A new report from Ponemon Institute LLC, The Cost of Phishing & Value of Employee Training, has put a number on the yearly costs of phishing breaches for the average enterprise at nearly $3.8 million.
The report, sponsored by Pittsburgh-based security awareness training company Wombat Security Technologies, breaks down the cost of phishing attacks into five parts: containing the malware, remediating uncontained malware, productivity losses, containing credential compromises and remediating uncontained credential compromises. Ponemon estimates that the cost of these five steps adds up to $3.77 million per year for the average organization, but phishing training could reduce those costs by as much as $1.8 million per year.
The most costly part of a phishing attack by far, according to Ponemon, is loss of productivity at 48% of the total cost. Ponemon estimated that while 33% of employees lose less than one hour to phishing scams per year, the overall average loss due to phishing is 4.16 hours per employee, per year. Based on the average hourly rate for non-IT users of $45.80, which Ponemon calculated in a different study earlier this year, that equates to $1.82 million in lost productivity.
The second most expensive part was the cost of remediating credential compromises that were not contained. Although Ponemon estimated the likelihood of data exfiltration or business disruptions due to credential compromises to be 0.4% and 0.9%, respectively, the maximum damages for each made average costs quite high.
Ponemon put the maximum cost of data exfiltration at $105.9 million, and losses from business disruptions -- including denial of service, damage to IT infrastructure and revenue losses -- at $66.3 million. So, even with the low likelihood of these damages, the average cost still came out to be just over $1 million per year.
However, Ponemon said there is a way to drastically cut these potential damage costs: employee training. Ponemon studied six companies that had implemented phishing training programs for employees and found that the long-term average net improvement per organization was 47.75%. Assuming this average improvement, organizations could save up to $1.8 million in phishing costs, the report concludes.
Other experts have said the blame for phishing attacks should not be placed squarely on the user; such attacks should instead be seen as failures of both users and IT. Rick Holland, principal analyst for security and risk management at Forrester Research Inc., based in Cambridge, Mass., said the user should be the last line of defense, and organizations should hold email security vendors accountable for not catching attacks before they reach users.
Joe Ferrara, president and CEO of Wombat Security Technologies, said organizations should be building a security culture where all employees are encouraged to make secure behaviors a priority.
"We believe that most phishing attacks are successful because of risky employee behaviors," Ferrara said. "As organizations provide positive reinforcement to users who identify, avoid and report potential and actual attacks, the culture of secure behaviors will grow -- and so will an organization's defense against phishing."