IRONSCALES, the leader in AI-powered email security and the fastest growing email security company in the world, today announced the results of a new study conducted by Osterman Research to quantify the direct costs borne by organizations in mitigating phishing threats, and to explore expectations about how phishing will change over the next 12 months. The report includes survey responses from more than 250 IT and security practitioners.
2022 October 1
The Business Cost of Phishing report reveals organizations with 25 IT and security professionals are spending more than $1 million per year to handle phishing
The Business Cost of Phishing shows that IT and security teams spend one-third of their time handling phishing threats every week. Seventy percent of organizations spend 16-60 minutes dealing with a single phishing email message. On average, dealing with the threat of a single phishing email takes 27.5 minutes at a cost of $31.32 per phishing message. Most respondents expect the impact of phishing to get worse over the coming 12 months, with 67% expecting the time spent on phishing per week for IT and security teams to stay the same or increase.
“Organizations of all sizes and across all geographies continue to struggle with the impact of phishing attacks,” said Ian Thomas, vice president of Product Marketing at IRONSCALES. “This new report quantifies this impact in terms of the time and energy required to defend against the never-ending and ever-evolving onslaught of these attacks. It also reveals where practitioners feel these attacks will spread next.”
Key Findings
Phishing represents a significant threat to organizations. One-third of organizations indicate phishing is a “threat” or “extreme threat” due to consequences such as loss of account credentials, business email compromise and data theft.
The dynamics of phishing attacks are changing. Eighty percent of organizations state that various dynamics of phishing have worsened or remained the same over the past 12 months. These dynamics were the number of phishing attacks (82 percent increased or stayed the same), the sophistication of phishing attacks (80 percent) and the ability of phishing attacks to bypass current detection mechanisms (79 percent).
Concerns with characteristics of phishing threats. A diverse set of increasingly sophisticated phishing threats is causing “concern” or “extreme concern” for organizations, including the use of adaptive techniques to create unique attributes for each phishing message (51 percent), the use of compromised account credentials to hijack current email threads to send phishing threats (48 percent) and the use of advanced obfuscation techniques to hide phishing threats (48 percent).
Phishing is spreading to other tools. Almost half of the respondents state that phishing is spreading to tools beyond email, including messaging apps (57 percent), cloud-based file sharing platforms (50 percent) and text messaging services (49 percent).
Recommendations
- Gauge phishing awareness among employees using surveys and incorporate phishing material in future training materials to compensate for any knowledge gaps and reduce the susceptibility to these fraudulent emails.
- Use the principle of least privilege access to ensure that even if an employee’s account gets compromised, your attack surface is minimized by restricting access levels to only what’s necessary for job functions and duties.
- Use phishing simulation and training exercises to give employees practical opportunities to improve their ability to detect social engineering techniques common across various types of attacks.
- If you have a BYOD policy that allows employees to connect their smartphones to your corporate network and apps, update the policy to include specific tips and guidance for employees in ensuring they don’t fall victim to text-based scams.
About IRONSCALES
IRONSCALES is the leader in AI-powered email security protecting over 13,000 global organizations from advanced phishing threats. As the pioneer of adaptive AI, we detect and remediate attacks like business email compromise (BEC), account takeovers (ATO), and zero-days that other solutions miss. By combining the power of AI and continuous human insights, we safeguard inboxes, unburden IT teams, and turn employees into a vital part of cyber defense across enterprises and managed service providers. IRONSCALES is headquartered in Atlanta, Georgia. To learn more, visit www.ironscales.com or follow us on X @IRONSCALES.