The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks, according to a new report from the Ponemon Institute.
The report, which surveyed 377 IT professionals in companies ranging in size from less than 100 to over 75,000 employees, showed that about half of the costs were due to productivity losses.
The average employee wastes 4.16 hours a year on phishing scams.
In addition, 27 percent of the costs was the risk of having to respond to a data breach caused by a compromised credential, 10 percent was the direct costs of addressing compromised credentials, 9 percent was the risk of a data breach caused by malware, and the remaining 6 percent were the direct costs of containing malware.
"Everyone understands the cost of a breach, and one of the biggest threat vectors is phishing," said Joe Ferrara, CEO at Wombat Security Technologies, which sponsored the report.
According to the latest Verizon data breach report, phishing is the second most common threat vector, implicated in around a quarter of all data breaches last year.
"But I don't think anyone really had a handle on all the costs layered into it," said Ferrara.
But the Ponemon report wasn't all bad news. Companies can substantially reduce their phishing-related costs with employee education, such as the automated training offered by Wombat, which was spun off from Carnegie Mellon's CyLab cyber security research center.
Companies who roll out training programs see improvements of between 26 and 99 percent in their phishing email click rates, with an average improvement of 64 percent, according to Ponemon.
Adding in a 25 percent drop in retention, Ponemon calculated a phishing-related cost savings of $188 per user for the average company.
This translates to $77 per user for the lowest-performing training program.
At a cost of less than $4 per employee, that results in a 20-fold return on investment over a year from the worst-performing training program, and a 50-fold return from the average program.
This calculation does not include the training time, however. According to Ferrara, it takes a user about 30 minutes to go through all three of the company's anti-phishing training modules, and the "teachable moment" of interacting with a simulated phishing email is under a minute.
With that adjustment, the total savings drops to around $137 for the average training program, and $24 for the least effective one, making for a 37-fold and seven-fold return on investment, respectively.
"The important thing to keep in mind is that the potential loss after a phishing attack is far greater and far more devastating than just the loss of productivity," Ferrara added.
A good way to get employees motivated to do the training is to first run a simulated phishing attack, said Ferrara.
Not only does that provide a baseline metric for how often phishing emails are clicked on, but it also demonstrates to employees that they are vulnerable.
"We had a customer who ran a simulated attack against their IT organization and they had a huge failure rate -- it was a real eye-opener for them -- more than 50 percent of the people failed," said Ferrara. "We used that as motivation to get them to take training. As long as you don't hammer them over the head or belittle them, you can get a great response."