Skip to content ↓ | Skip to navigation ↓

The average organization could potentially spend up to $3.7 million per year responding to phishing attacks, says a new report issued by the Ponemon Institute.

The study, which surveyed nearly 400 IT professionals at companies with employees ranging from less than 100 to more than 75,000, found that the majority of phishing costs (48 percent) are due to loss of employee productivity.

According to Ponemon’s cost analysis, the annual cost to contain malware based on the hours spent to resolve the incident – including planning, capturing intelligence, evaluating intelligence, investigating, cleaning, fixing and documenting – amounts to an average of $1.8 million.

In addition, the study found that employees waste an average of 4.16 annually due to phishing scams.

Furthermore, 27 percent of phishing costs are associated with credential compromises not contained, which could cost an average-sized company more than $1 million.


Screen Shot 2015-08-26 at 11.00.48 AM
Source: The Cost of Phishing & Value of Employee Training, Ponemon Institute

“This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption,” said Joe Ferrara, President and CEO of survey sponsor Wombat Security Technologies.

Companies who adopted effective training programs saw an average improvement of 64 percent in their phishing email click rate, according to Ponemon’s proof-of-concept studies.

“In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks,” said Larry Ponemon, chairman and founder of Ponemon Insitute.

“As the threat landscape continues to intensify and phishing tactics become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack,” added Ponemon.