Social Engineering

The risk of Social Engineering on information security: a survey of IT professionals

Entirely in keeping with the Trojan Horse principle, today's hacker aims at the weakest link in information security: the employee. By winning his or her trust, the attacker can launch an attack on computer systems. And it works! Market research by Check Point shows that social engineering is a real threat to businesses. What's more, it is hard to manage and costs companies a great deal of money! IT professionals worldwide confirm losses of 30,000 to 80,000 euros as a result of a social engineering incident. All the research results can be found in this report.

THE RISK OF SOCIAL ENGINEERING ON INFORMATION SECURITY: A SURVEY OF IT PROFESSIONALS
Dimensional Research | September 2011

Introduction

The threat of technology-based security attacks is well understood, and IT organizations have tools and processes in place to manage this risk to sensitive corporate data. However, social engineering attacks are more challenging to manage since they depend on human behavior and involve taking advantage of vulnerable employees. Businesses today must utilize a combination of technology solutions and user awareness to help protect corporate information.

The following report, sponsored by Check Point, is based on a global survey of 853 IT professionals conducted in the United States, United Kingdom, Canada, Australia, New Zealand, and Germany during July and August 2011. The goal of the survey was to gather data about the perceptions of social engineering attacks and their impact on businesses.

Key Findings

· The threat of social engineering is real
- 97% of security professionals and 86% of all IT professionals are aware or highly aware of this potential security threat
- 43% know they have been targeted by social engineering schemes
- Only 16% were confident they had not been targeted by social engineering, while 41% were not aware if they had been attacked or not
· Financial gains are the primary motivation of social engineering
- 51% of social engineering attacks are motivated by financial gain
- 14% of social engineering attacks are motivated by revenge
· Social engineering attacks are costly, especially in large organizations
- 48% of large companies and 32% of companies of all sizes have experienced 25 or more social engineering attacks in the past two years
- 48% of all participants cite an average per incident cost of over $25,000
- 30% of large companies cite a per incident cost of over $100,000
· New employees are most susceptible to social engineering techniques
- New employees (60%), contractors (44%), and executive assistants (38%) are cited to be at high risk for social engineering techniques
· Lack of proactive training to prevent social engineering attacks
- Only 26% of respondents do ongoing training
- 34% do not currently make any attempt to educate employees, although 19% have plans to

Sponsored by Check Point
www.dimensionalresearch.com © 2011 Dimensional Research. All Rights Reserved.

Detailed Findings

Awareness of social engineering high among IT professionals

Participants were asked to rate their level of awareness of the potential security threat of social engineering attacks. In general, IT professionals reported a high degree of awareness (86%): 39% described themselves as aware and 47% highly aware. And among security professionals, whose entire job was to secure their organizations' systems, awareness was even higher (97%): 35% were aware and 62% highly aware. See Figure A.

Figure A: Awareness of social engineering threats (All IT professionals: highly aware 47%, aware 39%, somewhat aware 12%, never heard of it 2%. Security professionals: highly aware 62%, aware 35%, somewhat aware 3%, never heard of it 0%.)

Many businesses have already faced social engineering attacks

Participants were asked if their organizations have been targeted by social engineering attacks. While 43% of participants indicated that they had, only 16% had confidence that they had not been targeted. A large number of participants (41%) were not aware of any attacks, but could not say definitively that there had not been an attempt. This response implies a potential risk that businesses and IT teams are not dealing with. See Figure B.

Figure B: Social engineering attack experiences (Yes 43%; Never 16%; Not that I am aware of 41%)

What is Social Engineering?

Participants were given this definition of social engineering before answering the survey questions: Social Engineering is the act of breaking corporate security by manipulating employees into divulging confidential information. It uses psychological tricks to gain trust, rather than technical cracking techniques. Social Engineering includes scams such as obtaining a password by pretending to be an employee, leveraging social media to identify new employees more easily tricked into providing customer information, and any other attempt to breach security by gaining trust.

The highest rate of social engineering attacks (61%) was reported by participants who work in energy and utilities. Nonprofits experienced the lowest level of social engineering attacks (24%).

Social engineering attacks motivated primarily by financial gain

The participants who indicated that they had been victims of social engineering attacks were asked what they believed the motivations were behind those attacks. Financial gain was cited as the most frequent reason (51%), followed by access to proprietary information (46%), and competitive advantage (40%). Fortunately, revenge was the least likely reason for a social engineering attack, with only 14% reporting this as a motivator. See Figure C.

Figure C: Motivations for social engineering attacks (financial gain 51%, access to proprietary information 46%, competitive advantage 40%, revenge 14%)