Check Point Survey Reveals 48% of Enterprises Have Suffered Multiple Social Engineering Attacks
September 2011 by Check Point
Check Point announced the results of a new survey revealing that 48% of enterprises have been victims of social engineering attacks, experiencing 25 or more such attacks in the past two years at an average cost of over £15,000 per incident.
The survey report, The Risk of Social Engineering on Information Security, shows the most common sources of social-engineering threats are phishing emails (47%) and social networking sites (39%). The survey found that new employees (52%) and contractors (44%) were cited as the most susceptible to social engineering techniques, emphasising that hackers target staff that they suspect are the weakest security links in organisations, using social networking applications to gather personal and professional information on employees to mount ‘spear phishing’ attacks.
According to the global survey of over 850 IT and security professionals, 86% of businesses recognise social engineering as a growing security concern. A majority of respondents (51%) cited financial gain as the primary motivation of attacks, followed by competitive advantage and revenge. The highest rate of attacks was reported by energy and utility organisations (61%), while non-profit organisations reported the lowest rate (24%), reinforcing gain as the key reason for attacks.
“Although the survey shows that nearly half of enterprises know they have experienced social engineering attacks, 41% said they were unsure whether they had been targeted or not. Because these types of attacks are intended to stay below an organisation’s security radar, the actual number of organisations that have been attacked could be much higher. Yet 44% of UK companies surveyed are not currently doing anything to educate their employees about the risks, which is higher than the global average,” said Terry Greer-King, UK managing director for Check Point.
Further findings from the survey report are:
The Threat of Social Engineering is Real – 86% of IT and security professionals (80% in the UK) are aware or highly aware of the risks associated with social engineering. Approximately 48% of enterprises surveyed globally (42% in the UK) admitted they have been victims of social engineering more than 25 times in the last two years.
Social Engineering Attacks Are Costly – Survey participants estimated that each security incident costs anywhere between $25,000 and over $100,000, including costs associated with business disruptions, customer outlays, revenue loss and brand damage. 36% of UK respondents cited an average incident cost of over $25,000 (£15,000).
Most Common Sources of Social Engineering – Phishing emails were ranked the most common source of social engineering threats (47%), followed by social networking sites that can expose personal and professional information (39%) and insecure mobile devices (12%).
New Employees are Most Susceptible to Social Engineering Techniques – Survey participants believe new employees are at high risk from social engineering, followed by contractors (44%), executive assistants (38%), human resources (33%), business leaders (32%) and IT personnel (23%). Regardless of an employee’s role within an organization, implementing proper training and user awareness is critical to any security policy.
Lack of Proactive Training to Prevent Social Engineering Attacks – 34% of businesses do not have any employee training or security policies in place to prevent social engineering techniques (44% in the UK).
Financial Gains are the Primary Motivation of Social Engineering – Financial gain was cited as the most frequent reason for social engineering attacks, followed by access to proprietary information (46%), competitive advantage (40%) and revenge (14%).
While social engineering techniques rely on taking advantage of a person’s vulnerability, the prevalence of Web 2.0 and mobile computing has also made it easier to obtain information about individuals and has created new entry points to execute social engineering attacks.
Greer-King added: “An organisation’s employees are a critical part of the security process as they can be misled by criminals, or make errors that lead to malware infections or unintentional data loss. Many organisations do not pay enough attention to the involvement of users, when, in fact, employees should be the first line of defence. A good way to raise security awareness among users is to involve them in the security process and empower them to prevent and remediate security incidents in real time.”
To achieve the level of protection needed in modern day IT environments, security needs to grow from a collection of disparate technologies to an effective business process. Check Point 3D Security helps companies implement a blueprint for security that goes beyond technology and can educate employees by involving them in the process. With Check Point’s unique UserCheck technology, businesses can alert and educate employees about corporate policies when accessing the corporate network, data and applications – helping companies minimize the frequency, risk and costs associated with social engineering techniques.
The survey, The Risk of Social Engineering on Information Security, was conducted in July and August 2011, surveying over 850 IT and security professionals located in the U.S., Canada, U.K., Germany, Australia and New Zealand, with 85 UK respondents. The survey sample represents organizations of all sizes and across multiple industries, including financial, industrial, defense, retail, healthcare and education.