Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

How Much Does It Cost to Protect Your Organization Against Phishing?

October 26, 2022

CSO reported on October 20 that phishing-related activities are consuming a third of the total time available to IT and security teams and costing organizations anywhere between $2.84 and $85.33 per phishing email, according to a new report by Osterman Research.

The report does not calculate the cost of damage caused by phishing. Instead, it focuses on the productivity loss of IT and security teams.

On average, organizations spend 16-30 minutes dealing with each phishing email identified in their email infrastructure, said the report, commissioned by email security firm Ironscales.

Osterman based its calculations on a poll of 252 IT and security professionals in the US in June 2022.

“The number of phishing emails that hit a specific organization each day is dependent on a myriad of factors, including the industry and geography the company is in,” said Ian Thomas, VP of product marketing at Ironscales.

In calculating the cost of dealing with phishing in IT and security teams, Osterman Research determined the average salary and benefits offered to an IT and security professional. To do so, it created a composite based on the survey respondents' roles that spend time each week dealing with phishing at their organization.

These roles include IT security manager, IT manager, email security manager, security manager, email security administrator, SOC manager, and SOC analyst. The report calculated that a composite IT and security professional costs $136,528 per year in salary and benefits, or $68.26 per hour.

“The average cost per phishing email is calculated by taking the midpoint between the range of the number of minutes, multiplied by the average hourly rate. For example, the midpoint for the ‘5-15 minutes’ range is 10 minutes, so 10 minutes of $68.26 = $11.38. The midpoint for the 46-60 minutes range is 52.5 minutes. For the ‘More than 60 minutes’ option, I selected 75 minutes as the calculation point,” Thomas said.

Based on this calculation, the report concluded that organizations spend anywhere between $2.84 and $85.33 per phishing email, depending on the amount of time they spend handling each one.

As the number of IT and security professionals in an organization grows, the cost of phishing-related activity also increases. An organization with five IT and security professionals is currently paying $228,630 of annual salary and benefits to handle phishing, the report said, while an organization with 10 IT and security professionals is paying $457,260 per year to handle phishing. This could go up to $1.14 million a year for an organization with 25 IT and security professionals.

The report specified that 70% of organizations spend 16-60 minutes on each phishing email. This covers the phishing lifecycle from the initial discovery of a potential phishing email to its complete removal from the environment.

On average, phishing-related activities consume one-third of the working hours available each week for the IT and security teams at their organization. This equates to $45,726 in salary and benefits paid per IT and security professional to handle phishing, the report noted.

One-third of survey respondents said they believe the current and expected levels of phishing represent a “threat” or “extreme threat” to them. While the current level of threat has declined over the past 12 months, the report said this could be reflective of the shift at many organizations towards office-based work again, where phishing risks are lower than for remote workers.

Nevertheless, over the next 12 months, 67% of organizations polled by Osterman said they expect the time spent on phishing emails per week for IT and security teams to stay the same or increase.

“Because phishing attacks will almost certainly become more numerous, more sophisticated, and better able to bypass traditional email security detection, a better interpretation of the data presented is that it indicates the desire of how respondents’ organizations want to respond to the phishing threat and not the nature of phishing attacks themselves.”

Extraordinary costs, yes? Without doubt, the percentage of phishing emails that contain misspellings, grammatical errors and other giveaways is declining as cybercriminals become more sophisticated.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology