Phishing attacks cost US businesses $14.8m annually: Ponemon Institute

The findings of a new research on the cost of phishing were revealed by Proofpoint and the Ponemon Institute. According to the research, the cost of phishing attacks has nearly tripled in the last six years, with major US firms losing an average of $14.8 per year (or $1,500 per employee), up from $3.8m in 2015.

According to the study, which surveyed nearly 600 IT and IT security practitioners, the most expensive threats to businesses include business email compromise (BEC) and ransomware attacks. However, the consequences to organisations extend far beyond the funds transferred to the attackers.

“When people learn that an organisation paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 per cent of the cost of a ransomware attack,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”

Credential compromise (credential theft) generally precedes attacks like BEC and ransomware, usually in the form of an employee being “phished” into giving up their login credentials.

Other key findings from the 2021 cost of phishing report include loss of productivity which is one of phishing’s costliest outcomes. This equates to 63,343 lost hours per year in a typical US business of 9,567 employees. Due to phishing scams, each employee wastes an average of seven hours each year, up from four hours in 2015. In addition, BEC costs a major organisation about $6m each year. While ransomware costs major businesses $5.66m per year, security awareness training cuts phishing costs by more than half on average.

Emile Abou Saleh, regional director, Middle East and Africa for Proofpoint, added: “In the Middle East, our recent research revealed that CISOs in the UAE and KSA feel at a risk of suffering material cyberattacks in the next 12 months, with phishing being a concern for nearly one third of CISOs. It is therefore crucial for organisations in the Middle East to build a culture of cybersecurity among their employees by putting in place cybersecurity awareness training to understand how security policies affect their day-to-day work.”

“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, executive vice president of cybersecurity strategy, Proofpoint. “Until organisations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”

Earlier this month, Proofpoint released its annual human factor report, which examines three primary elements of user risk—vulnerability, attacks, and privilege—as well as how the exceptional events of 2020 shifted the threat environment.

Read: Human factor report reveals how 2020 transformed today’s threat landscape

According to the research, ransomware was omnipresent, with more than 48 million messages containing malware capable of being used as an entry point for ransomware attacks. Email remains a crucial part of these attacks, serving as the route through which much of the first-stage malware used to download ransomware is distributed.

Credential phishing—both consumer and corporate—was by far the most common form of cyberattack, accounting for two-thirds of all malicious messages.

Of all phishing methods, attachment proved the most successful, with an average of one in five users clicking.