On average, organizations spend up to 60 minutes dealing with each phishing email identified in their email infrastructure, according to a new report by Osterman Research.

As phishing attacks increase, preventing them from doing damage is proving costly for organizations. Phishing-related activities are consuming a third of the total time available to IT and security teams and costing organizations anywhere between $2.84 and $85.33 per phishing email, according to a new report by Osterman Research.

The report does not calculate the cost of damage caused by phishing, but rather the productivity loss of IT and security teams.

On average, organizations spend 16-30 minutes dealing with each phishing email identified in their email infrastructure, said the report, commissioned by email security firm Ironscales.

Osterman based its calculations on a poll of 252 IT and security professionals in the US in June 2022.

“The number of phishing emails that hit a specific organization each day is dependent on a myriad of factors, including the industry and geography the company is in,” said Ian Thomas, VP of product marketing at Ironscales.

How to calculate the cost of a phishing email

While calculating the cost of dealing with phishing in IT and security teams, Osterman Research determined the average salary and benefits offered to an IT and security professional. To do so, it created a composite based on the roles reflected in the survey who spend time each week dealing with phishing at their organization. These roles include IT security manager, IT manager, email security manager, security manager, email security administrator, SOC manager, and SOC analyst.
The report calculated that a composite IT and security professional costs $136,528 per year in salary and benefits, or $68.26 per hour.

“The average cost per phishing email is calculated by taking the midpoint between the range of the number of minutes, multiplied by the average hourly rate. For example, the midpoint for the ‘5-15 minutes’ range is 10 minutes, so 10 minutes of $68.26 = $11.38. The midpoint for the 46-60 minutes range is 52.5 minutes. For the ‘More than 60 minutes’ option, I selected 75 minutes as the calculation point,” Thomas said.

Based on this calculation, the report concluded that organizations spend anywhere between $2.84 and $85.33 per phishing email, depending on the amount of time they spend handling such emails.

As the number of IT and security professionals in an organization increases, the cost of phishing-related activity also increases. An organization with five IT and security professionals is currently paying $228,630 of annual salary and benefits to handle phishing, the report said, while an organization with 10 IT and security professionals is paying $457,260 per year to handle phishing. This could go up to $1.14 million a year for an organization with 25 IT and security professionals.

Most organizations spend up to 60 minutes per phishing email

The report specified that 70% of organizations spend 16-60 minutes on each phishing email. This covers the phishing lifecycle from the initial discovery of a potential phishing email to its complete removal from the environment.

On average, phishing-related activities consume one-third of the working hours available each week for the IT and security teams at their organization. This equates to $45,726 in salary and benefits paid per IT and security professional to handle phishing, the report noted.

One-third of survey respondents said they believe the current and expected levels of phishing represent a “threat” or “extreme threat” to them.
While the current level of threat has declined over the past 12 months, the report said this could be reflective of the shift at many organizations towards office-based work again, where phishing risks are lower than for remote workers.

Nevertheless, over the next 12 months, 67% of organizations polled by Osterman said they expect the time spent on phishing emails per week for IT and security teams to stay the same or increase.

“Because phishing attacks will almost certainly become more numerous, more sophisticated, and better able to bypass traditional email security detection, a better interpretation of the data presented is that it indicates the desire of how respondents’ organizations want to respond to the phishing threat and not the nature of phishing attacks themselves.”