Phishing attacks cost companies $3.77 million per year

Phishing attacks are costly, according to a recent study from the Ponemon Institute. It is obviously costly when an employee falls for a phishing scam and compromises his or her endpoint, or possibly the network as a whole. It is also costly, however, at least in terms of lost productivity, simply to avoid phishing attacks: every suspicious email an employee has to inspect and discard takes time.

I wrote this blog post about the financial impact of phishing attacks on businesses.

Organizations spend a significant amount of money on security tools. All of the firewalls and antimalware solutions in the world, though, offer little protection against a phishing attack that tricks an authorized user into downloading malicious software or handing over credentials. Phishing attacks are becoming more effective and more costly as time goes on.

The Ponemon Institute recently published a report titled Cost of Phishing and the Value of Employee Training that illustrates the concerning trends behind phishing. Ponemon researchers surveyed 377 IT and IT security professionals from organizations throughout the United States to learn more about the financial consequences of phishing scams and the financial impact phishing has on employee productivity. Nearly 40 percent of survey respondents represent companies of 1,000 or more employees.

The report analyzes a few different elements, both direct and indirect, of a phishing attack. Ponemon weighed the cost to contain malware, the cost of malware that is not contained, lost productivity, the cost to contain credential compromises, and the cost of credential compromises that are not contained. The Ponemon report concludes, "Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in our sample totals $3.77 million."

$3.77 million? Does your organization have $3.77 million of the annual budget allocated to defending against phishing attacks or a spare $3.77 million lying around with nothing better to do?

The most expensive component of the cost of a phishing attack is lost employee productivity, which includes the time employees spend viewing and rejecting phishing emails as well as the time involved in remediating a successful phishing attack. According to Ponemon, lost productivity makes up 48 percent of the total.

Read the full post on the RSA Conference blog: How Much Will That Phishing Trip Cost You?

5 thoughts on “Phishing attacks cost companies $3.77 million per year”

  1. I’d bet the cost is a lot more when you add in reputation, loss of productivity from the time spent undoing all the problems. This is a good argument for solid security plans and practices as well as working with a strong vendor that has a lot of ties within the security arena.


    Karen Bannan, commenting on behalf of IDG and Dell.
