Social engineering attacks can cost businesses more than $100,000 per incident, emphasizing the importance of better security and user awareness
CALGARY, AB – September 22, 2011…Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, recently announced the results of a new report revealing 48 per cent of enterprises surveyed have been victims of social engineering, experiencing 25 or more attacks in the past two years, costing businesses anywhere from $25,000 to over $100,000 per security incident. The report, The Risk of Social Engineering on Information Security, shows phishing and social networking tools as the most common sources of socially-engineered threats – encouraging businesses to implement a strong combination of technology and user awareness to minimize the frequency and cost of attacks.
Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information. Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization. According to the global survey of over 850 IT and security professionals, 86 per cent of businesses recognize social engineering as a growing concern, with the majority of respondents (51 per cent) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge.
“The survey results show that nearly half of enterprises surveyed know they have experienced social engineering attacks. Knowing that many of these attacks go unnoticed suggests that this is a very wide and dangerous attack vector that must not be ignored,” said Paul Comessotti, Check Point’s Canadian Regional Director.
While social engineering techniques rely on taking advantage of a person’s vulnerability, the prevalence of Web 2.0 and mobile computing has also made it easier to obtain information about individuals and has created new entry points to execute socially-engineered attacks.
New employees (60 per cent) and contractors (44 per cent) who may be less familiar with corporate security policies were considered to be the most susceptible to social engineering techniques, in addition to assistants, human resources and IT personnel.
“People are a critical part of the security process as they can be misled by criminals and make mistakes that lead to malware infections or unintentional data loss. Many organizations do not pay enough attention to the involvement of users, when, in fact, employees should be the first line of defense,” added Comessotti. “A good way to raise security awareness among users is to involve them in the security process and empower them to prevent and remediate security incidents in real time.”
To achieve the level of protection needed in modern day IT environments, security needs to grow from a collection of disparate technologies to an effective business process. Check Point 3D Security helps companies implement a blueprint for security that goes beyond technology and can educate employees by involving them in the process. “Just as employees can make mistakes and cause breaches or threats within the organization, they can also play a large role in mitigating risks,” added Comessotti. With Check Point’s unique UserCheck™ technology, businesses can alert and educate employees about corporate policies when accessing the corporate network, data and applications – helping companies minimize the frequency, risk and costs associated with social engineering techniques.
Key Findings from the Report:
• The Threat of Social Engineering is Real – 86 per cent of IT and security professionals are aware or highly aware of the risks associated with social engineering. Approximately 48 per cent of enterprises surveyed admitted they have been victims of social engineering more than 25 times in the last two years.
• Social Engineering Attacks Are Costly – Survey participants estimated each security incident costing anywhere from $25,000 to over $100,000, including costs associated with business disruptions, customer outlays, revenue loss and brand damage.
• Most Common Sources of Social Engineering – Phishing emails were ranked the most common source of social engineering techniques (47 per cent), followed by social networking sites that can expose personal and professional information (39 per cent) and insecure mobile devices (12 per cent).
• Financial Gains are the Primary Motivation of Social Engineering – Financial gain was cited as the most frequent reason for socially-engineered attacks, followed by access to proprietary information (46 per cent), competitive advantage (40 per cent) and revenge (14 per cent).
• New Employees are Most Susceptible to Social Engineering Techniques – Survey participants believe new employees are at high risk from social engineering, followed by contractors (44 per cent), executive assistants (38 per cent), human resources (33 per cent), business leaders (32 per cent) and IT personnel (23 per cent). Regardless of an employee’s role within an organization, implementing proper training and user awareness is a critical component of any security policy.
• Lack of Proactive Training to Prevent Social Engineering Attacks – 34 per cent of businesses do not have any employee training or security policies in place to prevent social engineering techniques, although 19 per cent have plans to.
The survey, The Risk of Social Engineering on Information Security, was conducted in July and August 2011, surveying over 850 IT and security professionals located in the U.S., Canada, U.K., Germany, Australia and New Zealand. The survey sample represents organizations of all sizes and across multiple industries, including financial, industrial, defense, retail, healthcare and education. Interested in learning more about social engineering and want to add your input? Access the full report and take the online survey here: http://www.checkpoint.com/surveys/socialeng1509/socialeng.htm.
“Security is not just a problem for IT administrators; it must be part of every professional’s role. As the industry faces a rise in sophisticated and targeted threats, user involvement makes security technology smarter and more effective,” said Comessotti.