Phishing is a variant form of cyberattack that all organizations and, hopefully, a majority of employees know about. However, as awareness grows, bad actors are sophisticated enough to adapt new tactics to blend in more easily and have their emails look like an exact clone of one someone might receive from Amazon, Walmart or Netflix.
The result of clicking on that link is still the same. The bad actors are granted access to important company data and credentials, which is potentially costly for organizations. That is why one-third of organizations indicate phishing is a threat or sometimes even an extreme threat due to the consequences such as loss of account credentials, business email compromise and data theft, according to “The Business Cost of Phishing.”
Handling a single phishing email comes with two costs, naturally – time and financial impact. The monetary cost is $31.32, on average, per phishing message, and around 70% of organizations in the report say they spend 16 minutes to an hour dealing with one message. To put the monetary cost into a total for the year, organizations with 25 IT and security professionals spend more than $1 million per year to handle phishing.
“Organizations of all sizes and across all geographies continue to struggle with the impact of phishing attacks,” said Ian Thomas, vice president of product marketing at IRONSCALES, which commissioned the research. “This new report quantifies this impact in terms of the time and energy required to defend against the never-ending and ever-evolving onslaught of these attacks.”
Yes, these attacks are never-ending. Most respondents expect the impact of phishing to get worse over the next 12 months, with two-thirds of organizations expecting the time spent on phishing per week for IT and security teams to stay the same or increase.
Organizations are worried because phishing messages have spread to tools other than email. These include messaging apps, cloud-based file sharing platforms and text messaging services. At least half of companies see phishing attacks in these other communication and collaboration tools, and 40 percent see them on social media, video conferencing/online meeting platforms and collaboration platforms such as Microsoft Teams and Slack.
Similar to email, they come in a form that looks legit. As phishing spreads to these new tools, IT and security professionals will spend more time addressing threats and seeking to eradicate threat actors from their other services
What can companies do to shield up against the barrage of phishing messages? First and foremost, they should gauge phishing awareness among employees using surveys and by incorporate phishing material in training materials. Companies also should use phishing simulation and training exercises to give employees practical opportunities at improving their ability to detect attacks.
For companies with a BYOD policy, update the policy to include specific tips and guidance for employees to ensure they don’t fall victim to text-based scams.
Phishing is a time-intensive and costly problem for organizations, and there is no sign of slowing down over the next 12 months as bad actors utilize more tools beyond email. Organizations that want to free up cybersecurity staff time for more strategic initiatives and reduce their expenditure on addressing phishing attacks need more capable solutions that detect and stop more phishing attacks.
Edited by
Erik Linask
