According to the report, 'The Risk of Social Engineering on Information Security', which took in responses from more than 850 IT and security professionals located in the US, Canada, the UK, Germany, Australia and New Zealand, the typical cost of an attack was more than £15,000.
Delving into the Check Point research shows that new employees (52%) and contractors (44%) are cited as the most likely targets, and that 44% of UK firms admit they have no employee training or policies against such attacks, compared with 34% globally.
Researchers also found that the most common sources of social-engineering threats are phishing emails (47%) and social networking sites (39%). The study shows that attackers target the staff they suspect are the weakest security links in an organisation, using social networking applications to gather personal and professional information on employees and then mounting 'spear phishing' attacks tailored to that information.
The majority of respondents (51%) cited financial gain as the primary motivation for attacks, followed by competitive advantage and revenge. The highest rate of attacks was reported by energy and utility organisations (61%), with non-profit organisations reporting the lowest rate (24%), reinforcing financial gain as the key motive.
Commenting on the research, Terry Greer-King, Check Point's UK managing director, said that, although the survey shows that nearly half of enterprises know they have experienced social engineering attacks, 41% said they were unsure whether they had been targeted or not.
“Because these types of attacks are intended to stay below an organisation’s security radar, the actual number of organisations that have been attacked could be much higher. Yet 44% of UK companies surveyed are not currently doing anything to educate their employees about the risks, which is higher than the global average,” he said.
The good news from the research is that, whilst the threat of social engineering attacks is real, 86% of IT and security professionals (80% in the UK) said they are aware or highly aware of the risks associated with social engineering.
Approximately 48% of the enterprises surveyed globally (42% in the UK), meanwhile, admitted they have been victims of social engineering more than 25 times in the last two years.
Researchers also found that social engineering attacks are costly: survey participants estimated the cost of each security incident at anywhere from $25,000 to over $100,000, including costs associated with business disruption, customer outlays, revenue loss and brand damage. Thirty-six percent of UK respondents, meanwhile, cited an average incident cost of over $25,000 (£15,000).
The most common sources of social engineering attacks were found to be phishing emails (47%), followed by social networking sites that can expose personal and professional information (39%) and insecure mobile devices (12%).
Greer-King says that an organisation’s employees are a critical part of the security process as they can be misled by criminals, or make errors that lead to malware infections or unintentional data loss.
“Many organisations do not pay enough attention to the involvement of users, when, in fact, employees should be the first line of defence. A good way to raise security awareness among users is to involve them in the security process and empower them to prevent and remediate security incidents in real time,” he explained.