The extrapolated total annual cost of phishing for the average organization is more than $3.7 million, a number that could be shaved down by $1.8 million with the right training, according to findings in a recent report.
More than 375 IT and IT security practitioners in U.S. organizations were surveyed in “The Cost of Phishing & Value of Employee Training” report, which was conducted by Ponemon Institute and sponsored by Wombat Security Technologies.
In a Wednesday email correspondence, Joe Ferrara, Wombat's president and CEO, told SCMagazine.com that the biggest financial hit from phishing attacks comes from loss of productivity. According to the report, productivity losses from phishing account for more than $1.8 million.
“This is not only productivity loss for IT-related personnel, but also for the people that were phished while their machine is remediated, reimaged and recertified,” Ferrara said. The report noted that employees waste an average of roughly four hours annually due to phishing scams.
Other phishing expenses included just more than $1 million for the cost of credential compromises that are not contained, about $381,000 for the cost to contain credential compromises, roughly $338,000 for the cost of malware not contained, and approximately $208,000 for the cost to contain malware.
Training that helps employees spot phishing attacks and other related threats could help cut down costs by nearly $2 million, the report showed. Ferrara said that a continuous training methodology provides the best learning retention and results within an organization.
All companies should "use a continuous training approach that uses a repeating cycle of assessing vulnerability and knowledge, educating with engaging content, reinforcing the correct behaviors, and measuring throughout the cycle," he recommended. "This enables practitioners to look at results against initial baselines and trend progress over time while adjusting education to target the problem areas.”
