IT Vs. The Big Phish: Study Finds Split On Security Risk

In theory, C-level executives should be less worried about phishing than IT people who have to deal with it.

But they’re not — 38% of decision-makers rank phishing as the highest priority for their companies, versus only 9% of practitioners, according to Robust Email Security Requires Alignment Between Security Practitioners And Decision Makers, a study by security firm Ironscales in partnership with Osterman Research.

Why this split? 

It may be that those in the trenches are more focused on the technical details of phishing and feel they have a handle on it, whereas C-suite types sweat over the business risk — the big picture, the study notes. 

They’re right to be concerned about it. The average firm with 5,000 employees or more spends over $106,000 per year on labor alone to fight phishing emails, or $8,900 per month. That doesn’t take into account the fiscal damage caused by data breaches.

But let’s be fair — 68% of IT people see it as a high priority, compared with 51% of the decision makers. It depends on how you define “high” and “highest.”



In another disconnect, 49% of IT pros say they can handle five or more phishing emails a day. But only 31% of decision makers feel they can.

In contrast, 29% of the decision makers believe their firm can handle three phishing attempts per day, compared to 19% of the practitioners.

Also, decision makers are more likely to say it’s difficult or very difficult to hire and retain people with security skills. That may be because it’s the top honchos who have to make the hires, not the practitioners.

The study also found that security analysts spend 24% of a 40-hour work week detecting or dealing with phishing emails. 

In addition, only one in five companies continuously updates its email security policies in a typical month. 

For 70% of firms, it takes over five minutes to remove a phishing attack from a corporate mailbox. That’s compared to an average time-to-click of 82 seconds.

Almost 60% of firms train their users on email security protocols twice per year at most, while 33% do so monthly or continuously. And 70% use manual processes only.

Add it all up, and 75% cannot act on phishing intelligence automatically in real-time.

What’s more, 90% cannot orchestrate phishing intelligence from multiple sources in real time “in the context of” their overall email security solutions. 

That may be partly due to the plethora of tools being used — 3.5 per company, although decision makers put the number at 2.8 and practitioners put the total at 3.8. 

“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” says Michael Osterman, principal analyst at Osterman Research.

Osterman adds that “decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.” 

Osterman Research surveyed 252 security professionals from the United States and the United Kingdom.




1 comment about "IT Vs. The Big Phish: Study Finds Split On Security Risk".
Check to receive email when comments are posted.
  1. Craig Mcdaniel from Sweepstakes Today LLC, March 11, 2020 at 1:12 a.m.

    I have been sending Cox email about 10 to 15 phishing emails per day for the last 3+ months. Here is the real underlining probelem.  All are using contents that have affiliate advertising. The pictures and logos are legit, the links are not. 2. All come through the same domain registratar located in Arizona. This are the cheap domains that can be bought for less than $2.00 per. The owner of these hundreds are located in Las Vegas. All of this can be verified by 

     The point here is the phishing emails can be solved by going after the head of the snake. The companies supporting the phishing. Individual State Attorney General could but haven't? Because it is easy to write about the problems but acting on them is not being done. The other problem is there are tech companies who should be going after the bad guys I simply found but are making more money by not saying who are behind these phishing attacks.

Next story loading loading..