Close this search box.

Office 365 Phishing, BEC, & Ransomware Survey Highlights

Reading a complete report is not for everyone. If that includes you, here are the key takeaways from the 2022 Osterman report on Phishing, BEC, and Ransomware Threats for Microsoft 365 Customers.

“Less than half the organizations ranked their currently deployed email security solutions effective. Respondents felt least confident in their ability to prevent BEC attacks followed by mass-mailed phishing campaigns.”

It’s alarming that such a large proportion of organizations feel this way about their current solutions, considering how damaging a successful breach can be.

One would expect organizations to feel less confident preventing BEC attacks due to the nature of delivery. BEC attacks are harder to detect as they do not involve malware or malicious URLs that can be more easily analyzed.

“89% of organizations experienced one or more successful breach types during the past 12 months.”

There was a significant increase in the average number of successful breaches compared to the 2019 Osterman Report, rising from 11.3 to 21.6. In addition, Microsoft 365 credentials were the most frequent breach type, occurring almost three times more often than any other incident. A few things might help explain this:

  • The vast increase in the volume and frequency of email-borne threats throughout the pandemic
  • Highly targeted phishing, business email compromise, and ransomware are becoming more sophisticated and elusive every year.
  • Only 22% of organizations in this study managed to analyze all reported messages, leaving ticking time bombs in users’ inboxes.
  • If less than half the organizations are not confident in their currently deployed email security solutions, then the chances are they are vulnerable.

“98% of organizations have given their users a way to report suspicious messages.”

Great stuff, but somebody must investigate these suspicious messages. Time = Money

“60% of organizations only train their users on email threats 1-2 times per year.”

In all walks of life, the harder you work at something, the better you will become. Unfortunately, at this frequency, employees are not going to feel confident enough to apply their training, and therefore the quality of forwarded messages will likely be not as high.

“84% of organizations reported that security awareness training has massively increased the number of messages reported as suspicious at a 41% false-positive rate.”

And there you have it. If, at any point, users are not sure whether something is malicious or clean, they will report it to the help desk or SOC. A further reason the number of alerts is so high is that users often feel victimized as the problem by organizations. This perception creates a culture of fear resulting in users reporting messages to be on the ‘safe side.’

“The number 1 concern for security managers is the time it takes to respond to and remediate threats not blocked by current security measures.”

Not surprisingly, considering the amount of time and salary costs of analysts required to remediate successful attacks, remove confirmed threats from mailboxes, and investigate suspicious messages.

Cost of breach:

  • There was an average of 20.6 breaches per year in the U.S and 22.7 breaches per year in the U.K.
  • It took an average of 197 hours to recover from a successful breach in the U.S and 148 hours in the U.K.
  • The average salary plus benefits used was:
    • U.S – $121,744 or $60.87 per hour
    • U.K – £49,661 or £24.84 per hour
  • The total annual average cost to recover from a successful attack is:
    • Number of breaches * number of hours per breach * hourly pay
    • U.S – $247,022
    • U.K – £83,419

Cost of removing confirmed threats:

  • Analysts in the U.S had to remove confirmed threats from mailboxes 22.4 times per 1,000 mailboxes per year and 21.4 times in the U.K.
  • The Osterman Research team assumed that each attack affects 10% of mailboxes or 100 and that it takes 15 minutes to ‘clean up’ each mailbox.
  • The total annual cost of removing threats from mailboxes before they cause a breach was:
    • Number of removal workflows * 15 minutes * number of affected mailboxes
    • U.S – $34,087
    • U.K – £13,284

Cost to investigate suspicious messages:

  • Osterman Research team assumed 5 minutes to investigate a suspicious message
  • Organizations had an average false positive rate of 41%
  • We know from Cyren’s data that analysts in a 1,000 user organization receive a minimum of 6,170 alerts per year.
  • The cost to investigate alerts is:
    • Number of alerts * .08 * hourly pay
    • U.S – $30,045
    • U.K – £12,256

Total Operational Costs to Manage Email-borne Threats:

  • Successful breach costs + removal of confirmed threats costs + investigation costs
  • U.S – $311,154
  • U.K – £107,959

Curious to know how much phishing investigation and incident response costs your organization? Try our incident response calculator.