Organizations that manage to avoid getting hooked by a phishing attack and its associated costs may still be caught up in the net of wider security costs. According to ThreatSim’s 2013 State of the Phish, a survey of 300 IT executives, administrators and information security professionals, 84 percent of organizations have experienced a phishing attack.
Of those attacked, 27 percent rate the impact of the attack as “material” (defined as some form of malware infection, unauthorized access or stolen data from a breach tied to phishing). Another 57 percent rate the impact of the attack as “minimal,” or unsuccessful.
But even a failed attack comes at a cost. While the attack itself may not do much damage, it can still be highly disruptive because of employee downtime and the amount of IT staff time that must be devoted to restoring systems and resetting accounts. One respondent reports that as much as 50 percent of a security team’s time can be spent chasing compromised accounts that have “minimal” impact.
So what’s a small fish in a big menacing pond to do? The report data shows that a majority of organizations rely on traditional awareness techniques, such as email advisories (46 percent), webinars or meetings (17 percent) and simulations (12 percent). These campaigns work — the more frequent, the better: Organizations with monthly campaigns in place have seen user click rates on phishing emails fall to 4 percent.