Less than a third of UK businesses provide regular training aimed at preventing social engineering attacks, despite 42% being hit by such attacks in the past two years at an average cost of £15,000 per incident, a survey has revealed.
Social engineering techniques typically circumvent corporate security by manipulating employees into divulging confidential information, using psychological tricks to gain trust.
Although 94% of security professionals and 80% of all IT professionals are aware or highly aware of the risks associated with social engineering, there is a lack of proactive training for employees.
Only 26% of companies polled by security firm Check Point offer regular training to prevent such attacks, and 44% do not have any employee training or security policies in place.
Phishing e-mails were ranked the most common form of social engineering threat (47%), followed by social networking sites that can expose personal and professional information (39%) and insecure mobile devices (12%).
The prevalence of social media and mobile computing has also made it easier for criminals to obtain information about individuals and execute social engineering attacks, said Terry Greer-King, UK managing director for Check Point.
"Employees are a critical part of the security process as they can be misled by criminals or make errors that lead to malware infections or unintentional data loss," he said.
New employees are the most susceptible to social engineering techniques, according to 52% of respondents, followed by contractors (44%).
"There is no obvious link between IT security and HR, which presents the opportunity for offering consultancy services in this area," said Greer-King.
At Check Point, new employees are not allocated e-mail accounts until they have passed a basic test of security awareness.
Regardless of an employee's role, implementing proper training and user awareness is critical to any security policy, said Greer-King.
This training can be augmented with technologies that raise flags when sending potentially sensitive information either internally or externally to remind employees that they need to take security seriously, he said.
"A good way to raise security awareness among users is to involve them in the security process and empower them to prevent security incidents," said Greer-King.
This is the guiding principle behind Check Point's 3D Security product that includes UserCheck technology that alerts and educates users about corporate policies.
Businesses can set alerts to be triggered whenever employees attempt to transmit documents containing sensitive information.
UserCheck scans content for identifiers such as employee, tax or customer numbers to provide protection immediately without the need to first classify all the data, said Greer-King.
After cost, this time-consuming process is a common reason for organisations dragging their heels in implementing data leakage prevention (DLP) systems, he said.
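The pattern-based scanning described above, as an added illustration of the idea rather than Check Point's own code: the identifier formats (EMP-, CUST- and a labelled UTR) are assumed for the example, and a real deployment would use the organisation's own formats.

```python
import re
from dataclasses import dataclass

# Hypothetical identifier formats, assumed for this illustration only.
PATTERNS = {
    "employee_number": re.compile(r"\bEMP-\d{6}\b"),
    "customer_number": re.compile(r"\bCUST-\d{8}\b"),
    # A UK Unique Taxpayer Reference is 10 digits; it is only matched next to
    # its label here, to avoid flagging every 10-digit number in a message.
    "tax_reference": re.compile(r"\bUTR[:\s]*\d{10}\b", re.IGNORECASE),
}


@dataclass
class ScanResult:
    hits: dict          # identifier type -> number of occurrences found
    should_alert: bool  # True when the hit count reaches the threshold


def scan_message(text: str, threshold: int = 1) -> ScanResult:
    """Count identifier-like tokens without any prior data classification."""
    hits = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return ScanResult(hits=hits, should_alert=sum(hits.values()) >= threshold)


def user_check_prompt(result: ScanResult, recipient_domain: str,
                      internal_domain: str) -> str:
    """Build the educational prompt shown to the sender before the message leaves."""
    if not result.should_alert:
        return ""
    direction = ("internally" if recipient_domain == internal_domain
                 else "outside the organisation")
    found = ", ".join(f"{n} x{c}" for n, c in sorted(result.hits.items()))
    return (f"This message appears to contain {found} and is being sent "
            f"{direction}. Confirm the recipient is authorised to receive it.")


# Constructed sample message used to exercise the scanner.
SAMPLE = """Hi, as discussed, the records for EMP-004512 and EMP-004513
are attached. Customer CUST-10029931 raised the query; UTR: 1234567890.
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE)
    print(user_check_prompt(result, "partner.example", "corp.example"))
```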