Ironscales has published research identifying the cost to businesses of phishing.
Ironscales published a report this week, conducted by Osterman Research, that details the cost of phishing to businesses. The study's stated purpose is to investigate "direct costs borne by organizations in mitigating the phishing threat, and to explore expectations about how phishing will change over the next 12 months."
Phishing threats to businesses include loss of account credentials, business email compromise, and compromise of corporate data. The research reports that threat levels are currently lower than they were 12 months ago but are expected to rise again over the next year. Respondents said several dimensions of phishing attacks either worsened or stayed the same over the past year: 82% said the number of phishing attacks increased or stayed the same, 80% said the sophistication of phishing attacks increased or stayed the same, and 79% said the ability of phishing attacks to bypass their current detection mechanisms increased or stayed the same.
The cost of phishing to businesses is not only direct financial loss; security and IT teams must also spend staff time triaging and remediating phishing attempts and attacks. 70% of organizations report spending 16 to 60 minutes on each phishing email, from discovery to removal. The research modeled a composite IT and security professional costing $136,528 per year in salary and benefits; with an average of 27.5 minutes spent per phishing email, it puts the cost of handling a single phishing email at about $31.32. IT and security professionals also reported that phishing-related activities took up about one third of their working time, which for the composite professional equates to roughly $45,726 per year.
Most organizations expect phishing to increase over the next 12 months. Phishing has also expanded beyond email: at least half of respondents report seeing phishing attacks delivered through messaging apps, cloud-based file sharing platforms, and text messaging services. This spread across channels increases both the volume and the sophistication of phishing threats and demands more time from IT and security personnel.