With increased internet usage during the new normal of remote working, phishing attacks continue to challenge business security defenses. Cyberthugs often distribute malicious codes via various kinds of phishing baits, causing severe consequences to organizations’ critical digital infrastructure. A joint study from Proofpoint and Ponemon Institute revealed that the financial damages from phishing attacks have skyrocketed amid distributed work environments. The 2021 Cost of Phishing Study found that phishing attacks cost organizations nearly $14.8 million (over $1,500 per employee) annually, up from $3.8 million in 2015.
Cost of Phishing is more than Ransom
In addition to financial damages, phishing attacks cause multiple harms to organizations. Fixing compromised systems and performing forensic investigations consume a lot of time and planning. Loss of productivity is one of the expensive consequences. The study revealed that an average-sized U.S. organization wasted around 63,343 hours every year due to phishing attacks.
“When people learn that an organization paid millions to resolve a ransomware issue, they assume that fixing it cost the company just the ransom. We found that ransoms alone account for less than 20% of the cost of a ransomware attack. Because phishing attacks increase the likelihood of a data breach and business disruption, most of the costs incurred by companies come from lost productivity and remediation of the issue rather than the actual ransom paid to the attackers,” said Larry Ponemon, Chairman and Founder of Ponemon Institute.
Other Key Findings
- On average, security awareness training reduces phishing expenses by more than 50%.
- Costs for resolving malware infections have more than doubled since 2015. The average price of fixing malware attacks is $807,506 in 2021, increasing to $338,098 in 2015.
- The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021.
- Business Email Compromise (BEC) attacks cost nearly $6 million annually for a large organization.
- Ransomware annually costs large organizations $5.66 million. Of that, $790,000 accounts for the paid ransoms themselves.
“Until organizations deploy a people-centric approach to cybersecurity that includes security awareness training and integrated threat protection to stop and remediate threats, phishing attacks will continue. Because threat actors now target employees instead of networks, credential compromise has exploded in recent years, leaving the door wide-open for much more devastating attacks like BEC and ransomware,” said Ryan Kalember, executive vice president of cybersecurity strategy Proofpoint.