• by Ray Schultz , Columnist, March 10, 2020

In theory, C-level executives should be less worried about phishing than IT people who have to deal with it.

But they’re not — 38% of decision-makers rank phishing as the highest priority for their companies, versus only 9% of practitioners, according to Robust Email Security Requires Alignment Between Security Practitioners And Decision Makers, a study by security firm Ironscales in partnership with Osterman Research.

Why this split? 

It may be that those in the trenches are more focused on the technical details of phishing and feel they have a handle on it, whereas C-suite types sweat over the business risk — the big picture, the study notes. 

They’re right to be concerned about it. The average firm with 5,000 employees or more spends over $106,000 per year on labor alone to fight phishing emails, or $8,900 per month. That doesn’t take into account the fiscal damage caused by data breaches.

But let’s be fair — 68% of IT people see it as a high priority, compared with 51% of the decision makers. It depends on how you define “high” and “highest.”

In another disconnect, 49% of IT pros say they can handle five or more phishing emails a day. But only 31% of decision makers feel they can.

In contrast, 29% of the decision makers believe their firm can handle three phishing attempts per day, compared to 19% of the practitioners.

Also, decision makers are more likely to say it’s difficult or very difficult to hire and retain people with security skills. That may be because it’s the top honchos who have to make the hires, not the practitioners.

The study also found that security analysts spend 24% of a 40-hour work week detecting or dealing with phishing emails. 

In addition, only one in five companies continuously updates its email security policies in a typical month. 

For 70% of firms, it takes over five minutes to remove a phishing attack from a corporate mailbox. That’s compared to an average time-to-click of 82 seconds.

Almost 60% of firms train their users on email security protocols twice per year at most, while 33% do so monthly or continuously. And 70% use manual processes only.

Add it all up, and 75% cannot act on phishing intelligence automatically in real-time.

What’s more, 90% cannot orchestrate phishing intelligence from multiple sources in real time “in the context of” their overall email security solutions. 

That may be partly due to the plethora of tools being used — 3.5 per company, although decision makers put the number at 2.8 and practitioners put the total at 3.8. 

“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” says Michael Osterman, principal analyst at Osterman Research.

Osterman adds that “decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.” 

Osterman Research surveyed 252 security professionals from the United States and the United Kingdom.