Phishing, the fraudulent emails and other communications that entice users to click on malware-laden links or attachments, pay fake invoices, or update customer accounts with fraudulent information, has been around for decades, plaguing organizations even as they invest funds year after year in educating their users on how to thwart it. No matter how much is invested, there are always users who fall victim, often enabling the first step in a ransomware attack or an advanced persistent threat that leads to data theft or to company payments being diverted to fake customer accounts.
Case in point: It is highly likely that the widely publicized Colonial Pipeline ransomware attack began with phishing. The infamous attack infected several of the company’s systems and shut down the critical pipeline for several days.
Colonial Pipeline is just one extreme example. Every year, attacks like it cost organizations millions in remediation costs, lost customers, and damaged reputation, and, as in the Colonial Pipeline case, can even create a national security threat.
However, as a recent Osterman Research report, The Business Cost of Phishing, points out, there is another cost that is not often mentioned when it comes to phishing: the cost of the IT manpower and resources dedicated to coping with individual phishing attempts, even when those attempts fail. This cost adds up to considerable resources drained from IT departments that could be much better spent on digital transformation or on other ways of harnessing IT to improve the business.
Phishing is Costly for IT
It turns out that organizations spend a lot of IT time and resources dealing with phishing attempts, according to the report. Seventy percent of organizations report spending a surprising 16 minutes to a full hour (27.5 minutes on average) on just a single phishing email, from initial discovery to complete removal.
The report outlines seven IT roles that respondents indicate are involved in dealing with that single message and calculates the contribution of each to a composite annual salary and benefits figure of $68.26 per hour, or $136,528 annually. With an average of 27.5 minutes spent, the average salary cost amounts to $31.32 per phishing message.
When you consider that organizations often receive hundreds or thousands of these emails per year, the total cost is considerable. In fact, according to the report, handling phishing-related activities costs IT and security teams an average of one-third of their total working hours each week, or $45,726 in salary and benefits per IT person. An organization with 10 IT and security professionals would pay approximately $457,260 per year in salary and benefits just to handle phishing; 25 IT and security professionals would add up to $1,243,150 per year.
Phishing is On the Rise
Phishing may very well get even more expensive. According to the report, four out of five respondents said that the dynamics and sophistication of phishing attacks had stayed the same or gotten worse in the past year. Sixty-seven percent of respondents expect the time spent on phishing per week to stay the same or increase.
One of the new dynamics concerning IT is the increasing use of polymorphic attacks, which attempt to bypass traditional signature-based endpoint security tools by varying each phishing email slightly. Because no two copies match an existing signature, IT staff and tools must evaluate each email individually, a burden that is likely to take more time than a typical mainstream phishing email.
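The evasion described above can be illustrated with a short added example (this code is not from the Osterman report or from this post): a hash-based signature of one known lure is compared against several lightly varied copies, and then a normalized text-similarity check is run over the same copies. The sample emails are constructed for the illustration, and the similarity threshold and the normalization rules (masking URLs and numbers, dropping punctuation) are assumptions chosen to make the point, not values from the report.

```python
import hashlib
import re

# Constructed sample messages (not from the report): one original lure,
# three "polymorphic" variants that each change a few characters, and one
# benign message that should not match anything.
SAMPLE_EMAILS = [
    "Your invoice #4471 is overdue. Review it at http://pay-portal.example/inv and settle today.",
    "Your invoice #4472 is overdue! Review it at http://pay-portal.example/inv and settle today",
    "Your invoice #4473 is overdue. Please review it at http://pay-portal.example/inv?u=7 and settle today.",
    "Your  invoice  #4474 is overdue. Review it at http://pay-portal.example/inv and settle today.",
    "Team lunch is moved to Thursday at noon, see the calendar for the room.",
]


def exact_signature(text):
    """A traditional signature: the hash of the exact message bytes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize(text):
    """Assumed normalization: lowercase, mask URLs and numbers, drop punctuation."""
    text = text.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<num>", text)
    text = re.sub(r"[^\w<>\s]", " ", text)
    return text


def shingles(text, k=3):
    """Set of k-word windows over the normalized text (word shingles)."""
    tokens = normalize(text).split()
    return {" ".join(tokens[i:i + k]) for i in range(max(1, len(tokens) - k + 1))}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def count_signature_hits(known, candidates):
    """How many candidates an exact-hash signature of `known` would catch."""
    sig = exact_signature(known)
    return sum(1 for c in candidates if exact_signature(c) == sig)


def count_similarity_hits(known, candidates, threshold=0.5):
    """How many candidates a normalized similarity check would catch.

    The 0.5 threshold is an assumed illustrative value, not a tuned one.
    """
    ref = shingles(known)
    return sum(1 for c in candidates if jaccard(ref, shingles(c)) >= threshold)


if __name__ == "__main__":
    known, candidates = SAMPLE_EMAILS[0], SAMPLE_EMAILS[1:]
    print("exact-signature hits:", count_signature_hits(known, candidates))
    print("similarity hits:     ", count_similarity_hits(known, candidates))
    for c in candidates:
        print(f"{jaccard(shingles(known), shingles(c)):.2f}  {c[:50]}...")
```

Run as a script, the exact signature catches none of the varied copies while the similarity check flags the three lures and leaves the benign message alone. The point is the defender's side of the polymorphism problem: a detector that keys on exact content has to be re-fed every variant, whereas one that compares normalized structure lets a single triage decision cover the whole family of copies.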
The increasing use of phishing emails sent from compromised internal accounts is another concern. Internal emails that appear to come from trusted parties are more likely to succeed in getting users to click on links or fulfill their requests than external emails are, and they may get past the more common externally focused detection tools.
Hackers are also increasingly using obfuscation techniques that nest links and payloads, requiring today’s tools to evaluate each message at several lifecycle stages.
The report points out that phishing is moving to other communications tools besides email, including messaging applications, cloud-based file sharing platforms, and text messaging services. As the graph below shows, almost half of the respondents said they’re already seeing phishing attacks in these three tools.

If organizations want to avoid spending even more of their precious IT resources on preventing phishing and the sophisticated attacks it spawns, they will need to find ways to strengthen their phishing prevention tools and strategies. They will have to start focusing on tools that can cover the new communications channels phishing is taking advantage of, and adjust their user education to help users recognize the emerging tactics used by hackers, which can be very subtle and dangerous. The key is to get all of their resources and users involved in preventing successful phishing attacks, not just the IT department.