Security teams spend significant amounts of time and effort to fend off phishing email attacks, yet the lengthy timeframes needed to manually manage the problem can pose heightened risks for many organizations.
Three-quarters of organizations today (75 percent) cannot act on phishing intelligence automatically in real time, and nearly 90 percent cannot orchestrate phishing intelligence from multiple sources in real time in the context of their overall email security solutions, according to a recent survey report by Osterman Research.
Despite the use of simulated phishing to train users, 47 percent of users still click on malicious links, revealing that even with a focus on applied training exercises, nearly half of users continue to be fooled. In addition, the security skills shortage is clearly impacting the ability of security teams to adequately deal with phishing. For an organization of 5,000 email users in which the average user reports only one phishing email per week, the result would be 1,000 emails that need to be reviewed each week – creating an overwhelming burden for most organizations.
The root problem here involves the substantial time it takes for most organizations to detect, investigate and remediate phishing emails. On average, organizations spend 9.6 person-hours per 1,000 employees each week on the process. And more than 70 percent of organizations surveyed still only use manual processes to review user-reported phishing emails, making the solution far too labor-intensive.
Based on a typical workweek of 40 hours, 24 percent of the security team’s time is spent just investigating, detecting or remediating phishing emails – more than one full workday per week. It’s also important to note that some phishing emails go undetected, resulting in time not spent managing them due to a lack of visibility and intelligence about phishing activities.
Even given a considerable commitment of security staff time, nearly two-thirds of organizations (65 percent) take more than five minutes to detect a typical phishing email after it enters their networks. Nearly one-third (30 percent) take from six to 30 minutes to identify a phishing attempt, while another 14 percent take from 31 to 60 minutes for a detection.
Assuming that the average annual salary for a security analyst is $85,799, the time required to investigate, detect or remediate emails works out to a total time expenditure of 515 person-hours each year per 1,000 employees, or a total cost of $21,235 per 1,000 employees. That equals a labor-only cost of $1.77 per employee per month just to deal with the investigation, detection and remediation of phishing emails. Therefore, an organization of 5,000 employees will spend more than $106,000 annually on labor alone to address its phishing emails.
The survey findings also show that some important automated capabilities to manage phishing and other security issues are sorely lacking. For example, 45 percent of the organizations surveyed are not using threat intelligence feeds and 53 percent lack real-time visibility into zero-day phishing attacks. Their current technologies, practices and processes are often unable to fully address the problem, making phishing the primary security concern.
What’s needed to address this problem is a new approach to threat intelligence that is more automated, with higher levels of accuracy. By evaluating many more characteristics of each site or link in the cloud, such a platform can immediately render a definitive verdict: Malicious or Benign. This approach is much different than legacy threat feed approaches that only offer a probability of being malicious and suspicious. By taking a binary Yes/No approach, new security strategies can provide a blocking threat feed with a continuously updated list of zero-hour phishing email links, URLs, domains, and IPs, including indicators of compromise to stop attacks before they begin.
A real-time threat intelligence feed can instantly sift through all the dynamic data collected from multiple proprietary sources and proactive threat hunting. Another major benefit of a real-time threat feed for instant blocking is the output of near-zero false positives, which helps protect against blacklisting legitimate websites. Due to damaging time delays, organizations that continue to cling to outdated manual security processes are essentially inviting new phishing threats into their networks.
