As incident response becomes more manual, the time required for SOC analysts to respond to employee-reported phishing notifications has risen 18% quarter over quarter.
Employees report an average of 33,108 incidents annually, a 14% increase over the previous quarter.
As security awareness training increases, a 16% jump in false positives among employee-reported incidents is expected.
According to Verizon’s 2019 Data Breach Investigations Report, over 90% of all breaches start with a phishing email. And Ponemon Institute estimates the probability of falling prey to at least one breach is now 14% per year. With higher volumes of reported attacks taking swamped SOCs longer to remediate, these estimates may ultimately prove optimistic. Worst of all, the fault may in part stem from the very instruments businesses are putting in place to minimize these same risks.
Call it the power of unintended consequences. In addition to security awareness training and phishing simulations, the vast majority of businesses now provide employees with the ability to report suspected phishing emails with push-button ease. More often than not, the result is a mountain of employee-reported phishing emails that bury SOCs with more incidents to investigate, triage, and remediate than they can handle.
But make no mistake: Employee reporting is a key mechanism for detecting and containing breaches before data is exfiltrated. The challenge is to leverage this threat feed so that it becomes the critically important asset it can be, and that will require businesses to also find ways to streamline and automate the processes involved in remediating attacks. Otherwise, the time it takes to discover and resolve email attacks and the breaches that follow will only grow longer and more perilous as corporate data, intellectual property, and other competitive information is exfiltrated by cyber-thieves and monetized in any number of nefarious ways.
ACID’s quarterly survey of SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees is designed to gain insights on the incident response issues facing enterprises. This quarter’s survey participants include 175 respondents in the United States and 75 in the United Kingdom.
The survey asks a battery of questions regarding employee-reported phishing—including reporting mechanism, total volume, false positive rates, existing tools for phishing incident response, and time required to investigate phishing incidents. This section of the Q3 2019 Email Fraud and Identity Deception Trends report highlights analysis of these survey responses.
A full 98% of this quarter’s survey respondents say employees in their organizations have the ability to report phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious emails to the SOC team. Ninety-five percent of last quarter’s survey respondents reported having this ability, reflecting a possible 3% increase in organizations utilizing these tools.
Meanwhile, respondents to this quarter’s survey indicate that 88% of their organizations use phishing simulations to test employees’ ability to detect a phishing attack after participating in security awareness training. The remaining 12% of respondents report that their organization does not conduct such tests. That is a 4% drop compared to responses from last quarter’s survey. Given that last quarter’s survey reflected a 4% increase in organizations offering such tests, the combined surveys suggest the adoption rate for phishing simulations is flat in 2019.
In most cases, phishing simulations are implemented via an outside vendor in order to provide an objective assessment of security vulnerabilities.
Employee phishing reporting doesn’t appear to be a one-size-fits-all proposition. While the most common mechanism available to employees to report phishing is an abuse@company.com inbox, most companies offer a mix of additional reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or implementing a third-party client such as the KnowBe4 phishing button.
Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of a security operations center or help desk support center for investigation and remediation. However, in some cases, the mail platform provider (Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.
The ability for employees to report suspected phishing incidents can be an important tool for SOC analysts. But just how many suspected attacks are reported? What about accuracy?
Based on the results of this quarter’s survey, respondents report roughly 33,108 phishing incidents per organization annually, with a slightly higher number of incidents at UK-based companies, a reversal of last quarter’s survey results.
The suspect emails employees report are not always true phishing incidents. Security training can make users zealous enough to report any questionable email, so spam, unwanted marketing emails, and even legitimate messages are often reported as phishing. Over the last quarter, the false positive rate for employee-reported phishing incidents jumped 16% on a global basis. In the United States, the rate rose from 56% to 65%, while the false positive rate in the United Kingdom saw no increase at all.
SOC analysts must triage, investigate, and remediate every reported threat, whether it is a false positive or a true attack. On a global basis, it now takes an average of 6.4 hours to complete the process. In the United States, the average time is up nearly twenty minutes, while in the United Kingdom it is up more than half an hour.
On average, SOC analysts now spend 6.13 hours triaging a false positive, compared to 5.58 hours in the previous quarter, and 7.31 hours triaging, investigating, and remediating a valid phish, an increase of over half an hour during the same period.
Bombarded by an endless stream of phishing incidents, the average number of SOC analysts per organization topped 15.3 during the second quarter of 2019—up from 14.6 in the previous quarter.
More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees.
For example, 41% of organizations with more than 10,000 employees have twenty or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.
Based on the average 33,108 phishing incidents organizations face annually, along with the average time to remediate these incidents, the average SOC needs 110 analysts working forty hours a week on nothing but incident response to remediate all reported emails. With the average SOC in our survey staffed by 15.3 analysts, that leaves a staffing gap of at least 95 full-time employees. The result is that phishing incidents go undetected, exposing each organization to the possibility of breaches or fraud.
According to the 2019 Verizon Data Breach Investigations Report (DBIR), more than 90% of all data breaches begin with a well-targeted email. For US-based organizations, the average cost of each data breach is now $8.19 million, with a 14.8% probability of suffering at least one breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $8.19 million by the probability of 14.8%, the annual breach risk is $1.2 million.
Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while it often takes months for the breach to be discovered. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.
Automating that process could save 90% of SOC analysts’ time, which could then be applied to far more important initiatives.
As part of our quarterly phishing incident response survey, we asked respondents how much a reduction in phishing incident response time would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by an average of 54% by automating the process of phishing incident response.
In the United States, that figure rose 3% from the previous quarter, to an average 56% reduction in breach risk, while in the United Kingdom, estimates rose 4% during the same period, to an average 48% reduction. On a global basis, a 54% reduction in breach risk would result in a $654,545 decrease in annual breach risk for the average business.
Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.
To calculate a custom ROI for your organization, visit www.agari.com/roi
Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $9.9 million and an average annual breach risk of $1.2 million, for a total cost of $11.1 million per company.
By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by up to 54%, organizations could save $8.9 million in SOC costs and $654,545 in breach risk—for a total savings of $9.55 million annually.
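The staffing gap, annual breach risk, and savings figures in this section all come from one simple model. The following Python block is an added example that reproduces those figures from the survey averages; it is not Agari’s own ROI calculator, and the 48-week working year and $90,000 annual cost per analyst are assumptions not stated in the report, chosen because they reproduce its 110-analyst and $9.9 million totals.

```python
# Added example reproducing the cost model behind this section's headline
# figures; it is not Agari's own ROI calculator. Fields marked 'report' are
# averages quoted in the text; 'assumed' values are not stated in the report
# and were chosen because they reproduce its totals.
from dataclasses import dataclass


@dataclass
class PhishingResponseModel:
    incidents_per_year: float = 33_108       # report: reported incidents per year
    hours_per_incident: float = 6.4          # report: global average handling time
    analysts_on_staff: float = 15.3          # report: average SOC analysts
    breach_cost: float = 8_190_000           # report: Ponemon average US breach cost
    breach_probability: float = 0.148        # report: Ponemon annual breach probability
    time_saved_by_automation: float = 0.90   # report: reduction in handling time
    breach_risk_reduction: float = 0.54      # report: respondents' estimated reduction
    hours_per_analyst_year: float = 40 * 48  # assumed: 40 h/week for 48 working weeks
    cost_per_analyst: float = 90_000         # assumed: annual cost of one analyst

    def analysts_needed(self) -> float:
        # Full-time analysts required to clear every reported incident.
        return self.incidents_per_year * self.hours_per_incident / self.hours_per_analyst_year

    def staffing_gap(self) -> float:
        return self.analysts_needed() - self.analysts_on_staff

    def manual_soc_cost(self) -> float:
        # Annual cost of staffing the SOC to work every incident by hand.
        return self.analysts_needed() * self.cost_per_analyst

    def annual_breach_risk(self) -> float:
        # Expected annual loss: breach cost times probability of a breach.
        return self.breach_cost * self.breach_probability

    def total_annual_cost(self) -> float:
        return self.manual_soc_cost() + self.annual_breach_risk()

    def soc_savings(self) -> float:
        return self.manual_soc_cost() * self.time_saved_by_automation

    def breach_risk_savings(self) -> float:
        return self.annual_breach_risk() * self.breach_risk_reduction

    def total_savings(self) -> float:
        return self.soc_savings() + self.breach_risk_savings()


if __name__ == "__main__":
    m = PhishingResponseModel()
    print(f"analysts needed {m.analysts_needed():.1f}, gap {m.staffing_gap():.1f}")
    print(f"annual cost ${m.total_annual_cost():,.0f}, savings ${m.total_savings():,.0f}")
```

The report’s $9.55 million total savings reflects rounding the SOC savings to $8.9 million before adding the $654,545 breach-risk savings; the unrounded model gives about $9.59 million.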