
Report: phishing training could cut damage costs by $1.8M

A new report breaks down the potential costs associated with a phishing breach and claims that phishing training could cut those costs by as much as $1.8 million.

A new report from Ponemon Institute LLC, The Cost of Phishing & Value of Employee Training, has put the yearly costs of phishing breaches for the average enterprise at nearly $3.8 million.

The report, sponsored by Pittsburgh-based security awareness training company Wombat Security Technologies, breaks down the cost of phishing attacks into five parts: containing the malware, remediating uncontained malware, productivity losses, containing credential compromises and remediating uncontained credential compromises. Ponemon estimates that the cost of these five steps adds up to $3.77 million per year for the average organization, but phishing training could reduce those costs by as much as $1.8 million per year.

The most costly part of a phishing attack by far, according to Ponemon, is loss of productivity at 48% of the total cost. Ponemon estimated that while 33% of employees lose less than one hour to phishing scams per year, the overall average loss due to phishing is 4.16 hours per employee, per year. Based on the average hourly rate for non-IT users of $45.80, which Ponemon calculated in a different study earlier this year, that equates to $1.82 million in lost productivity.

The second most expensive part was the cost of remediating credential compromises that were not contained. Although Ponemon estimated the likelihood of data exfiltration or business disruptions due to credential compromises to be 0.4% and 0.9%, respectively, the maximum damages for each made average costs quite high.

Ponemon put the maximum cost of data exfiltration at $105.9 million, and losses from business disruptions -- including denial of service, damage to IT infrastructure and revenue losses -- at $66.3 million. So, even with the low likelihood of these damages, the average cost still came out to be just over $1 million per year.

However, Ponemon said there is a way to drastically cut these potential damage costs: employee training. Ponemon studied six companies that had implemented phishing training programs for employees and found that the long-term average net improvement per organization was 47.75%. Assuming this average improvement, organizations could save up to $1.8 million on phishing costs, the report concludes.

Other experts have said the blame for phishing attacks should not be placed squarely on the user, but should be seen as failures both for users and IT. Rick Holland, principal analyst for security and risk management at Forrester Research Inc., based in Cambridge, Mass., said the user should be the last line of defense, and organizations should hold email security vendors accountable for not catching attacks before they reach users.

Joe Ferrara, president and CEO of Wombat Security Technologies, said organizations should be building a security culture where all employees are encouraged to make secure behaviors a priority.

"We believe that most phishing attacks are successful because of risky employee behaviors," Ferrara said. "As organizations provide positive reinforcement to users who identify, avoid and report potential and actual attacks, the culture of secure behaviors will grow -- and so will an organization's defense against phishing."


Join the conversation

4 comments


Has your organization had phishing or security awareness training? If so, what was the result?
We've had a couple of phishing tests done by the security team, and the rate of users clicking on phishing emails was much lower after they provided some mandatory training. 
How often do you perform the training?
It's definitely not bulletproof, but training is not very difficult or time-consuming, so it sounds like it is definitely worth the effort.