What would that number be if you added in lost productivity, intellectual property, disruption of services?
RSA just released their 2013 Fraud Report, which estimates global losses from phishing at $1.5B. Big numbers get headlines, but I think they are grossly underselling the figure.
First, let’s look at what this represents: according to the stats, it’s mostly consumer fraud losses (hence the name of the report). That means hijacked accounts, stolen credit/debit card numbers, and some unfortunate souls who actually sent money to that relative on vacation claiming to have lost their passport.
But that figure is dwarfed by the true cost of phishing. Lost intellectual property and compromised government secrets are probably the most egregious yet unquantifiable aspects of the aftermath. Read through the recent Mandiant APT1 report (PDF here), and you’ll see several examples of China’s success in exfiltrating tons of data.
The troubling consistency? Almost every instance started with a spear phishing attack.
Many of the companies we speak with rarely have a data breach due to phishing, but they are still very motivated to decrease employee vulnerability — precisely because there are so many other variables these attacks impact. Even if data itself is untouched, there can be hours, days, even weeks of lost employee productivity because a detected breach triggers investigations to confirm nothing bad happened. Then there’s the time spent cleaning up an infected system, and resetting employee accounts. This all costs time and talent diverted from meeting the normal, essential responsibilities of both the affected employees and IT personnel.
It’s hard to track and measure that kind of impact, but we all understand the insidious opportunity cost of a compromised network, even if there wasn’t a bit of data bothered. One of our customers has a three-person security team that spends 30-40% of its time dealing with phishing-related activities. Any reduction in compromise delivers immediate benefits in time and expenses saved, even when data remains untouched.
The takeaway? The value of lost data itself is not the final measurement of phishing attack impact. Consider all the other variables that can cost your organization big time, even if the information itself remains safe, and you can start to see the real value of employees trained to resist spear phishing.