by Max Avory

Phishing campaigns continue to become more targeted and sophisticated, evading email gateways and Microsoft 365 Defender, and forcing businesses to increasingly rely on employees to spot suspicious messages. Even if your organization has avoided getting phished (well done, by the way), the odds are your security team spends too much of its time investigating suspicious messages and removing malicious emails.

Security Maturity

The time spent investigating alerts and remediating confirmed threats depends on a company's security maturity level. In the context of phishing, security maturity refers to how a company continually improves the people, processes, and technology involved in mitigating phishing and business email compromise attempts. The level of maturity is based on how optimized and automated an organization's handling of these types of attacks is.

Why Low Security Maturity = High Cost

A company operating at a low maturity level will continue to see an increase in the number of alerts and false positives, especially if it relies entirely on user-submitted emails and rules-based detection in a secure email gateway. Whilst security awareness training has done a good job of educating employees about the risks, it has also contributed to the additional number of alerts, in particular the false positives sent to SOC teams by employees.

It takes a lot of effort for a SOC analyst to manually investigate these alerts and remediate confirmed threats. Continuing to detect and manually respond to confirmed threats in this fashion is not sustainable and costs a company a great deal of time and SOC analyst salary.

Bigger Concerns

Alert fatigue associated with targeted phishing and business email compromise is real. SOC analysts are overwhelmed with the volume of alerts from users, two-thirds of which are false positives. It has been widely reported that alert fatigue leads to missed, ignored, or delayed responses, which could develop into a significant security breach if not caught in time. So much time is being spent triaging phishing alerts that CISOs are alarmed about other strategic objectives being neglected.

It has gotten to the point that security professionals are considering a change in profession because of burnout. Stress and anxiety are on the rise, driven by the fear of missing an incident, which is a further reason the scale of this problem is growing out of control. Phishing attacks do not always occur during regular business hours, so SOC teams must be on call 24/7, adding to their frustration. Despite the lucrative salaries SOC analysts earn, the turnover is straining the existing labor shortage in the cybersecurity industry.

Eliminate the Pain and Salary Costs

There are solutions that remove the strain security teams are facing. Existing efforts like security awareness training are not enough on their own to fight phishing. Implementing a multi-layered approach, however, will reduce not only the number of alerts but also the time it takes to investigate and remediate them.

It is important to detect and classify what gets through the gateway (e.g., as malicious, suspicious, or clean) by adding a post-delivery detection system (e.g., one based on machine learning). Automating the remediation of confirmed malicious emails and crowd-sourcing the analysis of suspicious messages will reduce the volume of alerts that SOC analysts must triage. Further, organizations can outsource incident response to eliminate the investigation burden associated with analyzing suspicious emails. Security awareness training should be used to create a culture of empowerment rather than fear, by giving users easy-to-use security tools that help them apply their security knowledge. This in turn will reduce the number of false positives submitted by users while also reducing the number of suspicious emails that go unreported.

Curious to know what phishing investigation and incident response costs your organization? Find out by using our Incident Response Calculator.

Disclaimer

Cyren Ltd. published this content on 27 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 27 January 2022 16:37:15 UTC.