Analysing Business Disruption

more steps

Analysing Business DisruptionLooking at Unit 42's social engineering report
͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     ͏     
Forwarded this email? Subscribe here for more
Analysing Business Disruption
Looking at Unit 42's social engineering report
Austin Miller
Nov 14 

READ IN APP

Digging into the abstract details of what constitutes social engineering is good for those people who want to sit around analysing, typing up reports, and then waiting for applause. As you can imagine, that’s a tempting idea for the person who writes a newsletter—believe me. However, there is another step (or, more properly, more steps) after that point before we really get into the useful stuff; before we’re actually helping people to do their jobs.
With that in mind, we should think about making our analysis concrete: what does it mean when we talk about all these social engineering attacks, all these devilishy intelligent adversaries, and all these innovative modes for undermining security? How do we communicate that to the average Joe or, even better, the person who controls the purse strings? Well, we speak in their language: how does this actually affect business operations and how is the bottom line affected?
Setting up to understand Business disruption
This, as the name suggests, is the effect on an organisation’s operations when an attack causes interruption of critical services or an impact on overall performance. It means that the business cannot carry on as usual — systems may go offline, customers may not be served and partners may be unable to connect. Unit 42 states that “other incidents interrupted critical services or affected overall organisational performance” in the context of social-engineering attacks.
High-touch social engineering is not exclusive to cybercriminal groups. Nation-state actors have long relied on human-first tradecraft to achieve strategic access, whether for espionage, surveillance or geopolitical disruption. Recent campaigns show that state-aligned intrusions increasingly mirror the same identity-centric methods seen in financially motivated operations.
Iran-affiliated Agent Serpen impersonated trusted institutions, often delivering malware via spoofed emails that mimicked legitimate document-sharing workflows.
North Korean actors have developed a distinct variation of high-touch compromise known as synthetic insiders. These campaigns involve attackers posing as job applicants, using fabricated curriculum vitae (CVs) and professional personas to secure remote employment in target organizations.
Sensitive data exposure
This factor focuses on the outcome of the attack with respect to data. The report says “over half of social engineering incidents led to sensitive data exposure.” That means that as a consequence of the social-engineering attack the adversary accessed or exposed confidential or sensitive information — whether via exfiltration, credential theft, or unauthorised system access. According to Unit 42, “social engineering attacks led to data exposure in 60% of cases” — which is significantly higher than the rate for all attacks.
Social engineering attacks led to data exposure in 60% of cases, according to our IR data. That is 16 percentage points higher when we consider cases overall. This includes:
Direct exfiltration
Indirect exposure through credential theft
Unauthorized access to internal systems
Deployment of infostealers and remote access Trojans
High-speed attacks designed to deliver high financial returns with minimal infrastructure or risk
Here the report emphasises that social-engineering attacks are attractive to adversaries because they can launch them quickly, with less need for heavy technical infrastructure (such as advanced malware campaigns or zero-day exploits). They exploit human factors, trust, and established processes. The outcome is a method that yields high returns (monetary gain, data resale, extortion) while keeping risk and overhead relatively low. The report states these attacks “are designed to deliver high financial returns while requiring minimal infrastructure or risk.”
Unit 42 is pointing out that social-engineering attacks are increasingly disruptive, frequently lead to data exposure, and efficient from the attacker’s perspective. In a strange turn of events, some efforts to curb the rise of social engineering attacks has actually led to greater innovation and adaptability from those adversarial elements in the cyber-landscape—which can only mean, ironically, that what first appeared as steps forward have, indeed, become steps back.
How is the industry reacting to this?
Firstly, let’s pause to take stock of what Unit 42 claims is the case:
The report states that in social-engineering attacks they observed a data-exposure rate of about 60% (for social engineering) compared with about 44% for all attacks.
It also highlights that these attacks are increasingly used as an initial access vector, with social engineering being common.
For business disruption overall, the broader Unit 42 IR report states that in 2024, 86% of incidents they responded to involved some kind of business disruption (operational downtime, reputational damage or otherwise).
But what is everyone else saying today? Is this really the state of play? We turn to some other sources to dig into the details.
Firstly, we want to assess the claim about the effectiveness of social engineering attacks. According to a recent summary of social engineering statistics (Secureframe), “86% of social-engineering incidents caused business disruption such as downtime or reputational damage.” To say the very least, it appears that the adversary has found a simple and effective way to undermine standard operations. Similarly, the World Economic Forum Global Cybersecurity Outlook 2025 reported that there was a sharp increase in phishing and social engineering attacks, with about 42% of organisations reporting such incidents in 2024. 
Academic research into cyber-related losses seems to largely agree, establishing that phishing, spoofing and other social engineering practices showed substantial growth rates, and that data breaches and unauthorised disclosures remain significant sources of loss across sectors.
Taking stock
The Unit 42 figure of ~60% data exposure for social-engineering attacks is credible when compared to the broader landscape, although many public sources do not always separate social engineering from other vectors. The Secureframe figure citing 86% disruption aligns with the Unit 42 disruption rate of 86% for all incident responses (though that is not limited to social engineering). What is clear from both Unit 42 and external data is that social engineering is a very effective and rising threat vector, particularly for generating disruption and data exposure.
One caveat: Unit 42’s data comes from incident responses that their team handled, which may skew toward more serious or high-impact cases, so the exposure/disruption rates may be higher than in the general population of incidents. Also, other surveys may report lower incidence rates for social engineering (for example, the WEF survey’s 42% of organisations reporting phishing/social engineering incidents,) which suggests the threat is widespread but perhaps not uniformly severe.
Another point: The notion of “high speed” attacks is supported by Unit 42 qualitative commentary (for example, they noted some compromises moved to exfiltration within hours), though quantitative external benchmarks are fewer in public literature. One Palo Alto podcast mentioned that in 25% of IR cases, from compromise to exfiltration of sensitive info was under five hours.
The Unit 42 data is consistent in direction with industry trends: social engineering is increasingly used, leads to high rates of data exposure and business disruption, and offers strong return on investment to adversaries. The quantitative values (60% exposure, 86% disruption) appear plausible, though one must remember they come from a subset of incidents handled by a particular IR group and thus may represent higher-impact cases than average.
Solutions for these problems
Given the three factors above (business disruption, data exposure, and efficient attacker model), here are solutions organisations can apply to address them:
Improve human-factor resilience
Since social engineering exploits human behaviour and trust, organisations must strengthen the human element in security. That means regular awareness training that goes beyond phishing simulations to include impersonation, voice/fake-call attacks, help-desk manipulation, and emerging AI-based lures. Also, fostering a culture where employees feel comfortable verifying unusual requests (e.g., via a separate channel) rather than complying because they believe they are speaking to a trusted person.
Implement stronger access controls and privilege management