Organizations spend a significant amount of money on security tools. All of the firewalls and antimalware solutions in the world, though, offer little protection against a phishing attack that tricks an authorized user into downloading malicious software or compromising credentials. Phishing attacks are becoming more effective and more costly as time goes on.
The Ponemon Institute recently published a report titled Cost of Phishing and the Value of Employee Training that illustrates the concerning trends behind phishing. Ponemon researchers surveyed 377 IT and IT security professionals from organizations throughout the United States to learn more about the financial consequences of phishing scams and the financial impact phishing has on employee productivity. Nearly 40 percent of survey respondents represent companies of 1,000 or more employees.
The report breaks the cost of a phishing attack into several elements, both direct and indirect. Ponemon weighed the cost to contain malware, the cost of malware that is not contained, lost productivity, the cost to contain credential compromises, and the cost of credential compromises that are not contained. The report concludes, “Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in our sample totals $3.77 million.”
$3.77 million? Does your organization have $3.77 million of its annual budget allocated to defending against phishing attacks, or a spare $3.77 million lying around with nothing better to do?
The most expensive component is lost employee productivity, which includes the time it takes to view and reject phishing emails as well as the time spent remediating a successful phishing attack. According to Ponemon, lost productivity makes up 48 percent of the total.
Based on the survey results, Ponemon determined that the average employee devotes just over 4 hours per year to phishing-related activities. The report extrapolates that to a cost of over $1.8 million per year, but that figure rests on assumptions about the size of the organization and the average hourly cost of an employee. The figure could be higher or significantly lower for your organization. A more useful number is the estimate itself: take 4 hours of lost productivity per employee per year, multiply by your headcount and your average loaded hourly cost, and you have a rough financial impact figure for your own organization.
The bottom line is that defending against phishing attacks and dealing with the fallout of successful phishing scams is expensive. Thankfully, there are some things you can do to minimize those costs.
First of all, you should have a spam filter capable of sifting out the vast majority of phishing emails. The more phishing emails you can keep out of employees’ inboxes, the less time those employees spend viewing and deleting them, and the less risk your organization faces from an employee falling victim to a phishing attack. No filter catches everything, though, so filtering reduces the exposure rather than eliminating it.
You should also conduct security awareness training for your users. Make sure they understand what a phishing attack is and that they know what to look for to avoid suspicious emails and phishing scams.
If you can minimize the number of phishing emails that reach the end user in the first place, and you have employees who are trained to recognize and avoid the ones that get through, you can greatly reduce the financial impact that phishing has on your organization.