Proofpoint Inc., a cybersecurity and compliance solutions company, and Ponemon Institute, a leading IT security research organisation, have released the results of a new study on the Cost of Phishing. The report reveals that the cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of US$14.8 million annually (or US$1,500 per employee), up sharply from the 2015 figure of US$3.8 million.
According to the study, which surveyed nearly 600 IT and IT security practitioners, the most expensive threats to businesses include business email compromise (BEC) and ransomware attacks. But the costs to organisations extend far beyond the funds transferred to the attackers.
“When people learn that an organisation paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20% of the cost of a ransomware attack,” said Larry Ponemon, Chairman and Founder, Ponemon Institute. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”
Credential compromise (credential theft) generally precedes attacks like BEC and ransomware, usually in the form of an employee being "phished" into giving up their login credentials. According to the Anti-Phishing Working Group (APWG), phishing is a crime employing both social engineering and technical subterfuge to steal personal identity data and financial account credentials. The growth of phishing is not gradual: the APWG estimates that phishing attacks doubled in 2020 alone.
Other key findings from the 2021 Cost of Phishing report include:
- Loss of productivity is one of phishing's costliest outcomes. In an average-sized US corporation of 9,567 people, this translates to 63,343 wasted hours every year. Each employee wastes an average of seven hours annually due to phishing scams, an increase from four hours in 2015.
- Business email compromise costs nearly US$6 million annually for a large organisation. Of that, illicit payments made annually to BEC attackers amount to US$1.17 million. Ransomware costs large organisations US$5.66 million annually. Of that, US$790,000 accounts for the paid ransoms themselves.
- Security awareness training reduces phishing expenses by more than 50% on average.
- Costs for resolving malware infections have more than doubled since 2015. The average total cost to resolve malware attacks is US$807,506 in 2021, an increase from US$338,098 in 2015.
- Credential compromise costs have increased dramatically since 2015, and organisations are spending more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from US$381,920 in 2015 to US$692,531 in 2021. Organisations experienced an average of 5.3 compromises over a 12-month period.
- Business leaders should pay attention to probable maximum loss scenarios. For instance, BEC attacks could incur losses from business disruption of up to US$157 million if organisations are not prepared. Malware resulting in data exfiltration could cost businesses up to US$137 million.
Emile Abou Saleh, Regional Director, Middle East and Africa, Proofpoint, added: "In the Middle East, our recent research revealed that CISOs in the UAE and KSA feel at risk of suffering material cyberattacks in the next 12 months, with phishing being a concern for nearly one third of CISOs. It is therefore crucial for organisations in the Middle East to build a culture of cybersecurity among their employees by putting in place cybersecurity awareness training to understand how security policies affect their day-to-day work."
"Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide open for much more devastating attacks like BEC and ransomware," said Ryan Kalember, Executive Vice President, Cybersecurity Strategy, Proofpoint. "Until organisations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue."