Successful phishing attacks are all over the news and a top concern for IT managers, but how do you make the business case for adding more advanced email and web security? In a new report, security industry analyst Derek Brink of the Aberdeen Group has crunched the numbers and put $$$ on the real risks and cost impact to businesses of phishing attacks, giving calculations for companies of different sizes and in different industry sectors. A complimentary copy of the report is available for free download.
The paper explains very succinctly why phishing attacks are bypassing security and reaching users so often today, and lays out the new type of security required to better defend against them. Brink then quantifies the financial risks posed by phishing, and how to think about — and justify — IT security investments at your company from a business perspective.
The Long Tail of Risk
Using a sophisticated model, Brink calculates the median annual business impact of a successful phishing attack at $260,000 for a business with 1,000 users. He also calculates the probabilities of a range of losses, from low to high, including the likelihood of a catastrophic loss (defined as over $10 million) in a section where he explains the “long tail of risk.” Brink argues the small but real risk of large losses in this “long tail” must be taken into account when defining what kind of security protection a business wants to have in place, instead of just focusing on average risk.
Brink then turns to the question of what is the return on any investment an IT manager might make in reducing phishing risk through better security, giving specific ROI multiples while comparing the likelihood of a positive return on additional security investments to the “maintain status quo” option.
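To make the "long tail" and ROI arguments in the two paragraphs above concrete, here is an added example (not from Brink's report, whose actual model is not described on this page) that fits a lognormal loss distribution to the report's $260,000 median and computes the mean, the probability of exceeding the $10 million catastrophic threshold, a high percentile, and a simple ROI multiple against the status quo. The dispersion parameter SIGMA and the $100,000 / 50% control figures are assumptions, not figures from the report.

```python
import math
from statistics import NormalDist

# Figures taken from the summary of Brink's report on this page.
MEDIAN_LOSS = 260_000.0           # median annual impact, 1,000-user business
CATASTROPHIC_LOSS = 10_000_000.0  # report's threshold for a "catastrophic" loss
# ASSUMPTION: dispersion of the log-loss. The report's model is not described
# here; 1.5 is a constructed value that yields a heavy right tail.
SIGMA = 1.5


def log_loss_dist(median: float = MEDIAN_LOSS, sigma: float = SIGMA) -> NormalDist:
    """Lognormal loss model: ln(loss) ~ Normal(ln(median), sigma).
    For a lognormal the median is exp(mu), so mu follows from the median."""
    return NormalDist(mu=math.log(median), sigma=sigma)


def mean_loss(median: float = MEDIAN_LOSS, sigma: float = SIGMA) -> float:
    """Expected annual loss. The heavy tail pulls the mean well above the median."""
    return math.exp(math.log(median) + sigma ** 2 / 2)


def prob_loss_exceeds(threshold: float, median: float = MEDIAN_LOSS,
                      sigma: float = SIGMA) -> float:
    """Probability that one year's loss exceeds `threshold` (tail probability)."""
    return 1.0 - log_loss_dist(median, sigma).cdf(math.log(threshold))


def loss_percentile(p: float, median: float = MEDIAN_LOSS,
                    sigma: float = SIGMA) -> float:
    """Loss not exceeded with probability p (p=0.95 -> roughly a 1-in-20-year loss)."""
    return math.exp(log_loss_dist(median, sigma).inv_cdf(p))


def roi_vs_status_quo(annual_cost: float, risk_reduction: float,
                      median: float = MEDIAN_LOSS, sigma: float = SIGMA) -> float:
    """ROI multiple of a control costing `annual_cost` per year that cuts
    expected loss by `risk_reduction` (0..1), versus spending nothing.
    Avoided loss is measured against the mean, not the median, because
    most of the expected loss sits in the tail."""
    avoided = mean_loss(median, sigma) * risk_reduction
    return (avoided - annual_cost) / annual_cost


if __name__ == "__main__":
    print(f"median loss:        ${MEDIAN_LOSS:,.0f}")
    print(f"mean loss:          ${mean_loss():,.0f}")
    print(f"95th percentile:    ${loss_percentile(0.95):,.0f}")
    print(f"P(loss > $10M):     {prob_loss_exceeds(CATASTROPHIC_LOSS):.2%}")
    # ASSUMED control: $100k per year that halves expected phishing loss.
    print(f"ROI vs status quo:  {roi_vs_status_quo(100_000, 0.5):.1f}x")
```

Under these assumptions the mean is about three times the median and a catastrophic year has under a 1% probability, which is exactly the small-but-real tail the report says should drive the protection decision.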
Phishing Attacks Are Fast, Protection Must Be Faster
In the report, Brink also frames the problem with today’s defenses by focusing on the timeline of phishing attacks, concluding that effective defense is really about speed. Among other findings, he observes that the median elapsed time to the first open of a phishing email by a user is 1m40s after it is sent, and that 80% of phishing victims are hooked within the first 60 minutes of the launch of a new phishing campaign. In a game that is played at a scale of seconds and minutes (and not hours and days), any protection needs to move faster than both attackers and users. Brink concludes his analysis by underlining the need for high-speed security solutions predicated on automated analysis and the correlation of massive amounts of data.
For a quick but thorough backgrounder on phishing, visit Cyren’s special resource page on phishing.