Despite all the progress organisations may make in security, users remain the weakest link, and there’s no patch for stupidity, dishonesty or vindictiveness.
A recent survey report, The Risk of Social Engineering on Information Security (.pdf), painted a worrying picture of global office workers, who are apparently more than happy to hand over sensitive information to people who send them emails or who befriend them on social networking sites.
The survey, commissioned by Check Point Software Technologies, found that 42% of UK enterprises (the global figure was 48%) had experienced more than 25 social engineering attacks in the previous two years. More than a third of the UK respondents who admitted to being victims put the average cost per incident at more than £15,000.
It turns out new employees and contractors are the most vulnerable to the attacks, which can include phishing emails and approaches via social networking sites. Once the attackers gain information about employees, they can then mount targeted spear phishing attacks to get to the more valuable data. Financial gain was cited as the most common motive, followed by access to private information (46%), competitive advantage (40%) and revenge (14%).
Given the state of the economy -- with thousands losing job security, pension rights and other benefits -- the only surprise is the revenge figure is not higher. Give it time.
Anyway, this sorry state of affairs was mirrored by another survey, this time sponsored by Websense and carried out by the Ponemon Institute.
This survey too found companies were torn between a desire to adopt social networking wholeheartedly to improve marketing and customer communications, and a paranoid fear that their employees were spending all day on Twitter and Facebook, while also leaking confidential information.
“There is a huge gap between social media enterprise adoption and protection,” said Ponemon in the report. “But social media has emerged as an integral part of what people do, so organisations are being careful not to upset their best employees and drive away younger talented individuals to competitors.”
Which sums up the problem: companies know the risks exist, but few organisations feel able, or even willing, to grasp the nettle and do something about it.
One depressing statistic from the Check Point report was 44% of UK organisations offered no training or guidance to employees regarding social networking security risks. Sure, it is possible to apply one of the many new technology tools to control what employees can or cannot do on social networking sites. But they cost money you probably don’t have at the moment.
On the other hand, social networking user training and awareness programmes cost less and can be more effective than technology. It’s a new twist on an old message -- training users to think and act securely is hard, yet it does make a difference -- but it’s a message so many organisations still choose to ignore.
Ron Condon is UK bureau chief for SearchSecurity.co.UK. Send comments on this column to firstname.lastname@example.org.