Phishing attacks are taking up close to five hours of employees’ time a year and costing $3.7 million to large organizations, according to recent research. That’s despite the fact that proper education and training could save those businesses almost half that amount.

A recent report from the Ponemon Institute showed that the true cost of phishing attacks was nearly split between actual financial damages and the productivity hit organizations take in responding to data breaches. It also found that, even with automated training programs costing less than $5 per staff member, organizations could see a return on investment of 20 or even 50 times that amount.

One of the authors of the report told CSO Online that setting up a mock phishing attack may be one of the best ways to determine how susceptible employees are to social engineering tricks from cybercriminals. Overall, the amount of time such training takes will have an impact on the cost savings, but the average improvement in click-through rates on bogus emails and the like are probably well worth the effort.

Some of the numbers in the Ponemon report should be enough to get almost any CISO more focused on training initiatives. Infosecurity Magazine highlighted the fact that uncontained malware — which is largely distributed via phishing attacks that try to get access to employee credentials — can cost nearly $106 million per year for a company of average size.

A good example of how this works happened just a few weeks ago. According to PC Gamer, Epic Games began warning consumers that cybercriminals were sending out email messages with phony links that asked recipients to click suspicious links and offer up information. This took place not long after the studio’s online forums had been hacked, showing that cybercriminals are not content to limit their tactics to merely one vector, particularly if their initial efforts are successful.

While organizations may sometimes feel like they’re on their own, law enforcement agencies do manage to nab some of the worst offenders. UPI reported that police recently arrested Sanford Wallace, who plead guilty to using phishing attacks via 27 million spam messages on Facebook. But it’s impossible to capture all cybercriminals, so organizations will have to do their part to stay secure and avoid phishing attacks.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…