Phishing is a $3.7-million annual cost for average large company

The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks

The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks, according to a new report from the Ponemon Institute.

The report, which surveyed 377 IT professionals in companies ranging in size from less than 100 to over 75,000 employees, showed that about half of the costs were due to productivity losses.

The average employee wastes 4.16 hours a year on phishing scams.

In addition, 27 percent of the costs reflected the risk of having to respond to a data breach caused by a compromised credential, 10 percent the direct costs of addressing compromised credentials, 9 percent the risk of a data breach caused by malware, and the remaining 6 percent the direct costs of containing malware.

"Everyone understands the cost of a breach, and one of the biggest threat vectors is phishing," said Joe Ferrara, CEO at Wombat Security Technologies, which sponsored the report.

According to the latest Verizon data breach report, phishing is the second most common threat vector, implicated in around a quarter of all data breaches last year.

"But I don't think anyone really had a handle on all the costs layered into it," said Ferrara.

But the Ponemon report wasn't all bad news. Companies can substantially reduce their phishing-related costs with employee education, such as the automated training offered by Wombat, which was spun off from Carnegie Mellon's CyLab cyber security research center.

Companies that roll out training programs see improvements of between 26 and 99 percent in their phishing email click rates, with an average improvement of 64 percent, according to Ponemon.

Adding in a 25 percent drop in retention, Ponemon calculated a phishing-related cost savings of $188 per user for the average company.

This translates to $77 per user for the lowest-performing training program.

At a cost of less than $4 per employee, that results in a 20-fold return on investment over a year from the worst-performing training program, and a 50-fold return from the average program.

This calculation does not include the training time, however. According to Ferrara, it takes a user about 30 minutes to go through all three of the company's anti-phishing training modules, and the "teachable moment" of interacting with a simulated phishing email is under a minute.

With that adjustment, the total savings drops to around $137 for the average training program, and $24 for the least effective one, making for a 37-fold and seven-fold return on investment, respectively.

"The important thing to keep in mind is that the potential loss after a phishing attack is far greater and far more devastating than just the loss of productivity," Ferrara added.

A good way to get employees motivated to do the training is to first run a simulated phishing attack, said Ferrara.

Not only does that provide a baseline metric for how often phishing emails are clicked on, but it also demonstrates to employees that they are vulnerable.

"We had a customer who ran a simulated attack against their IT organization and they had a huge failure rate -- it was a real eye-opener for them -- more than 50 percent of the people failed," said Ferrara. "We used that as motivation to get them to take training. As long as you don't hammer them over the head or belittle them, you can get a great response."

Stories by Maria Korolov