THE RISK OF SOCIAL ENGINEERING ON INFORMATION SECURITY:



Similar documents
THE GENERATION GAP IN COMPUTER SECURITY:

The Attacker s Target: The Small Business

Research Note The Art of Social Engineering

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

The Impact of Cybercrime on Business

Data Security in Development & Testing

The Importance of Cyber Threat Intelligence to a Strong Security Posture

Security Practices for Online Collaboration and Social Media

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

2012 Bit9 Cyber Security Research Report

Exposing the Cybersecurity Cracks: A Global Perspective

I ve been breached! Now what?

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S.

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

Aftermath of a Data Breach Study

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

The economics of IT risk and reputation

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013

Commissioned Study. SURVEY: Web Threats Expose Businesses to Data Loss

CHECK POINT SOFTWARE TECHNOLOGIES REPORTS 2013 FIRST QUARTER FINANCIAL RESULTS

Understanding Security Complexity in 21 st Century IT Environments:

Exposing the Cybersecurity Cracks: A Global Perspective

How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey.

2012 Cost of Cyber Crime Study: United States

Spyware: Securing gateway and endpoint against data theft

PCI Compliance: How to ensure customer cardholder data is handled with care

A Comprehensive Study of Social Engineering Based Attacks in India to Develop a Conceptual Model

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

Oakland Family Services - Was Your Hacked?

Managing IT Security with Penetration Testing

Trust the Innovator to Simplify Cloud Security

Streamlining Web and Security

How To Understand Cyber Security

NATIONAL CYBER SECURITY AWARENESS MONTH

Cisco Security Optimization Service

IBM Security X-Force Threat Intelligence

Internet threats: steps to security for your small business

PCI Data Security Standards (DSS)

How To Buy Nitro Security

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

2012 Cost of Cyber Crime Study: Germany

Information Security Summit 2005

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

Security Effectiveness Framework Study

Check Point Partner Marketing Campaign Plan

State of SMB Cyber Security Readiness: UK Study

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Online security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat.

BAE Systems Cyber Security Survey Report

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage

Table of Contents. Page 2/13

Advanced Threat Protection with Dell SecureWorks Security Services

Data Center security trends

Zone Labs Integrity Smarter Enterprise Security

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

SIZE DOESN T MATTER IN CYBERSECURITY

Key IT Anti-Fraud Challenges for Banking & Financial Institutions in Latin America

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

McAfee Total Protection Reduce the Complexity of Managing Security

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

MANAGING APPLE DEVICES IN THE ENTERPRISE

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Marketing and Data Security

What s Holding Back the Cloud?

white paper Malware Security and the Bottom Line

Securing Endpoints without a Security Expert

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

NEW ZEALAND S CYBER SECURITY STRATEGY

Italy. EY s Global Information Security Survey 2013

The Evolution of IPS. Intrusion Prevention (Protection) Systems aren't what they used to be

Promoting Network Security (A Service Provider Perspective)

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

Efficacy of Emerging Network Security Technologies

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Evolution from FTP to Secure File Transfer

How To Protect Your Organization From Insider Threats

Privilege Gone Wild: The State of Privileged Account Management in 2015

AUTHOR CONTACT DETAILS

Cybersecurity. Are you prepared?

Business Identity Fraud Prevention Checklist

DeltaV System Cyber-Security

Information Security Incident Management Guidelines

Brainloop Cloud Security

Advanced Threats in Retail Companies: A Study of North America & EMEA

State of the Phish 2015

Are Consumers Getting the Message? The Impact of Privacy Education and Awareness--A Study of Consumer Behavior. August, 2014.

Neutralizing Spyware in the Enterprise Environment

Global Network and Application Security Testing Market An Overview of Emerging Trends and Growth Opportunities For Test Solution Vendors

Network Security in Building Networks

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

Information Security Services

Data Backup for Small and Medium Businesses: Priorities, Current Practices, and Risks

Guide to Preventing Social Engineering Fraud

THE HUMAN COMPONENT OF CYBER SECURITY

Cyber Attacks and Liabilities Why do so many Organizations keep Getting Hacked, Sued and Fined?

Transcription:

Introduction The threat of technology-based security attacks is well understood, and IT organizations have tools and processes in place to manage this risk to sensitive corporate data. However, social engineering attacks are more challenging to manage since they depend on human behavior and involve taking advantage of vulnerable employees. Businesses today must utilize a combination of technology solutions and user awareness to help protect corporate information. The following report, sponsored by Check Point, is based on a global survey of 853 IT professionals conducted in the United States, United Kingdom, Canada, Australia, New Zealand, and Germany during July and August 2011. The goal of the survey was to gather data about the perceptions of social engineering attacks and their impact on businesses. Key Findings The threat of social engineering is real 97% of security professionals and 86% of all IT professionals are aware or highly aware of this potential security threat 43% know they have been targeted by social engineering schemes Only 16% were confident they had not been targeted by social engineering, while 41% were not aware if they had been attacked or not Financial gains are the primary motivation of social engineering 51% of social engineering attacks are motivated by financial gain 14% of social engineering attacks are motivated by revenge Social engineering attacks are costly especially in large organizations 48% of large companies and 32% of companies of all sizes have experienced 25 or more social engineering attacks in the past two years 48% of all participants cite an average per incident cost of over $25,000 30% of large companies cite a per incident cost of over $100,000 New employees are most susceptible to social engineering techniques New employees (60%), contractors (44%), and executive assistants (38%) are cited to be at high risk for social engineering techniques. Lack of proactive training to prevent social engineering attacks Only 26% of respondents do ongoing training 34% do not currently make any attempt to educate employees, although 19% have plans to Sponsored by

Detailed Findings Awareness of social engineering high among IT professionals Participants were asked to rate their level of awareness of the potential security threat of social engineering attacks. In general, IT professionals reported a high degree of awareness (86%) 39% described themselves as aware and 47% highly aware. And among security professionals whose entire job was to secure their organizations systems, awareness was even higher (97%) 35% were aware and 62% highly aware. See Figure A. Figure A: Awareness of social engineering threats Highly aware 47% 62% Aware Somewhat aware 3% 39% 35% All IT Professionals Security Professionals Never heard of it 2% 0% 0% 10% 20% 30% 40% 50% 60% 70% Many businesses have already faced social engineering attacks Participants were asked if their organizations have been targeted by social engineering attacks. While 43% of participants indicated that they had, only 16% had confidence that they had not been targeted. A large number of participants (41%) were not aware of any attacks, but could not say definitively that there had not been an attempt. This response implies a potential risk that businesses and IT teams are not dealing with. See Figure B. Figure B: Social engineering a0ack experiences Not that I am aware of 41% Never 16% Yes 43% What is Social Engineering? Participants were given this definition of social engineering before answering the survey questions: Social Engineering is the act of breaking corporate security by manipulating employees into divulging confidential information. It uses psychological tricks to gain trust, rather than technical cracking techniques. Social Engineering includes scams such as obtaining a password by pretending to be an employee, leveraging social media to identify new employees more easily tricked into providing customer information, and any other attempt to breach security by gaining trust. Page 2

The highest rate of social engineering attacks (61%) was reported by participants who work in energy and utilities. Nonprofits experienced the lowest level of social engineering attacks (24%). Social engineering attacks motivated primarily by financial gain The participants who indicated that they had been victims of social engineering attacks were asked what they believed the motivations were behind those attacks. Financial gain was cited as the most frequent reason (51%), followed by access to proprietary information (46%), and competitive advantage (40%). Fortunately, revenge was the least likely reason for a social engineering attack with only 14% reporting this as a motivator. See Figure C. Figure C: Mo,va,ons for social engineering a4acks Financial gain Access to proprietary informa<on 46% 51% Compe<<ve advantage 40% Revenge or personal vende9a 14% Other 4% 0% 10% 20% 30% 40% 50% 60% Motivations for social engineering attacks varied slightly in different countries. Australians (61%) and Americans (52%) were the most likely to cite financial gain as a motivation. Germans reported more revenge-motivated attacks (18%), while Canadians were more likely to experience attacks motivated by competitive advantage (54%). Social engineering attacks happen frequently Participants who had been targeted by social engineering attacks and also tracked these incidences were asked about their frequency (N=322). Social engineering attacks were a frequent occurrence with 32% of all participants reporting 25 or more attacks during the past two years. Unsurprisingly, larger organizations were attacked even more frequently with 48% of participants reporting 25 or more attacks in the past two years. See Figure D. Figure D: Frequency of social engineering a3acks More than 50 1mes 33% 25-50 5-24 20% 15% 36% 32% All companies More than 5,000 employees Less than 5 1mes 20% 32% 0% 5% 10% 15% 20% 25% 30% 35% 40% Page 3

Social engineering attacks are costly Participants who had been targeted by social engineering attacks and tracked these incidences were also asked about the typical cost of each incident (N=322). Costs included business disruptions, customer outlays, revenue loss, labor, and other overhead. These attacks were frequently costly with almost half of participants (48%) reporting a per-incident cost of more than $25,000. Again, larger organizations reported even higher costs with 30% reporting a per-incident cost of more than $100,000. See Figure E. Figure E: Typical cost per social engineering incident More than $100,000 $50,000 - $100,000 $25,000 - $50,000 $10,000 - $25,000 Less than $10,000 19% 13% 13% 16% 13% 14% 30% 32% 38% All companies More than 5,000 employees 0% 5% 10% 15% 20% 25% 30% 35% 40% Across industries, financial services and manufacturing reported the highest average per-incident cost, and educational institutions and non-profits reported the lowest costs. New employees present greatest risk for social engineering attacks All participants were asked what type of personnel was the most likely to be susceptible to social engineering techniques. New employees were considered the highest risk (60%), followed by contractors (44%) who may be less familiar with corporate security policies, and executive assistants (38%) who have access to executive calendars and confidential information. See Figure F. Figure F: Risk of falling for social engineering techniques 70% 60% 50% 40% 30% 20% 10% 0% 60% 34% 6% 46% 44% 38% 53% New employees Contractors Execu?ve assistants 56% 56% 55% 33% 32% 11% 9% 11% Human resources Business leaders 23% IT personnel 22% High risk Low risk No risk Page 4

Few companies proactively train on risk of social engineering All participants were asked what their organization was doing to prevent social engineering attacks. Only 26% of participants actively train employees on the threat. An additional 34% do not have any initiatives in place now, although some of those (19%) do have plans to start a program to educate employees. The largest segment of participants, 40%, put the responsibility on the employee to read and understand their organization s overall security policy documents to prevent data loss, security attacks, and social engineering-based threats. See Figure G. Figure G: Approach to employee awarenss of social engineering We acavely do ongoing training with employees 26% Our security policy includes direcaons on prevenang social engineering 40% Not currently, but we have plans to 19% No, not at the moment 15% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% Phishing emails most common source of social engineering Participants were asked their opinion on the most common source of social engineering threats. Phishing pretending to be a trustworthy entity in an electronic communication was identified as the most typical source (47%), followed by social networking sites such as LinkedIn that allow new employees to be targeted (39%). See Figure H. Figure H: Most common source of social engineering threats Insecure mobile devices Other 2% Phishing emails 47% Social networking sites 39% Page 5

Sophisticated technology-based security threats continue Organizations across all sizes and industries have experienced a variety of both technologically sophisticated and social engineering attacks, indicating a clear need to manage both technological and social engineering attacks. Participants reported that they were most likely to experience trojans (56%), followed by phishing techniques, botnets, and drive-by downloads. See Figure J. Figure J: Occurrence of technologically sophis6cated and social engineering security threats Trojans 56% Phishing 48% Targeted threats 26% Botnets 22% Drive- by downloads 16% Other 1% 0% 10% 20% 30% 40% 50% 60% Survey Methodology In July 2011, an independent database of IT professionals was invited to participate in a Web survey on the topic of social engineering and information security sponsored by Check Point. A total of 853 respondents across the U.S., UK, Canada, Australia, New Zealand, and Germany completed the survey, all of whom had responsibility for securing company systems. Participants included IT executives, IT managers, and hands-on IT professionals and represented a wide range of company size and industry verticals. Par$cipant Job Func$on Responsibility for IT Security Company Size Front- line IT professional 29% IT execu(ve 30% More than 15,000 14% Less than 100 7% IT security is a part of my job 69% IT security is my en.re job 31% 5,000 15,000 15% 100-1,000 35% IT manager 41% 1,000 5,000 29% Page 6

About Dimensional Research Dimensional Research provides practical marketing research to help technology companies make their customers more successful. Our researchers are experts in the people, processes, and technology of corporate IT and understand how IT organizations operate. We partner with our clients to deliver actionable information that reduces risks, increases customer satisfaction, and grows the business. For more information visit. About Check Point Software Technologies Ltd. Check Point Software Technologies Ltd. (www.checkpoint.com), the worldwide leader in securing the Internet, provides customers with uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented stateful inspection technology. Today, Check Point continues to develop new innovations based on the Software Blade Architecture, providing customers with flexible and simple solutions that can be fully customized to meet the exact security needs of any organization. Check Point is the only vendor to go beyond technology and define security as a business process. Check Point 3D Security uniquely combines policy, people and enforcement for greater protection of information assets and helps organizations implement a blueprint for security that aligns with business needs. Customers include tens of thousands of organizations of all sizes, including all Fortune and Global 100 companies. Check Point s award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft. Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information