Proofpoint & Ponemon Institute release findings of Cost of Phishing report

Proofpoint and Ponemon Institute have released the findings of their Cost of Phishing report. The cost of phishing assaults has nearly tripled in the last six years, according to the research, with major U.S. firms losing an average of $14.8 million per year (or $1,500 per employee), up significantly from $3.8 million in 2015.

According to the report, which surveyed almost 600 IT and IT security practitioners, BEC and ransomware attacks are the most expensive threats to enterprises. However, the losses to businesses go far beyond the money paid to the attackers.

“When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. What we found is that ransoms alone account for less than 20 percent of the cost of a ransomware attack,” said Larry Ponemon, Chairman and Founder of Ponemon Institute.  

Ponemon added: “Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers.”

According to the Anti-Phishing Working Group (APWG), phishing is a crime that employs both social engineering and technical subterfuge to steal personal identity data and financial account credentials. Credential compromise (credential theft) generally precedes attacks like BEC and ransomware, usually in the form of an employee being “phished” into giving up their login credentials. The growth of phishing is not gradual but exponential, with the APWG estimating that phishing attacks doubled in 2020 alone.

Other key findings from the 2021 Cost of Phishing report include:

  • One of the most expensive consequences of phishing is a loss of productivity. This equates to 63,343 wasted hours per year in a typical US firm of 9,567 employees. Phishing attacks cost each employee an average of seven hours per year, up from four hours in 2015.
  • A significant organization’s annual cost of Business Email Compromise is approximately $6 million. Illicit payments to BEC attackers total $1.17 million per year.
  • Ransomware costs large businesses $5.66 million per year. The paid ransoms account for $790,000 of that total.
  • On average, Security Awareness Training cuts phishing costs by more than half.
  • Since 2015, the cost of resolving malware infections has more than doubled. In 2021, the average overall cost of fixing malware attacks is $807,506, up from $338,098 in 2015.
  • Since 2015, the cost of credential compromise has skyrocketed. As a result, businesses are paying more money to respond to these threats. The average cost of containing phishing-based credential compromises has grown from $381,920 in 2015 to $692,531 in 2021. Over the course of a year, organizations encountered an average of 5.3 compromises.
  • Business leaders should consider the most likely worst-case scenarios. BEC attacks, for example, may cost businesses up to $157 million in business disruption if they aren’t prepared. Data exfiltration caused by malware could cost firms up to $137 million.

Emile Abou Saleh, Regional Director, Middle East, and Africa for Proofpoint, added: “In the Middle East, our recent research revealed that CISOs in the UAE and KSA feel at risk of suffering material cyberattacks in the next 12 months, with phishing being a concern for nearly one-third of CISOs. It is therefore crucial for organizations in the Middle East to build a culture of cybersecurity among their employees by putting in place cybersecurity awareness training to understand how security policies affect their day-to-day work.”

“Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, executive vice president of cybersecurity strategy, Proofpoint.

Kalember added: “Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.”
