“What is our organization’s risk from phishing attacks, and how do we reduce that risk?”
In their roles as subject-matter experts (SMEs), security professionals can easily explain the who, what, when, where, and how of phishing attacks, but those details don’t convey the business risk phishing attacks carry or the best next steps for reducing that risk. And the risk can be substantial: the median cost of a phishing attack is $260K, and the cost can be as high as $10M.
So, when business leaders ask about the risk of phishing attacks, it’s critical to remember that they’re not SMEs hired to assess and address the risk; they’re decision makers seeking information about the likelihood that attackers will target the company, the extent to which a phishing attack would impact the company, and the most intelligent next steps to address the risk.
Before an SME can begin to convey that risk to business leaders, he or she must first quantify that business risk. Aberdeen research shows that the best approach to determining phishing attack risk is through a quantitative risk assessment, rather than the popular qualitative risk assessments favored for their understandability.
Though qualitative risk assessments may be easier for decision makers to understand, the qualitative model leads to business decisions being made based on intuition, judgment, and gut instinct. Quantitative risk assessments, by contrast, lead to business decisions made based on actionable pieces of the best-available data (for a more granular look at quantitative methodology, please see Reducing the Risk of Phishing Attacks: It’s About Time (November 2017)).
To ensure no factors are overlooked during a phishing risk assessment, adopt the quantitative assessment methodology to deliver the best insight and most accurate risk assessment to your company’s decision makers.
Aberdeen also uses the quantitative risk assessment model, and our research on industry-specific risk of phishing attacks is informed and influenced by empirical, publicly available insights about phishing attacks and data breaches. To learn more, don’t miss our upcoming webinar, Reducing the Risk of Phishing Attacks, which will take place 11 a.m. EST / 4 p.m. GMT on February 22. Join me as I reveal the potential scope of damage incurred in the first 60 minutes of a phishing attack and how Best-in-Class companies reduce and manage this risk.