IT needs to become more aware of the dangers posed by social engineering, warns Check Point’s Terry Greer-King
A new survey from security specialist Check Point has revealed that 42 percent of UK enterprises have been victims of social engineering attacks.
Indeed, such is the prevalence of this form of attack that UK businesses reported experiencing 25 or more such attacks in the past two years, at an average cost of over £15,000 per incident.
And internationally, the figure is even worse, with 48 percent of businesses registering social engineering attacks.
Speaking to eWEEK Europe, Check Point’s UK managing director Terry Greer-King said the survey had found that the most common sources of social-engineering threats are phishing emails (47 percent) and social networking sites (39 percent).
New employees (52 percent) and contractors (44 percent) were cited as the most susceptible to social engineering techniques.
Greer-King said that this emphasises that hackers target staff that they suspect are the weakest security links in organisations, using social networking applications to gather personal and professional information on employees to mount ‘spear phishing’ attacks.
“The security risks nowadays are not just the traditional hard security risks,” said Greer-King. “Social engineering attacks are now targeting the weak people within the organisation, and this is a problem that is not high enough on corporate security agendas as we would like it to be.”
The People Element
“In the UK, we opted to implement Gatsos to control speeding,” said Greer-King. “But in reality it was impractical to install a camera on every road. So instead they were installed outside schools or on dangerous roads, to try and influence people’s behaviour.”
“The same applies with security. It is all very well to install all the usual security tools, but we have to bear in mind that people are a part of the solution. It is not just all about infrastructure,” Greer-King told eWEEK Europe.
As an example, Greer-King explained that a Check Point solution checks user behaviour against criteria set by the organisation itself. “If a user opts to send out a document, for example, and that document contains sensitive material, a pop-up message will appear asking the user if they are sure they want to do this,” said Greer-King. “The user has to press yes then to send the document out. Most leaks after all happen accidentally, not on purpose.”
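One way to implement the confirm-before-send gate described above, as an added example that is neither Check Point's code nor anything from the article: the document is classified from an explicit label or from its content (card numbers are validated with a Luhn check so that an order number is not flagged), an assumed policy decides between allow, ask and block, and when the answer is ask the user's explicit yes or no is written to an audit record. The five-level classification ladder, the `example.com` internal domain, the content patterns and the policy thresholds are all assumptions.

```python
"""Outbound-document gate with an explicit user confirmation step.

Added example, not Check Point code: it models the behaviour described in the
interview (a sensitive document triggers a prompt, and the user has to say yes
before it leaves). The classification ladder, the content patterns, the
internal domain and the policy thresholds are assumptions for illustration.
"""
import re
from typing import Callable, Dict, List, Tuple

# Assumed five-level ladder; the interview mentions five levels but does not name them.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED", "SECRET"]
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain

LABEL = re.compile(r"CLASSIFICATION:\s*([A-Z]+)", re.I)
# 13-16 digits with optional spaces or dashes; validated with Luhn to cut false positives.
CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Simplified UK National Insurance number (two letters, six digits, suffix A-D).
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that an order number is not mistaken for a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[str]]:
    """Return the highest classification implied by an explicit label or by content."""
    level = "PUBLIC"
    m = LABEL.search(text)
    if m and m.group(1).upper() in LEVELS:
        level = m.group(1).upper()
    hits: List[str] = []
    for found in CARD.findall(text):
        if luhn_ok(re.sub(r"\D", "", found)):
            hits.append("card_number")
    if NI_NUMBER.search(text):
        hits.append("ni_number")
    # Unlabelled content that carries personal data is treated as at least CONFIDENTIAL.
    if hits and LEVELS.index(level) < LEVELS.index("CONFIDENTIAL"):
        level = "CONFIDENTIAL"
    return level, hits


def policy(level: str, external: bool) -> str:
    """Assumed policy: SECRET never leaves; CONFIDENTIAL or above to outsiders prompts."""
    if level == "SECRET":
        return "block"
    if external and LEVELS.index(level) >= LEVELS.index("CONFIDENTIAL"):
        return "ask"
    return "allow"


def send_document(text: str, recipients: List[str],
                  confirm: Callable[[str], bool], audit: List[Dict]) -> bool:
    """Gate an outbound document; the user's explicit yes/no is kept in the audit trail."""
    level, hits = classify(text)
    external = any(r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN for r in recipients)
    action = policy(level, external)
    if action == "ask":
        detail = f" ({', '.join(hits)})" if hits else ""
        prompt = (f"This document is classified {level}{detail}. "
                  f"Send it outside {INTERNAL_DOMAIN} to {', '.join(recipients)}?")
        sent = confirm(prompt)
    else:
        sent = action == "allow"
    audit.append({"level": level, "hits": hits, "external": external,
                  "action": action, "sent": sent})
    return sent


if __name__ == "__main__":
    def ask_user(prompt: str) -> bool:
        return input(prompt + " [y/N] ").strip().lower() == "y"

    trail: List[Dict] = []
    sample = "Supplier payment details. Card on file: 4111 1111 1111 1111"  # constructed
    print("sent" if send_document(sample, ["partner@supplier.example"], ask_user, trail)
          else "not sent")
    print(trail[-1])
```

The audit record is the part worth keeping: a prompt that forces a deliberate decision stops the accidental leak Greer-King describes, and for the deliberate case it leaves a record of who was warned and what they answered. The Luhn check matters because a regex alone will flag invoice and order numbers, and a gate that prompts on every such document trains users to click yes without reading.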
New Staff Risk
So what steps can the organisation take to safeguard itself from the risky behaviour of its staff? And why are new staff such a security risk?
“One of the questions an organisation has to ask is whether its induction process for the new employee includes an appropriately deep security briefing,” said Greer-King. “Our survey found that 52 percent regard new employees as the most vulnerable to social engineering, followed by outside contractors.”
“New staffers are typically not used to the security regime employed by the company,” said Greer-King. “For example we at Check Point have five levels of data classifications for documents. But does the new employee know those five levels of classification? I believe not all organisations can say that their new staff know this level of detail.”
“With contractors they often have their own devices, such as laptops and smartphones. These devices can sometimes not be compliant for the organisation’s internal infrastructure,” said Greer-King.
But could it also be that contractors simply don’t care, in the way an employee would, about introducing a potential security risk to the organisation?
“Well, let us always think the best of people, but yes, it could be argued that contractors may not care in the same way an employee would,” admitted Greer-King. “After all, staffers nowadays are under a great deal of pressure to keep their jobs.”
Check Point’s survey highlighted the fact that phishing emails are the leading social engineering threat facing organisations currently. So are these typically from banks?
“Finance does tend to be the biggest thing at the moment,” said Greer-King. “Financial phishing emails are what I see most at the moment, asking for a user’s login details etc. If I received a phishing email from Barclays and I did not bank with them, it is relatively easy to dismiss. But if I did bank with them, I could be fooled into thinking the email really did come from them.”
Greer-King said phishing emails usually seek passwords but also personal data. They can also contain malicious code, so that once a user accesses the email, a botnet is installed on the user’s device and broadcasts from the company’s network. It could look for system passwords or contain a keylogger, and often these botnets can remain embedded for a year or two before they are detected.
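The traits Greer-King lists (a message that claims to come from a bank the user does not actually get mail from, asks for login details, and carries malicious code) are the raw material of a simple inbound-mail scorer. The following is an added example, not from the article or Check Point: it parses a message with the standard library, scores independent indicators (display name claiming a financial brand at a foreign domain, link text pointing at a different host than the href, credential and urgency language, executable-style attachments) and returns a verdict against a threshold. The two sample messages, the brand list, keyword lists, weights and threshold are all constructed assumptions.

```python
"""Heuristic scoring of an inbound email for the phishing traits described above.
Added example, not from the article or Check Point. Sample messages, brand list,
keyword lists, weights and threshold are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

# Assumed: a display name containing one of these tokens claims to be a financial sender.
BRAND_TOKENS = ("bank", "barclays", "hsbc", "lloyds", "paypal")
CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|login details|security number|pin)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(suspended|verify (?:your )?account|within 24 hours|immediately)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm")


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate the text parts, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score(raw_message: str) -> Tuple[int, List[str]]:
    """Return (points, reasons); each reason is one independent indicator."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = body_text(msg)
    text = msg.get("Subject", "") + "\n" + body
    points, reasons = 0, []
    # 1. Display name claims a financial brand, but the address is not at that brand.
    brand = next((t for t in BRAND_TOKENS if t in name.lower()), None)
    if brand and brand not in sender_host:
        points += 3
        reasons.append(f"display name '{name}' but sender domain '{sender_host}'")
    # 2. Link text shows one host while the href points somewhere else.
    for href, anchor_text in ANCHOR.findall(body):
        shown, actual = host_of(anchor_text), host_of(href)
        if shown and shown != actual:
            points += 3
            reasons.append(f"link shows {shown} but goes to {actual}")
        elif actual and sender_host and not actual.endswith(sender_host):
            points += 1
            reasons.append(f"link to {actual} from sender at {sender_host}")
    # 3. Asks for credentials, with or without a deadline.
    if CREDENTIAL_WORDS.search(text):
        points += 2
        reasons.append("asks for credentials")
    if URGENCY_WORDS.search(text):
        points += 1
        reasons.append("urgency language")
    # 4. Executable-style attachment: the "malicious code in the email" case.
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(DANGEROUS_EXT):
            points += 4
            reasons.append(f"attachment {filename}")
    return points, reasons


def verdict(raw_message: str, threshold: int = 5) -> str:
    return "phishing" if score(raw_message)[0] >= threshold else "ok"


# Constructed sample messages, not real mail.
PHISH_SAMPLE = """From: "Barclays Online" <alerts@secure-login-check.example>
To: user@example.com
Subject: Your account has been suspended
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please verify your account within 24 hours and confirm your password at
<a href="http://secure-login-check.example/barclays">https://www.barclays.co.uk/login</a></p>
--XYZ
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

LEGIT_SAMPLE = """From: "Barclays" <noreply@barclays.co.uk>
To: user@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is available in online banking. We will never ask for your
password by email.</p>
<p><a href="https://www.barclays.co.uk/statements">https://www.barclays.co.uk/statements</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        points, reasons = score(sample)
        print(f"{label}: {verdict(sample)} ({points} points) {reasons}")
```

The legitimate sample deliberately contains the word "password" (in a "we will never ask for it" sentence) and still scores below the threshold: a single keyword is weak evidence, while a brand name in the display name with a foreign sending domain, or link text that disagrees with its href, is the kind of mismatch a human skims past and a scorer does not. A real deployment would add sender authentication results (SPF/DKIM/DMARC) and sandboxing of attachments; this block only covers what can be read from the message itself.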