If you’ve been home sick and watching TV for the last 43 years, you’ve probably caught at least one episode of “The Price is Right,” the game show where contestants have to guess what a product costs in order to win it as a prize.
If you’re an IT security professional or email administrator who wants to “Come on down!” and take a guess at what a spear phishing attack costs, this article will help you consider some expenses you might not have thought about before. To illustrate what a spear phishing attack might cost you, we’re going to use a hypothetical business with $100 million in revenue that suffers a breach of 50,000 customer records in the attack.
What is “spear phishing,” anyway? Briefly, spear phishing is a variant on phishing (the use of email to lure recipients into clicking on links) that employs specific references to people and projects that the recipient knows. An email from a “friend” turns out to be fake, concealing a link that installs spyware on the recipient’s device. Spear phishing has been a preferred vector of penetration for sophisticated criminal gangs who get inside large corporations and steal login credentials and data.
Spear phishing attacks can be costly. Business impacts include cash settlements of litigation, loss of intellectual property, reputation damage and regulatory penalties. Some of these costs may be covered by insurance, but there will surely be out-of-pocket outlays as well. We are going to try to put dollar figures on a number of less obvious and intangible costs of a data breach resulting from spear phishing. For the sake of simplicity, we will assume that this attack does not trigger any regulatory fines.
IT Department Costs
When something goes badly wrong, your people have to fix it. Using an estimate of 60 staff hours and 30 outside consultant hours to correct the problem, the spear phishing incident will cost the IT department $8,430, as shown in the table below. This estimate is based on the national average IT salary of $81,000. Repairing the damage will also distract the IT department from other tasks and projects that could drive business profitability.
Legal Fees and Settlements
When big breaches occur, people often sue, and your company will have to respond to litigation. Assuming 175 hours of time spent by in-house counsel, who are paid an average of $200,000 per year, and 500 hours of outside law firm time at $350 an hour, the legal fees for the spear phishing attack will be $192,500. Then there are the settlements themselves. If 1% of the customers whose records were breached sue successfully and have to be paid $2,500 each, it will cost your company $1,250,000 to settle claims related to the spear phishing attack.
Identity Protection
Some companies that suffer a breach purchase identity protection for those who are affected. Anthem Blue Cross and others hired AllClearID for each account holder whose data was breached in an attack. AllClearID charges $4.95 per month per account for identity protection. To protect 50,000 identities for a year would cost you $2,970,000. There may be volume discounts available, but it will still be a major expense.
Call Center Costs
A lot of breach victims want or need to call your company to understand what they have to do, what it means to them, and so forth. Answering the phone costs money. If each victim calls twice and speaks for 7 minutes each time, you’re looking at 700,000 minutes of call center operator time. At the national average of $1.50 a minute for call center time, that’s a $1.05 million expense stemming directly from the spear phishing attack.
Notification Costs
Either by legal requirement or company policy, you may have to notify victims of the breach by postal mail. Follow-up letters will also likely be required. If the process requires three letters per victim, at a cost of $2.50 each to prepare and mail, the postal communication cost of the spear phishing attack will be $375,000.
Lost Customers
You should not assume that everyone whose data was breached is going to stick around and remain your customer. Let’s say that 3% of the victims, or 3,000 customers, hit the road after they lose confidence in your ability to keep their data safe. If each customer has an annual revenue contribution of $250, for example, that represents a $375,000 cost from the spear phishing attack.
Reputation Damage
Reputation or brand damage is usually considered intangible, but it needn’t be. With the disclaimer that this is only one of several ways of estimating the value of a brand, it’s possible to argue that reputation basically translates into the ability to charge higher prices. Think about it like this: what’s the difference in price between a can of brand name soda and a no-name brand? Perhaps it’s five cents. That’s not an accident. Consumers will pay five cents more for the brand name. It is the same across much of the consumer economy: branded items cost more and generate higher margins for their producers. That’s one of the reasons companies invest in brand building. In our example of a $100 million company, let’s say that the spear phishing attack hurts the brand to the extent that gross margin shrinks from 40% to 39%. That’s a $1 million loss.
Totaling it Up
The total cost of this hypothetical spear phishing attack is $7,220,930. What’s more, dealing with the incident will distract many people from other work, which will affect growth, morale and strategy.
Of course, this is an estimate based on numerous assumptions that will vary greatly from case to case. However, the total costs look to be substantial whenever there is a serious incident.
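As an added example (not part of the original article), the following Python model recomputes the line items above from the stated assumptions and reproduces the $7,220,930 total, so the same model can be re-run with your own record count, unit costs or churn rate. The IT and legal figures, which the article gives only as totals, are taken as stated rather than derived.

```python
"""Breach-cost model for the hypothetical $100M company in the article.

Added example, not part of the original article. Line items the article
derives from stated assumptions are recomputed here; the IT and legal
figures, which the article gives as totals, are taken as stated.
"""
from dataclasses import dataclass


@dataclass
class BreachAssumptions:
    records_breached: int = 50_000
    annual_revenue: float = 100_000_000
    it_cost: float = 8_430            # article's figure (60 staff + 30 consultant hours)
    legal_fees: float = 192_500       # article's figure (in-house + outside counsel)
    lawsuit_rate: float = 0.01        # share of victims who sue successfully
    settlement_per_claim: float = 2_500
    id_protection_monthly: float = 4.95
    id_protection_months: int = 12
    calls_per_victim: int = 2
    minutes_per_call: int = 7
    call_center_per_minute: float = 1.50
    letters_per_victim: int = 3
    cost_per_letter: float = 2.50
    churn_rate: float = 0.03          # share of victims who leave
    revenue_per_customer: float = 250
    margin_loss: float = 0.01         # gross margin 40% -> 39%


def breach_costs(a: BreachAssumptions) -> dict:
    """Return each cost line item plus the total, in dollars."""
    n = a.records_breached
    items = {
        "it_department": a.it_cost,
        "legal_fees": a.legal_fees,
        "settlements": n * a.lawsuit_rate * a.settlement_per_claim,
        "identity_protection": n * a.id_protection_monthly * a.id_protection_months,
        "call_center": n * a.calls_per_victim * a.minutes_per_call * a.call_center_per_minute,
        "postal_notification": n * a.letters_per_victim * a.cost_per_letter,
        "customer_churn": n * a.churn_rate * a.revenue_per_customer,
        "brand_damage": a.annual_revenue * a.margin_loss,
    }
    items["total"] = sum(items.values())
    return items


if __name__ == "__main__":
    for name, value in breach_costs(BreachAssumptions()).items():
        print(f"{name:>20}: ${value:>12,.0f}")
```

Note that only the per-victim items scale with the number of records; the brand-damage line depends on revenue alone, which is why a smaller breach at the same company still carries that $1 million.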
Defending Against Spear Phishing Attacks
Vade Secure’s anti-phishing solution offers a unique defense against spear phishing attacks. It can be layered on top of existing anti-spam solutions to provide better overall email protection.