Security training is key as cost of phishing attacks rises

Successful phishing attacks lead to costs from lost employee productivity and credential compromise, among other factors, which together may cost an average-sized company $3.77 million (£2.4m) per year.

New research released by Wombat Security Technologies and the Ponemon Institute finds that the phishing email click rate improved by an average of 64 per cent following security training.

"In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks. This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these", says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "As the threat landscape continues to intensify and phishing tactics become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack".

As a result of training provided by Wombat, Ponemon estimates a cost saving of $1.8 million (£1.1m) or $188.40 (£122) per user. If companies paid Wombat's standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determined a substantial net benefit of $184.7 per user - an annual rate of return on investment of 50X.

Among the other findings, the average total cost for a company to contain malware is $1.9 million (£1.2m) per year. Uncontained malware can cost an average-sized company as much as $105.9 million (£68.6m). The cost of business disruption due to phishing is $66.9 million (£43.4m), and employees waste an average of 4.16 hours annually due to phishing scams.

The average annual cost to contain a credential compromise that resulted from a successful phishing attack is $381,920 (£247,493). An uncontained credential compromise could cost a company as much as $105.9 million (£68.6m).

"This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption", says Joe Ferrara, President and CEO of Wombat Security Technologies.

"This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organisation".

The full report, "The Cost of Phishing and the Value of Employee Training", is available on the Wombat Security website.