Comprehensive security training programs with a continuous training methodology can significantly reduce the financial consequences of phishing in the workplace, according to a research report published Wednesday.
Security research firm Ponemon Institute recently surveyed 377 IT security practitioners in the U.S. — 39 percent of them from organizations with 1,000 or more employees who have access to corporate email systems — for the Cost of Phishing and Value of Employee Training report, sponsored by Wombat Security Technologies.
"In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks," Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement today. "This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these. As the threat landscape continues to intensify and phishing attacks become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack."
Phishing costs businesses big-time
Ponemon analyzed the potential cost to organizations when employees are victimized by phishing scams, extrapolating that the total annual cost of phishing for the average-sized organization in its sample (a headcount of 9,552 individuals with user access to corporate email systems) came to $3.77 million. The analysis included the cost to contain malware, the cost of malware not contained, the loss of productivity from phishing, the cost to contain credential compromises and the cost of credential compromises not contained.
In Ponemon's cost analysis, the largest share of costs comes from lost employee productivity: 48 percent of total organizational costs (more than $1.8 million for the average-sized organization in the sample) are employee/user productivity losses caused by successful phishing during the work day. The cost of credential compromises not contained accounted for another 27 percent (more than $1 million for the average-sized organization in the sample).
Ponemon found that employees waste an average of 4.16 hours a year dealing with phishing scams. For an average-sized organization (9,552 individuals with user access to corporate email systems), that comes to 39,736 hours a year lost to phishing. Assuming an average labor rate of $45.80 per hour for non-IT employees, that amounts to a productivity loss of $1,819,923 a year.
Training does matter
But employee security training can substantially affect that number. Ponemon obtained proof-of-concept studies from six large companies that used Wombat's phishing training, which combines mock phishing attacks with follow-up in-depth training. The improvements measured in those companies ranged from 26 percent to 99 percent, with an average improvement of 64 percent.