Thursday, October 27, 2011

Social engineering risks explored

Check Point has published the results of a new survey revealing that 42 percent of UK enterprises, and 48 percent internationally, have been victims of social engineering attacks, experiencing 25 or more such attacks in the past two years at an average cost of over £15,000 per incident.

The survey report, ‘The Risk of Social Engineering on Information Security’, shows the most common sources of social-engineering threats are phishing emails (47 percent) and social networking sites (39 percent).

The survey found that new employees (52 percent) and contractors (44 percent) were cited as the most susceptible to social engineering techniques, emphasising that hackers target staff that they suspect are the weakest security links in organisations, using social networking applications to gather personal and professional information on employees to mount spear phishing attacks.

According to the global survey of over 850 IT and security professionals, 86 percent of businesses recognise social engineering as a growing security concern.

A majority of respondents (51 percent) cited financial gain as the primary motivation of attacks, followed by competitive advantage and revenge.

The highest rate of attacks was reported by energy and utility organisations (61 percent), while non-profit organisations reported the lowest rate (24 percent), reinforcing financial gain as the key reason for attacks.

“Although the survey shows that nearly half of enterprises know they have experienced social engineering attacks, 41 percent said they were unsure whether they had been targeted or not.

Because these types of attacks are intended to stay below an organization’s security radar, the actual number of organisations that have been attacked could be much higher. Yet 44 percent of UK companies surveyed are not currently doing anything to educate their employees about the risks, which is higher than the global average,” said Terry Greer-King, UK managing director for Check Point.

Further findings from the survey report are:

  • The threat of social engineering is real – 86 percent of IT and security professionals (80 percent in the UK) are aware or highly aware of the risks associated with social engineering. Approximately 48 percent of enterprises globally (42 percent in the UK) surveyed admitted they have been victims of social engineering more than 25 times in the last two years.
  • Social engineering attacks are costly – Survey participants estimated each security incident costing anywhere between $25,000 and over $100,000, including costs associated with business disruptions, customer outlays, revenue loss and brand damage. 36 percent of UK respondents cited an average incident cost of over $25,000 (£15,000).
  • Lack of proactive training to prevent social engineering attacks – 34 percent of businesses do not have any employee training or security policies in place to prevent social engineering techniques (4 percent in the UK).
  • Financial gain is the primary motivation of social engineering – Financial gain was cited as the most frequent reason for social engineering attacks, followed by access to proprietary information (46 percent), competitive advantage (40 percent) and revenge (14 percent).

While social engineering techniques rely on taking advantage of a person’s vulnerability, the prevalence of Web 2.0 and mobile computing has also made it easier to obtain information about individuals and has created new entry points for executing social engineering attacks.

Greer-King added: “An organization’s employees are a critical part of the security process as they can be misled by criminals, or make errors that lead to malware infections or unintentional data loss. Many organizations do not pay enough attention to the involvement of users, when, in fact, employees should be the first line of defence. A good way to raise security awareness among users is to involve them in the security process and empower them to prevent and remediate security incidents in real time.”

Read the report (PDF).
