If you’ve been home sick and watching TV for the last 43 years, you’ve probably caught at least one episode of “The Price is Right,” the game show where contestants have to guess what a product costs in order to win it as a prize. If you’re an IT security professional or email administrator who wants to “Come on down!” and take a guess at what a spear phishing attack costs, this article will help you consider some expenses you might not have thought about before. To illustrate what a spear phishing attack might cost you, we’re going to use a hypothetical business with $100 million in revenue that suffers a breach of 50,000 customer records in the attack.
What is “spear phishing,” anyway? Briefly, spear phishing is a variant of phishing (the use of email to lure recipients into clicking on links) that employs specific references to people and projects the recipient knows. An email from a “friend” turns out to be fake, concealing a link that plants spyware on the recipient’s device. Spear phishing has been a preferred vector of penetration for sophisticated criminal gangs who get inside large corporations and steal login credentials and data.
Spear phishing attacks can be costly. Business impacts include cash settlements of litigation, loss of intellectual property, reputation damage and regulatory penalties. Some of these costs may be covered by insurance, but there will surely be out-of-pocket outlays as well. We are going to try to put dollar figures on a number of less obvious and intangible costs of a data breach resulting from spear phishing. For the sake of simplicity, we will assume that this attack does not trigger any regulatory fines.
IT Department Costs
When something goes badly wrong, your people have to fix it. Using an estimate of 60 staff-hours and 30 outside consultant hours to correct the problem, the spear phishing incident will cost the IT department $8,430, as shown in the table below. This estimate is based on the national average IT salary of $81,000. Repairing the damage will also distract the IT department from other tasks and projects that could drive business profitability.