As phishing attacks increase, preventing them from doing damage is proving costly for organizations. Phishing-related activities are consuming a third of the total time available to IT and security teams and costing organizations anywhere between $2.84 and $85.33 per phishing email, according to a new report by Osterman Research.
The report does not calculate the cost of damage caused by phishing, but rather the productivity loss of IT and security teams.
On average, organizations spend 16-30 minutes dealing with each phishing email identified in their email infrastructure, said the report, commissioned by email security firm Ironscales.
Osterman based its calculations on a poll of 252 IT and security professionals in the US in June 2022.
“The number of phishing emails that hit a specific organization each day is dependent on a myriad of factors, including the industry and geography the company is in,” said Ian Thomas, VP of product marketing at Ironscales.
How to calculate the cost of a phishing email
To calculate the cost of dealing with phishing in IT and security teams, Osterman Research first determined the average salary and benefits offered to an IT and security professional. To do so, it created a composite based on the roles reflected in the survey whose holders spend time each week dealing with phishing at their organization.
These roles include IT security manager, IT manager, email security manager, security manager, email security administrator, SOC manager, and SOC analyst. The report calculated that a composite IT and security professional costs $136,528 per year in salary and benefits, or $68.26 per hour.
“The average cost per phishing email is calculated by taking the midpoint between the range of the number of minutes, multiplied by the average hourly rate. For example, the midpoint for the ‘5-15 minutes’ range is 10 minutes, so 10 minutes of $68.26 = $11.38. The midpoint for the 46-60 minutes range is 52.5 minutes. For the ‘More than 60 minutes’ option, I selected 75 minutes as the calculation point,” Thomas said.
Based on this calculation, the report concluded that organizations spend anywhere from $2.84 to $85.33 per phishing email, depending on the amount of time they spend handling such mails.
As the number of IT and security professionals in an organization increases, the cost of phishing-related activity also increases. An organization with five IT and security professionals is currently paying $228,630 of annual salary and benefits to handle phishing, the report said, while an organization with 10 IT and security professionals is paying $457,260 per year to handle phishing. This could go up to $1.14 million a year for an organization with 25 IT and security professionals.
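The arithmetic Thomas describes, written out as a small cost model that reproduces the report's per-email and per-team figures and lets a team plug in its own triage counts. This is an added example, not code from the report, Osterman Research or Ironscales. It takes the $136,528 composite cost, the $45,726 per-professional phishing cost and the 10-, 52.5- and 75-minute calculation points from the article; it assumes a 2,000-hour working year (which reproduces the $68.26 hourly rate), a 2.5-minute calculation point for a "less than 5 minutes" answer (which reproduces the $2.84 low end), and 22.5 and 37.5 minutes for the intermediate ranges by the same pattern; the batch counts are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# Figures taken from the Osterman Research / Ironscales report as quoted in the article.
ANNUAL_COST_PER_PROFESSIONAL = Decimal("136528")   # salary + benefits, composite role
HOURS_PER_YEAR = 2000                               # assumption; reproduces the $68.26/hour figure
PHISHING_COST_PER_PROFESSIONAL = Decimal("45726")  # annual, one-third of working hours (report figure)
CENT = Decimal("0.01")

# Calculation point (minutes) for each survey answer. 10, 52.5 and 75 are the
# values Thomas gives; 2.5, 22.5 and 37.5 are assumptions that follow the same
# pattern (2.5 reproduces the $2.84 low end quoted in the article).
CALCULATION_POINT = {
    "less than 5 minutes": Decimal("2.5"),
    "5-15 minutes": Decimal("10"),
    "16-30 minutes": Decimal("22.5"),
    "31-45 minutes": Decimal("37.5"),
    "46-60 minutes": Decimal("52.5"),
    "more than 60 minutes": Decimal("75"),
}


def hourly_rate(annual_cost=ANNUAL_COST_PER_PROFESSIONAL, hours_per_year=HOURS_PER_YEAR):
    """Composite hourly cost of one IT/security professional, rounded to cents."""
    return (annual_cost / Decimal(hours_per_year)).quantize(CENT, rounding=ROUND_HALF_UP)


def cost_per_email(minutes, rate=None):
    """Cost of handling one phishing email: minutes spent times the hourly rate."""
    rate = hourly_rate() if rate is None else rate
    return (rate * Decimal(str(minutes)) / Decimal(60)).quantize(CENT, rounding=ROUND_HALF_UP)


def cost_per_answer():
    """Cost per email for every survey answer, keyed by the answer label."""
    return {answer: cost_per_email(mins) for answer, mins in CALCULATION_POINT.items()}


def batch_cost(counts_by_answer):
    """Total handling cost for a batch of emails tallied by survey answer.

    counts_by_answer maps an answer label to the number of emails that took
    that long, e.g. a triage log bucketed the way the survey asks."""
    total = Decimal("0")
    for answer, count in counts_by_answer.items():
        total += cost_per_email(CALCULATION_POINT[answer]) * count
    return total.quantize(CENT, rounding=ROUND_HALF_UP)


def annual_team_cost(num_professionals):
    """Annual salary and benefits absorbed by phishing for a team of the given size."""
    return PHISHING_COST_PER_PROFESSIONAL * num_professionals


if __name__ == "__main__":
    print(f"hourly rate: ${hourly_rate()}")
    for answer, cost in cost_per_answer().items():
        print(f"{answer:>22}: ${cost}")
    # Constructed sample week: 40 quick, 30 medium and 10 long investigations.
    sample = {"5-15 minutes": 40, "16-30 minutes": 30, "46-60 minutes": 10}
    print(f"sample batch: ${batch_cost(sample)}")
    for size in (5, 10, 25):
        print(f"{size} professionals: ${annual_team_cost(size):,}")
```

Decimal with ROUND_HALF_UP is used deliberately: the $85.33 figure is 85.325 rounded up, which binary floating point rounding would not reliably reproduce.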
Most organizations spend up to 60 minutes per phishing email
The report specified that 70% of organizations spend 16-60 minutes on each phishing email. This covers the phishing lifecycle from the initial discovery of a potential phishing email to its complete removal from the environment.
On average, phishing-related activities consume one-third of the working hours available each week for the IT and security teams at their organization. This equates to $45,726 in salary and benefits paid per IT and security professional to handle phishing, the report noted.
One-third of survey respondents said they believe the current and expected levels of phishing represent a “threat” or “extreme threat” to them. While the current level of threat has declined over the past 12 months, the report said this could be reflective of the shift at many organizations towards office-based work again, where phishing risks are lower than for remote workers.
Nevertheless, over the next 12 months, 67% of organizations polled by Osterman said they expect the time spent on phishing emails per week for IT and security teams to stay the same or increase.
“Because phishing attacks will almost certainly become more numerous, more sophisticated, and better able to bypass traditional email security detection, a better interpretation of the data presented is that it indicates the desire of how respondents’ organizations want to respond to the phishing threat and not the nature of phishing attacks themselves.”