New research has identified a four-fold increase in costs incurred from phishing attacks over the past six years.
Cyber security firm Proofpoint and IT security research company Ponemon Institute have released the results of a new study on the cost of phishing attacks, which involved a survey of almost 600 IT and IT security practitioners.
According to the research, costs almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually ($1,500 per employee), up from $3.8 million in 2015.
The spike in attacks also resulted in a severe loss of productivity, with an average sized US corporation of 9,567 wasting an estimated 63,343 hours every year as a result of the attacks.
The research also highlights the value of enhancing the cyber security skills of a workforce, with security awareness training reducing phishing expenses by over 50 per cent on average.
“When people learn that an organisation paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 per cent of the cost of a ransomware attack,” Larry Ponemon, chairman and founder of Ponemon Institute, said.
“Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”
Other findings identified include:
- annual ransomware costs incurred by US organisations hit $5.66 million, of which $790,000 account for the paid ransoms themselves;
- costs for resolving malware infections have more than doubled, from $338,098 in 2015 to $807,506 in 2021; and
- the average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021;
“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, said.
“Until organisations deploy a people-centric approach to cyber security that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”
News Editor – Defence and Security, Momentum Media
Prior to joining the defence and aerospace team in 2020, Charbel was news editor of The Adviser and Mortgage Business, where he covered developments in the banking and financial services sector for three years. Charbel has a keen interest in geopolitics and international relations, graduating from the University of Notre Dame with a double major in politics and journalism. Charbel has also completed internships with The Australian Department of Communications and the Arts and public relations agency Fifty Acres