The large, less obvious costs of phishing attacks on organisations - report
Cybersecurity and compliance company Proofpoint and the Ponemon Institute, an IT security research organisation, have released the results of a new study on the cost of phishing.
The report finds the cost of phishing attacks has almost quadrupled over the past six years, with large U.S. companies losing an average of $14.8 million annually (or $1,500 per employee), up from $3.8 million in 2015.
The study, which surveyed nearly 600 IT and IT security practitioners, found the most expensive threats to businesses include BEC and ransomware attacks. It also found the costs extend far beyond the funds transferred to attackers.
"When people learn an organisation paid millions to resolve a ransomware issue, they assume that fixing it cost the company only the ransom," says Ponemon Institute chairman and founder, Larry Ponemon.
"We found that ransoms alone account for less than 20% of the cost of a ransomware attack. Because phishing attacks increase the likelihood of data breaches and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.
Credential compromise (credential theft) typically precedes attacks like BEC and ransomware, often in the form of an employee being "phished" into giving up their login credentials. According to the Anti-Phishing Working Group (APWG), phishing is a crime employing both social engineering and technical subterfuge to steal personal identity data and financial account credentials. The APWG estimating phishing attacks doubled in 2020 alone.
Some key findings from the report include:
- Loss of Productivity. For an average-sized U.S. corporation, this translates to 63,343 wasted hours every year. Each employee wastes an average of seven hours annually due to phishing scams, an increase from four hours in 2015.
- Business Email Compromise. This costs nearly $6 million annually for a large organisation. Of that, illicit payments made annually to BEC attackers are $1.17 million.
- Ransomware annually costs large organisations $5.66 million. Of that, $790,000 accounts for the paid ransoms.
- Security Awareness Training reduces phishing expenses by more than 50% on average.
- Costs for resolving malware infections have more than doubled since 2015. The average total cost to resolve a malware attack is $807,506 in 2021, an increase of $338,098 in 2015.
- Credential compromise costs have increased dramatically since 2015. As a result, organisations are spending more to respond to these attacks. The average price to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organisations experienced an average of 5.3 compromises over 12 months.
Proofpoint says business leaders should pay attention to probable maximum loss scenarios. For instance, BEC attacks could incur losses from business disruptions of up to $157 million if organisations aren't prepared. Malware resulting in data exfiltration could cost businesses up to $137 million.
"Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware," says Proofpoint executive VP of cybersecurity strategy, Ryan Kalember.
"Until organisations deploy a people-centric approach to cybersecurity including security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.