Over the past few years, it seems like we’ve seen a major data security breach in the headlines every few weeks. And every time it happens, I hear folks ask what they can do to help protect their company from such cyberattacks. Well, there are a number of things that can and should be done to protect today’s enterprises, but one thing in particular may have the best ROI out there: training employees to recognize and avoid phishing attacks.
Phishing, for the uninitiated, is an “e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients…messages appear to come from well known and trustworthy Web sites [such as] PayPal, eBay, MSN, Yahoo, BestBuy, and America Online.” (Source: TechTarget). During just the second quarter of 2015, the anti-phishing system of Kaspersky Labs was triggered more than 30 million times, “and that was only counting those triggered by computers running that company’s security products.” (Source: Forbes, “Top 10 New Phishing Scams: How You And Your Company Can Thwart Them,” October 7, 2015 by Lisa Brownlee). To make matters worse, over time phishing attacks have gotten more sophisticated and authentic-looking, so much so that nearly a quarter (23 percent) of recipients of phishing emails open them. More than 1 in 10 folks (11 percent) open the mails and click on the malicious attachments. (Source: Verizon Data Breach Investigations Report 2015).
A recent report from the Ponemon Institute further reveals the dangers and costs of phishing to enterprise. According to the report:
- the average annual cost to contain a malicious software infection from phishing is $1.9 million (Source: The Security Ledger, “The Cost of Phishing? More than you think!,” Aug. 26, 2015)
- the average cost to businesses to recover from a successful phishing attack is $300,000 (Source: Id.)
- the costs of phishing attacks (including containing the malware, remediating uncontained malware, productivity losses, containing credential compromises and remediating uncontained credential compromises) add up to $3.77 million per year for the average organization (Source: TechTarget, “Report: phishing training could cut damage costs by $1.8M,” Aug. 27, 2015)
- the most costly part of a phishing attack is loss of productivity at 48% of the total cost (Source: Id.); and,
- the average productivity loss due to phishing is 4.16 hours per employee, per year (that’s more than 400 hours of work, or 10 weeks, lost per year for an organization with just 100 employees). (Source: Id.)
The good news, according to Ponemon, is that there is something companies can do to protect against phishing and minimize the risks associated with such attacks. “Ponemon studied six companies, which had implemented phishing training programs for employees, and found that the long-term average net improvement per organization was 47.75%. Assuming this average improvement, organizations could save up to $1.8 million on phishing costs, the report concludes.” (Source: TechTarget, “Report: phishing training could cut damage costs by $1.8M,” Aug. 27, 2015).
Companies and their IT departments often focus on technology solutions, including firewalls, anti-spyware and anti-virus software, when it comes to defending against cyberattacks, including phishing. Those solutions are important, but when designing and implementing a comprehensive company infosec defense program, don’t forget your employees and the good they can do. Leaders who train them well and give them the knowledge and tools they need to resist phishing will reap the rewards and better withstand those attacks even as they persist and grow in number and sophistication.