Phishing attacks and the costs they inflict on the victim organisations have increased significantly according to the 2021 Cost of Phishing Study.
The latest study sponsored by Proofpoint and presented by Ponemon Institute looks at the threats and costs created by business email compromise, identity credentialing and ransomware in the workplace.
The study found that, as many organisations struggle to secure a growing remote workforce during COVID-19, the number of successful phishing attacks is expected to increase.
The study team surveyed 591 IT and IT security practitioners in organisations in the US. Around 44% of the respondents were from organisations with 1,000 or more employees who have access to corporate email systems.
The findings of the study reveal that phishing attacks are having a significant impact on organisations not only because of the financial consequences but also because these attacks increase the likelihood of a data breach, decrease employee productivity and increase the likelihood of a business disruption.
The cost of phishing has more than tripled since 2015 when the first edition of this study was brought out. The average annual cost of phishing has increased from $3.8m in 2015 to $14.8m in 2021.
The most time-consuming tasks to resolve attacks are the cleaning and fixing of infected systems and conducting forensic investigations.
Documentation and planning represent the least time-consuming tasks.
Loss of employee productivity represents a significant component of the cost of phishing. Employee productivity losses are among the costliest to organisations and have increased significantly from an average of $1.8m in 2015 to $3.2m in 2021. Employees now have to spend more time dealing with the consequences of phishing scams.
The study estimated that the time employees/users spend each year viewing and possibly responding to phishing emails averages seven hours, up from four hours in 2015, and that this lost time is a major source of the productivity cost.
Until organisations deploy a people-centric approach to cyber security that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue.