We recently conducted a survey looking at the growing issue of social engineering, taking in the opinions of over 850 IT and security professionals worldwide. In it, we found that 42% of UK enterprises have been victims of social engineering attacks.
What’s more, UK businesses said they had experienced 25 or more such attacks in the past two years, at an average cost of over £15,000 per incident. Internationally, the figure is even worse, with 48% of businesses registering social engineering attacks.
The most common attack vectors were phishing emails (47%) and social networking sites (39%), with new employees (52%) and contractors (44%) being cited as the most susceptible to social engineering techniques.
I believe this highlights two key issues. Firstly, attackers have switched targets. Instead of trying to hack directly into systems, they’re now hacking people in order to gain access to corporate resources. And inevitably, hackers are targeting the members of staff that they suspect are the weakest security links in organisations. They’re using social networking applications to gather personal and professional information on employees to mount focused, ‘spear phishing’ attacks with the aim of getting the employee to click a plausible-looking link or download a file containing the trojan or malware that will give them access to resources.
So what’s the solution? Organisations can’t ban email, and although some try to bar access to social networking sites like LinkedIn, certain functions such as sales, marketing or recruitment need access – which means a ban isn’t practical.
The survey data did point towards a key issue that could offer a solution, however: 34% of global respondents, and 44% of UK respondents, said they did not have any employee training or security policies in place to prevent social engineering techniques.
If organisations aren’t making employees aware of the issue, much less introducing it into their security policies, it’s no surprise that so many firms have been successfully targeted by social engineering techniques.
By involving users in the security process, and ensuring they are aware of risks such as spear-phishing attacks, they can become the first line of defence against social engineering threats. A combination of ongoing education and reminders of corporate policies on these types of threats – especially at the point where users are about to access social networking sites – could well mitigate the social engineering risk to organisations.
Access the full survey report here: http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf
By Terry Greer-King, Managing Director, UK, Check Point