48% of enterprises have been victims of social engineering attacks, experiencing 25 or more such attacks in the past two years at an average cost of over £15,000 per incident, according to Check Point.
The survey report shows the most common sources of social engineering threats are phishing emails (47%) and social networking sites (39%). New employees (52%) and contractors (44%) were cited as the most susceptible to social engineering techniques. This emphasizes that hackers target the staff they suspect are the weakest security links in organizations, using social networking applications to gather personal and professional information on employees in order to mount spear phishing attacks.
According to the global survey of over 850 IT and security professionals, 86% of businesses recognize social engineering as a growing security concern. 51% of respondents cited financial gain as the primary motivation of attacks, followed by competitive advantage and revenge. The highest rate of attacks was reported by energy and utility organizations (61%), while non-profit organizations reported the lowest rate (24%), reinforcing gain as the key reason for attacks.
“Although the survey shows that nearly half of enterprises know they have experienced social engineering attacks, 41% said they were unsure whether they had been targeted or not. Because these types of attacks are intended to stay below an organization’s security radar, the actual number of organizations that have been attacked could be much higher. Yet 44% of UK companies surveyed are not currently doing anything to educate their employees about the risks, which is higher than the global average,” said Terry Greer-King, UK managing director for Check Point.
Further findings from the survey report are:
- 86% of IT and security professionals (80% in the UK) are aware or highly aware of the risks associated with social engineering. Approximately 48% of enterprises surveyed globally (42% in the UK) admitted they have been victims of social engineering more than 25 times in the last two years.
- Survey participants estimated that each security incident costs anywhere between $25,000 and over $100,000, including costs associated with business disruptions, customer outlays, revenue loss and brand damage. 36% of UK respondents cited an average incident cost of over $25,000 (£15,000).
- Phishing emails were ranked the most common source of social engineering threats (47%), followed by social networking sites that can expose personal and professional information (39%) and insecure mobile devices (12%).
- Survey participants believe new employees are at high risk from social engineering, followed by contractors (44%), executive assistants (38%), human resources (33%), business leaders (32%) and IT personnel (23%). Regardless of an employee’s role within an organization, implementing proper training and user awareness is critical to any security policy.
- 34% of businesses do not have any employee training or security policies in place to prevent social engineering techniques (44% in the UK).
- Financial gain was cited as the most frequent reason for social engineering attacks, followed by access to proprietary information (46%), competitive advantage (40%) and revenge (14%).
While social engineering techniques rely on taking advantage of a person’s vulnerability, the prevalence of Web 2.0 and mobile computing has also made it easier to obtain information about individuals and has created new entry points to execute social engineering attacks.