On average, organizations spend up to 60 minutes dealing with each phishing email identified in their email infrastructure, according to a new report by Osterman Research. Credit: Andreus / Getty Images / Clker-Free-Vector-Images As phishing attacks increase, preventing them from doing damage is proving costly for organizations. Phishing-related activities are consuming a third of the total time available to IT and security teams and costing organizations anywhere between $2.84 and $85.33 per phishing email, according to a new report by Osterman Research.The report does not calculate the cost of damage caused by phishing, rather the productivity loss of IT and security teams.On average, organizations spend 16-30 minutes dealing with each phishing email identified in their email infrastructure, said the report, commissioned by email security firm Ironscales.Osterman based its calculations on a poll of 252 IT and security professionals in the US in June 2022. “The number of phishing emails that hit a specific organization each day is dependent on a myriad of factors, including the industry and geography the company is in,” said Ian Thomas, VP of product marketing at Ironscales. How to calculate the cost of a phishing emailWhile calculating the cost of dealing with phishing in IT and security teams, Osterman Research determined the average salary and benefits offered to an IT and security professional. To do so, it created a composite based on the roles reflected in the survey who spend time each week dealing with phishing at their organization. These roles include IT security manager, IT manager, email security manager, security manager, email security administrator, SOC manager, and SOC analyst. The report calculated that a composite IT and security professional costs $136,528 per year in salary and benefits, or $68.26 per hour.“The average cost per phishing email is calculated by taking the midpoint between the range of the number of minutes, multiplied by the average hourly rate. For example, the midpoint for the ‘5-15 minutes’ range is 10 minutes, so 10 minutes of $68.26 = $11.38. The midpoint for the 46-60 minutes range is 52.5 minutes. For the ‘More than 60 minutes’ option, I selected 75 minutes as the calculation point,” Thomas said. Based on this calculation, the report concluded that organizations spend anywhere between $2.84 per phishing email to $85.33 per phishing email, depending on the amount of time they spent on handling such mails.As the number of IT and security professionals in an organization increases, the cost of phishing-related activity also increases. An organization with five IT and security professionals is currently paying $228,630 of annual salary and benefits to handle phishing, the report said, while an organization with 10 IT and security professionals is paying $457,260 per year to handle phishing. This could go up to $1.14 million a year for an organization with 25 IT and security professionals.Most organizations spend up to 60 minutes per phishing emailThe report specified that that 70% of organizations spend 16-60 minutes on each phishing email. This covers the phishing lifecycle from the initial discovery of a potential phishing email to its complete removal from the environment.On average, phishing-related activities consume one-third of the working hours available each week for the IT and security teams at their organization. This equates to $45,726 in salary and benefits paid per IT and security professional to handle phishing, the report noted. One-third of survey respondents said they believe the current and expected levels of phishing represent a “threat” or “extreme threat” to them. While the current level of threat has declined over the past 12 months, the report said this could be reflective of the shift at many organizations towards office-based work again, where phishing risks are lower than for remote workers.Nevertheless, over the next 12 months, 67% of organizations polled by Osterman said they expect the time spent on phishing emails per week for IT and security teams to stay the same or increase. “Because phishing attacks will almost certainly become more numerous, more sophisticated, and better able to bypass traditional email security detection, a better interpretation of the data presented is that it indicates the desire of how respondents’ organizations want to respond to the phishing threat and not the nature of phishing attacks themselves.” Related content brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security news Gitlab fixes bug that exploited internal policies to trigger hostile pipelines It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. By Shweta Sharma Sep 21, 2023 3 mins Vulnerabilities feature Key findings from the CISA 2022 Top Routinely Exploited Vulnerabilities report CISA’s recommendations for vendors, developers, and end-users promote a more secure software ecosystem. By Chris Hughes Sep 21, 2023 8 mins Zero Trust Threat and Vulnerability Management Security Practices news Insider risks are getting increasingly costly The cost of cybersecurity threats caused by organization insiders rose over the course of 2023, according to a new report from the Ponemon Institute and DTEX Systems. By Jon Gold Sep 20, 2023 3 mins Budget Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe