With the vast majority of businesses implementing security awareness training, phishing simulation, and the ability for employees to report phishing, it’s critical to understand how to leverage this threat feed to discover and contain breaches before data is exfiltrated. To that end, it’s crucial for businesses to streamline the process of triaging, investigating, and remediating phishing incidents to avoid flooding the security operations center (SOC) with more phishing incidents to investigate than it can handle. Otherwise, intelligence regarding breaches may go undiscovered until it is far too late.
As part of the introduction of Agari Phishing Response to the market, ACID conducted a survey of 325 organizations ranging in size from 1,000 employees to 209,000 employees. Of the respondents, 237 were based in the United States with 83 based in the United Kingdom.
The respondents included a combination of both Agari customers and non-customers—74 and 251 respectively. The survey asked a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate, existing tools for phishing incident response, and time required to investigate phishing. This section of the Q1 2019 report highlights the analysis of responses to these questions.
Respondents report that 98% of employees have the ability to report phishing attacks, and often even have a convenient button and/or abuse inbox to forward suspicious messages to the security team. Eighty-eight percent of organizations report using a phishing simulation vendor to test employees’ ability to detect a phishing incident after participating in security awareness training.
While the most common method available to employees to report phishing is an firstname.lastname@example.org inbox, most companies offer multiple other methods, including filing a help desk trouble ticket, using the native email client such as the Microsoft Office 365 example, or using a third-party email client button like the KnowBe4 phishing button example.
Whether the phishing incident is reported through an inbox or phishing button, the phishing email itself is forwarded to some combination of a security operations center (SOC), help desk support center, for investigation and remediation team. In some cases, the mail platform (Microsoft Office 365 or Google Suite) or phishing simulation vendor also receives a copy of the reported phishing messages.
With 98% of employees having the ability to report phishing and 88% being tested regularly on their ability to identify phishing incidents, the next logical question to answer is “What is the volume of employee reported phishing incidents?”
Based on the 304 organizations we surveyed—222 in the United States and 82 in the United Kingdom—employees report more than 23,000 phishing incidents per organization on an annual basis, with a slightly higher number of phishing incidents in UK-based companies.
30% of respondents reported phishing incidents to be between a common range of 12,000 to 36,000 per year.
While employees frequently report phishing, the emails they report are not always true phishing incidents.
Security training often encourages users to report any suspicious email. As a result, spam, unwanted marketing emails, as well as legitimate email is often reported as phishing—even when they are not.
When we asked organizations “what percentage of employee phishing reports were determined to be false positives?” companies reported that their false positive rate was 50% on average, with a slightly higher false positive rate in UK-based companies.
In the survey, respondents were asked: “For employee phishing reports, how much time on average does it take a SOC analyst to triage, investigate, and remediate?” This question was asked in the context of both true phishing incidents and false positive reports.
The overall average across all phishing incidents was 4.9 hours to triage, investigate, and remediate. On average, SOC analysts spent 3.96 hours triaging a false positive, and 5.88 hours triaging, investigating, and remediating a valid phish.
The triage process typically involves a quick investigation of the sender domain and address, URLs, and attachment to determine if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgment of the analyst.
By comparing the average false positive to true phish time, we estimate that 67% of SOC analyst time is spent in the triage phase of the process, while only 33% is spent on forensic analysis and remediation.
To determine if SOCs are adequately staffed to handle phishing incidents in a timely manner, respondents were asked about the size of the SOC team.
A full 94% of organizations reported having at least one dedicated SOC analyst. As you might expect, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees.
For example, 41% of organizations with more than 10,000 employees had 20 or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.
Based on the average number of phishing incidents and the average time to remediation (4.9 hours), the average SOC needs 54 analysts to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 12.5, there is a staffing gap of at least 41.5 full-time equivalents (FTEs). This gap currently results in most organizations failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.
According to the 2018 Verizon Data Breach Investigations Report (DBIR), the entry point for 96% of data breaches is email. The average cost of a data breach in the United States is $7.9 million, with a 14% probability of a breach occurring annually, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the probability of 14%, the annual breach risk is $1.1 million.
Meanwhile, the DBIR finds that the average data breach results in the exfiltration of data within minutes or hours—while the average time-to discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.
As part of the phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, businesses felt they could reduce breach risk by 50% by automating the process of phishing incident response.
A 50% reduction in breach risk would result in a $551,025 decrease in annual breach risk for the average business.
Based on the data captured in the phishing incident response survey, we have all of the factors needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.
To calculate a custom ROI, visit www.agari.com/roi
Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $4.86 million and an average annual breach risk of $1.1 million—for a total cost of $5.96 million per company. Based on the results we’ve seen with our enterprise clients, it is possible to automate the time spent by SOC analysts per phishing incident by 90% or more. In addition, survey respondents estimate that the acceleration in time to remediate phishing incidents results in a 50% reduction in breach risk. Thus, the return on investment of the time saved by SOC analysts translates to $4.37 million and the reduction in breach risk represents a savings of $550,000—for a total savings of $4.92 million.