Costs incurred by organizations as a result of successful phishing attacks are mostly related to employee productivity loss and uncontained credential compromises, which together cost an average sized company $3.77 million per year.

That's one of the key findings of a new report, “The Cost of Phishing and Value of Employee Training,” published by the Pittsburgh-based Wombat Security Technologies and Traverse City, Mich.-based Ponemon Institute.

In the report, Ponemon Institute also found that phishing email click rates went down by an average of 64% after employees completed Wombat's security training program. This demonstrates that following a security training program, employees are more likely to recognize phishing in their workplaces and will behave differently, Ponemon said.

As a result of effective training, Ponemon estimated organizations will see a cost savings of $1.8 million or $188.4 per employee or user. If a company paid Wombat's standard fee of $3.69 per user for up to 10,000 users, it would see a very substantial net benefit of $184.7 per user.

Other key findings of the report include the following:

  • The average total cost for an average company to contain malware is $1.9 million per year.
  • Uncontained malware costs for an average sized company are as high as $105.9 million annually.
  • The cost of business disruption due to phishing is $66.9 million per year.
  • Employees waste an average of 4.16 hours annually due to phishing scams.
  • The average annual cost to contain a credential compromise that originated from a successful phishing attack is $381,920. Uncontained credential compromises could cost a company as much as $105.9 million per year.

“In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks,” Dr. Larry Ponemon, chairman and founder for the Ponemon Institute, said. “This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these. As the threat landscape continues to intensify and phishing tactics become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack.”

Joe Ferrara, president/CEO of Wombat Security Technologies, said, “This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption. This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organization.”

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).