that hackers had accessed sensitive data such as Social Security Numbers, passport and driver’s license details and contact information.

The cybercriminals who launched the MGM attack used a social engineering technique called vishing, in which a hacker impersonates a real person on the phone to steal credentials and gain access to an organization’s network. Hackers found an MGM employee’s information on LinkedIn and used it to manipulate someone on the IT desk into helping them acquire credentials and infiltrate the company’s secure network. Phishing is the most common and second-most financially destructive initial attack vector – costing companies an average of $4.76 million per breach – and vishing is an increasingly effective subcategory of these attacks.

MGM expects that the September 2023 attack will cost around $100 million in lost profit. This is yet another powerful reminder that cyberattacks can have a crippling impact on everything from customer experiences and internal processes to the bottom line.

Cybercriminals Only Need One Entry Point

There are many examples of cybercriminals breaking into secure networks after gaining a single foothold, and employees are often responsible for providing initial access. In MGM’s case, an employee was fooled into providing hackers with login credentials. When Uber was hacked last year, a single contractor was responsible for the breach. After the contractor’s credentials were compromised by malware, cybercriminals sent a salvo of authentication requests, one of which the victim eventually accepted.
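The Uber incident above describes an attacker who already holds a valid password and simply floods the victim with MFA push prompts until one is accepted. Identity-provider logs record that pattern, so it can be flagged. The following is an added example, not code from the article or from Uber, and the log format, field names and sample events are constructed for illustration: it parses a small constructed push-notification log and raises an alert when an approval follows a burst of prompts that the user had already denied or let time out.

```python
"""Detect an MFA push-fatigue pattern in authentication logs (added example).

The log format below is constructed for this illustration; real identity
providers use their own field names, so the parser would be adapted.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <source_ip>" per line.
# alice receives six prompts in eight minutes, rejects or ignores five, then
# approves the sixth; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2023-09-01T02:10:03Z alice push_sent 203.0.113.7
2023-09-01T02:10:31Z alice push_denied 203.0.113.7
2023-09-01T02:11:05Z alice push_sent 203.0.113.7
2023-09-01T02:12:05Z alice push_timeout 203.0.113.7
2023-09-01T02:12:10Z alice push_sent 203.0.113.7
2023-09-01T02:12:40Z alice push_denied 203.0.113.7
2023-09-01T02:14:00Z alice push_sent 203.0.113.7
2023-09-01T02:15:00Z alice push_timeout 203.0.113.7
2023-09-01T02:16:20Z alice push_sent 203.0.113.7
2023-09-01T02:16:45Z alice push_denied 203.0.113.7
2023-09-01T02:18:12Z alice push_sent 203.0.113.7
2023-09-01T02:18:40Z alice push_approved 203.0.113.7
2023-09-01T09:02:11Z bob push_sent 198.51.100.20
2023-09-01T09:02:25Z bob push_approved 198.51.100.20
"""

REJECTED = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse log lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Return one alert per approval that was preceded, within `window`, by at
    least `min_prompts` push prompts of which at least one was denied or timed
    out. A user who approves the first prompt never triggers an alert, which
    keeps ordinary logins quiet."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, kind, ip) in enumerate(evs):
            if kind != "push_approved":
                continue
            # Only look at this user's earlier events inside the time window.
            recent = [e for e in evs[:i] if ts - e[0] <= window]
            prompts = sum(1 for e in recent if e[2] == "push_sent")
            rejected = sum(1 for e in recent if e[2] in REJECTED)
            if prompts >= min_prompts and rejected >= 1:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prompts": prompts,
                    "rejected": rejected,
                    "source_ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_events(SAMPLE_LOG)):
        print("possible MFA push fatigue:", alert)
```

The thresholds (`window`, `min_prompts`) are assumptions to tune against a tenant's normal prompt rate; the useful follow-up action is to treat the approved session as suspect and contact the user out of band, which is exactly the conversation awareness training prepares employees to expect.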

According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches are caused by a human element – from privilege misuse and stolen credentials to errors and social engineering. CSAT is essential for employees at every level of the company because they’re all potential targets for cybercriminals. While untrained employees are a company’s biggest cybersecurity liability, a well-trained workforce provides the most robust, distributed and adaptive defense network against evolving cyberthreats. IBM reports that employee training is among the most effective ways to reduce the financial impact of a cyberattack – more so than cybersecurity insurance, threat intelligence or even encryption.

Employees pose significant risks at every link of the cyberattack impact chain – just as training reduces the total costs of data breaches, a security skills shortage is a major factor in increasing these costs. Building these skills requires organization-wide training, which adapts to changing circumstances (such as the increasing use of AI in cyberattacks), focuses on each employee’s unique psychological profile, and maintains engagement with highly relevant and entertaining content. Companies that adopt comprehensive CSAT won’t just mitigate the financial consequences of cyberattacks – they’ll identify and prevent many of those attacks before the damage is done.

Understanding the Entire Cyberattack Impact Chain

There are two ways to assess the cyberattack impact chain: Causes and effects. To build stakeholder support for CSAT, CISOs have to show the board how much damage cyberattacks are capable of causing. Beyond the fact that the average cost of a data breach reached an all-time high of $4.45 million in 2023, there are many other repercussions: Disrupted services and operations, a loss of customer trust and a heightened risk of future attacks. CSAT content must inform employees about the effects of cyberattacks to help them understand the risks companies face.

It’s even more important for company leaders and employees to have a firm grasp on the causes of cyberattacks. Cybercriminals are experts at exploiting employees’ psychological vulnerabilities – particularly fear, obedience, craving, opportunity, sociableness, urgency and curiosity – to steal money and credentials, break into secure systems and launch cyberattacks. Consider the MGM attack, which relied on vishing – one of the most effective social engineering tactics, as it allows cybercriminals to impersonate trusted entities to deceive their victims.

Vishing attacks leverage many of the vulnerabilities listed above. When cybercriminals impersonate authority figures to threaten and coerce employees, these attacks exploit their fear, obedience and sense of urgency. Psychological susceptibilities like these are critical links in the cyberattack impact chain, so they must be addressed with consistent and effective CSAT. It isn’t enough for CISOs and other company leaders to inform employees about the most urgent cyberthreats they face and hope for the best. CSAT has to be operationalized around personalization, engagement and accountability. Each employee’s specific behavioral patterns must be addressed; content should be clearly connected to employees’ individual roles, the tactics cybercriminals deploy and the most effective defense mechanisms; and companies should consistently track employee performance and conduct organization-wide assessments of their cybersecurity readiness.

When companies focus on the full cyberattack impact chain, they will have a better understanding of why cyberattacks succeed and what risks they pose. While this awareness helps CISOs, company leaders, and employees prepare for the potential aftermath of a cyberattack, it serves a more fundamental purpose: It stops cyberattacks from succeeding in the first place.

Article source: https://securityboulevard.com/2023/12/understanding-each-link-of-the-cyberattack-impact-chain/