Social Engineering Strikes Almost Half of Enterprises, Survey Shows

A new global survey of more 850 IT and security professionals from Check Point Software Technologies Ltd. (a company specializing in Internet security) found that almost half (48 percent) of enterprises it questioned have suffered from vulnerabilities that exploit social engineering -- and suffered more than once. Those surveyed said they had experienced 25 or more attacks over the last two years, at a cost of between $25,000 and $100,000 per security incident.

The report, The Risk of Social Engineering on Information Security, puts phishing and social networking tools at the top of the list of socially-engineering threat sources. Phishing e-mails were popular with (47 percent of respondents), with social networking sites that reveal personal or professional information close behind at 39 percent. The report notes that “social engineering attacks are more challenging to manage since they depend on human behavior and invoice taking advantage of vulnerable employees.” Hackers use several techniques and social networking applications to determine an organization’s “weakest link.”

Enterprises are aware of the problem -- at least in the abstract. According to the survey, 97 percent of security professionals and 86 percent of all IT professionals “recognize social engineering as a growing concern.” Most (51 percent) say financial gain is the top motivator, followed by proprietary information (46 percent), competitive advantage (40 percent), and revenge (14 percent).

When it comes down to the individual organization, however, the numbers aren’t so strong. Although 43 percent know they’ve been targeted by social engineering attacks, 41 percent were not aware if their organization had been attacked. Sixteen percent said they hadn’t been the target of social engineering. Worse, only a quarter (26 percent) conduct ongoing training to inhibit or prevent the success of such attacks, and a third (34 percent) don’t made any attempt to educate their employees.

There are cost savings to be realized in such training and education. “Survey participants estimated each security incident costing anywhere from $25,000 to over $100,000, including costs associated with business disruptions, customer outlays, revenue loss and brand damage,” the company notes.

The company points out that the “prevalence of Web 2.0 and mobile computing has also made it easier to obtain information about individuals and has created new entry points to execute socially-engineered attacks.” Still, it boils down to the victims themselves -- the richest source of information comes from new employees (60 percent cited such employees are susceptible) and contractors (44 percent); both categories may be ignorant of or unfamiliar with corporate security policies. Other rich sources of information from social engineering exploits: executive assistants (38 percent). IT staff -- who presumably should know better -- were noted as being at high risk by 23 percent of respondents. That’s not a comforting number.

Conducted in July and August, the survey focused on workers in the U.S., Canada, UK, Germany, Australia, and New Zealand in organizations of all sizes and several industries (such as finance, defense, retail, health-care, and education).

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 09/27/2011