• United States



by Senior Editor

Social engineering attacks costly for business

Sep 21, 20112 mins
CybercrimeData and Information SecurityFacebook

New research from Check Point Software finds social engineering is now a common attack strategy and organizations are getting hit frequently by hackers

Social engineering attacks are widespread, frequent and cost organizations thousands of dollars annually according to new research from security firm Check Point Software Technologies.

A survey of 850 IT and security professionals located in the U.S., Canada, U.K., Germany, Australia and New Zealand found almost half, 48 percent, had been victims of social engineering and had experienced 25 or more attacks in the past two years. Social engineering attacks cost victims an average of $25,000 – $100,000 per security incident, the report states.

For even more depth, read CSO’s Ultimate Guide to Social Engineering [13-page PDF – free CSO Insider registration required]

“Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information,” according to a statement from Check Point on the survey. “Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization.”

Among those surveyed, 86 percent recognize social engineering as a growing concern, with the majority of respondents, 51 percent, citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge.

The most common attack vectors for social engineering attacks were phishing emails, which accounted for 47 percent of incidents, followed by social networking sites at 39 percent.

[Also see 9 dirty tricks: Social engineer’s favorite pick-up lines]

New employees are the most susceptible to social engineering, according to the report, followed by contractors (44 percent), executive assistants (38 percent), human resources (33 percent), business leaders (32 percent) and IT personnel (23 percent). However, almost a third of organizations said they do not have a social engineering prevention and awareness program in place. Among those polled, 34 percent do not have any employee training or security policies in place to prevent social engineering techniques, although 19 percent have plans to implement one, according to Check Point.