By The PhishLabs Team | November 15, 2016
Everybody knows phishing is costly to their organization.
But how costly? Few organizations know for sure.
Plenty of studies have claimed to calculate the cost of phishing, but the results are usually hard to swallow. For instance, does phishing cost your organization $1.6 million per incident? Or $3.7 million per year?
Perhaps… but probably not.
The issue with these figures is that they’re averages, heavily skewed by data from huge organizations. The results may be interesting, but they’re of little use to most organizations.
The Dangers of Not Knowing
Unfortunately, most organizations have no idea how much phishing is costing them. They simply go about their business, do what they can with their security budget, and hope for the best.
But there’s a huge issue with this approach.
Phishing may not cost you $3.7 million per year, but we can almost guarantee it does cost more than you think.
With simple security measures, and a little investment, you can slash your annual cost of phishing. The trouble is, if you don’t know how much phishing is costing you right now, it’s hard to make a case for investment.
And if you don’t have financial clarity in this area, how are your security budgets set? Have you simply guessed how much incident response costs? Or based this year’s budget on what happened last year?
And we get it. Calculating the cost of phishing is hard. The research doesn’t seem to help, and getting your head around the variables is far from easy. But sadly, if you can’t quantify your organization’s cost of phishing, you’re unlikely to get the investment you need.
Getting it Done
Let’s get one thing straight. Nobody can calculate exactly how much phishing is going to cost in advance. In fact, it’s hard enough to identify exact costings even after the event.
It is possible to produce a data-driven figure that you can use to plan your security budgets and evidence the need for investment. To do that, we’ll first need to return to the research.
How Many Phishing Emails are Coming In?
This might seem a basic question, but it’s difficult to answer precisely. Interested in checking through every email your organization receives by hand? We’re guessing not.
Instead, we’ll need to rely on global statistics.
According to the Radicati Email Statistics Report, the average business account receives 55 spam emails per day. On average, then, an organization with 5,000 employees receives 275,000 spam emails each day.
Let’s charitably assume a spam filter is able to block 99% of those. Our 5,000-strong organization still has 2,750 spam emails reaching users’ inboxes every day.
Of course, not all those are phishing emails. According to Kaspersky, around 1.5% of spam emails can be classified as phishing. For an organization with 5,000 employees, then, we can expect users to be faced with approximately 41 phishing emails per day.
Care and Feeding of Phishing Emails
Of course, right now we’re not concerned with how many phishing emails come in. We care about what happens to them. This is where your phishing susceptibility rate comes in.
If your users lack security awareness they might have a susceptibility rate of 30%. That means they fall for almost one in three phishing emails. But if they’re security savvy, they might have a susceptibility rate of just 5%. In that case, they fall for only one in twenty phishing emails.
In practice, there’s a huge difference between these rates. For our 5,000 employee organization, it’s the difference between 12.4 phishing exposures per day, and just 2.1.
To put that another way, annually it’s the difference between 4,517 exposures and 753. Again, not every exposure leads to a breach, but in our experience at least 10% lead to the successful compromise of a user or their machine.
To continue with our example, that’s 452 annual security incidents at 30% susceptibility, and 75 at 5%.
Clearly, reducing phishing susceptibility has a dramatic effect on organizational security. But let’s take a look at the financial implications.
It Costs HOW Much?
We already know that for most organizations, phishing doesn’t cost $3.7 million per year. But nonetheless, you might be surprised at just how expensive it can be for SMEs.
Let’s assume that between mitigation, forensics, and recovery, each security incident takes 5 hours to investigate. Let’s also assume it costs around $100 per hour to conduct these operations.
These are low-ball figures, but they’ll do for now. For our example organization, at 30% susceptibility this means an annual cost of $225,844 just for incident response. At 5% susceptibility, it’s $37,641.
Now let’s consider the cost of breaches. According to the Verizon 2016 Data Breach Investigations Report, around 2.2% of incidents in mid-sized organizations result in breaches.
At 30% susceptibility we’re looking at 9.9 breaches per year due to phishing. At 5%, it’s just 1.7.
According to the Ponemon Institute, the average breach cost per employee is $3.5 for an organization of this size. For our fictitious organization, that means an annual cost of $173,900 at 30% susceptibility, or $28,983 at 5%.
When we combine incident response and data breach recovery costs, the differences are stark. If employees at our 5,000-strong company fall for three out of every ten phishing emails, the annual cost is $399,743. If they fall for just one in twenty phishing emails, that figure falls to $66,624.
By taking security awareness seriously, the 5,000-strong company can save $333,120 every year.
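The chain of estimates above (spam volume, filter block rate, phishing share, susceptibility, compromise rate, incident-response cost, breach rate and per-employee breach cost) is a single model, and it is easier to argue with a budget committee when the whole chain is written down as one parameterised calculation. The following is an added example, not PhishLabs’ own Cost of Phishing Susceptibility model (which uses 19 further factors the post does not list) and not code from the post. It reproduces the post’s 5,000-employee worked example from the figures quoted above; the function and field names are my own, and the defaults are the post’s stated inputs, so any other organisation should replace them with its own measured values.

```python
from dataclasses import dataclass


@dataclass
class PhishingCostInputs:
    """Inputs to the cost-of-phishing estimate. Defaults are the figures quoted in the post."""
    employees: int
    spam_per_account_per_day: float = 55.0   # Radicati figure quoted in the post
    filter_block_rate: float = 0.99           # share of spam the gateway blocks (assumed)
    phishing_share_of_spam: float = 0.015     # Kaspersky figure quoted in the post
    susceptibility: float = 0.30              # share of phishing emails users fall for
    compromise_rate: float = 0.10             # share of exposures that become incidents
    hours_per_incident: float = 5.0           # mitigation + forensics + recovery effort
    cost_per_hour: float = 100.0              # loaded cost of incident-response staff
    breach_rate: float = 0.022                # Verizon DBIR figure quoted in the post
    breach_cost_per_employee: float = 3.5     # Ponemon figure quoted in the post
    days_per_year: int = 365

    def validate(self) -> None:
        # Every rate is a proportion; catch typos such as entering 30 instead of 0.30.
        for name in ("filter_block_rate", "phishing_share_of_spam", "susceptibility",
                     "compromise_rate", "breach_rate"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")
        if self.employees <= 0:
            raise ValueError("employees must be positive")


def cost_of_phishing(p: PhishingCostInputs) -> dict:
    """Walk the post's chain of estimates and return every intermediate figure.

    Intermediate values are kept unrounded so that the final totals match the
    post's rounding of an unrounded calculation (41.25 phish/day, not 41).
    """
    p.validate()
    spam_reaching_inbox = p.employees * p.spam_per_account_per_day * (1.0 - p.filter_block_rate)
    phishing_per_day = spam_reaching_inbox * p.phishing_share_of_spam
    exposures_per_day = phishing_per_day * p.susceptibility
    annual_exposures = exposures_per_day * p.days_per_year
    annual_incidents = annual_exposures * p.compromise_rate
    incident_response_cost = annual_incidents * p.hours_per_incident * p.cost_per_hour
    annual_breaches = annual_incidents * p.breach_rate
    breach_cost = annual_breaches * p.breach_cost_per_employee * p.employees
    return {
        "spam_reaching_inbox_per_day": spam_reaching_inbox,
        "phishing_emails_per_day": phishing_per_day,
        "exposures_per_day": exposures_per_day,
        "annual_exposures": annual_exposures,
        "annual_incidents": annual_incidents,
        "incident_response_cost": incident_response_cost,
        "annual_breaches": annual_breaches,
        "breach_cost": breach_cost,
        "total_annual_cost": incident_response_cost + breach_cost,
    }


def awareness_savings(employees: int, current_rate: float, target_rate: float) -> float:
    """Annual saving from driving susceptibility from current_rate down to target_rate."""
    before = cost_of_phishing(PhishingCostInputs(employees=employees, susceptibility=current_rate))
    after = cost_of_phishing(PhishingCostInputs(employees=employees, susceptibility=target_rate))
    return before["total_annual_cost"] - after["total_annual_cost"]


if __name__ == "__main__":
    # Reproduce the post's two scenarios for a 5,000-employee organisation.
    for rate in (0.30, 0.05):
        r = cost_of_phishing(PhishingCostInputs(employees=5000, susceptibility=rate))
        print(f"susceptibility {rate:.0%}: "
              f"{r['annual_incidents']:,.0f} incidents, "
              f"{r['annual_breaches']:.1f} breaches, "
              f"IR ${r['incident_response_cost']:,.0f}, "
              f"breach ${r['breach_cost']:,.0f}, "
              f"total ${r['total_annual_cost']:,.0f}")
    print(f"annual saving 30% -> 5%: ${awareness_savings(5000, 0.30, 0.05):,.0f}")
```

Because every intermediate figure is returned, the same function also shows which lever matters most: halving `hours_per_incident` only touches the incident-response line, whereas lowering `susceptibility` scales both the incident-response and the breach lines together, which is why the awareness saving in the post is so large relative to the other inputs.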
Cut Out the Calculations
We know what you’re thinking. A lot of calculations and research went into producing the figures above. But if you’re interested in calculating your organization’s cost of phishing, you don’t need to worry about all that. Instead, we’ve put together a tool that does it for you.
Using our Cost of Phishing Susceptibility model, you’ll instantly see how much phishing is costing your organization. Not only that, you can immediately quantify the financial benefits of investment in awareness.
Using organization size, susceptibility rate, and 19 other factors, the model produces a credible, data-driven result.
An ongoing commitment to phishing awareness can save huge amounts in the long run. So if you need to justify an investment plan, or convince your board to take phishing seriously, download the tool free today.