US companies lose $14.8 million annually to phishing attacks
But business email compromise (BEC) and ransomware attacks remain the most expensive threats
The new study by Ponemon Institute found that the most expensive threats to businesses include business email compromise (BEC) and ransomware attacks. However, in BEC attacks, payments to hackers made up less than 20% of the total costs.
The survey of IT security practitioners found loss of productivity was one of phishing’s costliest outcomes. In an average-sized US corporation of 9,567 people, this translates to 65,343 wasted hours every year. Each employee loses an average of seven hours annually due to phishing scams, an increase from four hours in 2015, according to the study.
The Cost of Phishing report also found that the costs for resolving malware infections have more than doubled since 2015. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.
BEC costs organizations an average of $5.96 million annually — only $1.17 million of that is paid directly to BEC attackers. The report added that BEC attacks could result in losses of up to $157 million from business disruptions if organizations aren’t prepared. Malware resulting in data exfiltration could cost businesses $137.2 million.
The report also found the average cost of ransomware last year was $5.66 million, and 17.6% of those attacks stemmed from phishing. The report said employee training and awareness programs on the prevention of phishing attacks can reduce costs. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.
The survey also found that credential compromises have increased, forcing organizations to spend more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period, the report said.
Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, said with threat actors now targeting employees instead of networks, credential compromise has exploded, “leaving the door wide open for much more devastating attacks like BEC and ransomware.”
“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue,” Kalember added.