Social Engineering: Employees a Huge Risk

A huge reason why targeted attacks are successful is employees who consistently fall for social engineering tactics, a new survey found.

Phishing attacks are used to fool users into following malicious links that host malware components. To counter this, quite a few companies offer training courses that teach employees how to spot deceitful messages that could give an attacker a route to sensitive digital assets.

However, according to a study commissioned by Intel Security, 38 percent of the participants believe clicking on unknown links or opening emails from unknown sources is one of the reasons an attacker was able to gain access to the company’s network. The survey consisted of 700 respondents at businesses in Asia, North America, the EMEA region and South America.

Social engineering is a powerful weapon, especially when combined with advanced pieces of malware.

In one case, security researchers at Kaspersky reported a phishing operation that lured recipients into launching a maliciously crafted Word document by delivering a very credible-looking email claiming to be from the IRS in relation to a tax return approval.

Intel’s study also found that security professionals’ efforts to defend the digital perimeter are made more difficult because attackers use persistent malware along with multiple attack vectors, exploits and payloads.

Also, the channels for malware distribution increase as employees have access to social networking and personal services such as Dropbox and Evernote. Compromised accounts are often used to deliver malicious messages to other friends on the contact list.

BYOD policies, which allow use of devices running different operating systems, make it harder to set up defenses for endpoint systems, 24 percent of the respondents said.

The survey showed that the most time-consuming task faced by a company's security unit is determining the damage caused by an attack, which accounted for 47 percent of the answers. This involves pinpointing the changes made on an affected system and the resulting consequences, as well as the number of computers that were impacted in the process.

According to the study, respondents said their organizations carried out an average of 78 security investigations in 2014. Of these, 28 percent focused on targeted attacks.

Contributing to the success of the attacks is the idea that security professionals are not knowledgeable enough about cybercriminals' tactics.

When asked how familiar they are with malware obfuscation techniques, less than half of the respondents (45 percent) said they were up to date, while 48 percent said there was plenty of room for improvement.
