Phishing continues to represent not just a mainstay threat but also a significant cost to enterprises, with some large organizations with a robust IT and security staff spending $1.1 million per year to mitigate phishing attacks, new data shows.
Phishing-related security activities currently consume, on average, about one-third of the total time available to organizations' IT and security teams, according to a newly published report. A single malicious message costs an organization an average of about 27 minutes and $31 in labor to mitigate, but can cost up to $85.33 if a company takes 60 minutes to eliminate the threat, researchers found.
This cost, combined with the consequences of successful phishing incidents — which include loss of account credentials, business email compromise, and data theft — means that about a third of organizations consider phishing to be either a "threat" or "extreme threat" to their businesses, researchers wrote in the report, which was commissioned by email security firm Ironscales and conducted and written by Osterman Research.
This situation is unlikely to improve anytime soon, as threat actors become even more sophisticated in how they craft phishing campaigns not only to hook enterprise workers, but also to make phishing emails harder to detect, the researchers found.
And while the shift to remote working that occurred during the pandemic lifted the burden of phishing slightly and led to a decline in this type of cybercrime activity over the 12 months preceding June 2022, the threat from phishing will soon be on the uptick again, the researchers found.
Enterprises should be on the alert and start preparing now to deal with imminent and "more sophisticated and pernicious" attacks — or expect to spend even more to handle phishing in the future, they said. "The time and cost currently expended on mitigating phishing will increase unless organizations start relying on better phishing protections," the researchers wrote.