According to a report from Positive Technologies, hackers continue to target the weak link in any company’s security posture: humans.
- 17% of social engineering attacks are successful, and could lead to the compromise of a company’s entire corporate infrastructure. — Positive Technologies, 2018
- 27% of employees clicked an emailed phishing link, making it the most effective method of social engineering. — Positive Technologies, 2018
Cyber-criminals are increasingly turning to social engineering to enter a corporate network, as they know that humans are the weak link in any company’s security plan, according to a Monday report from security firm Positive Technologies.
The firm studied its 10 largest pen testing projects performed for clients in 2016 and 2017. These tests included 3,332 emails sent to employees with links to websites, password entry forms, and attachments, mimicking the work of hackers.
If these emailed “attacks” had been real, 17% of the messages would have led to the compromise of an employee’s workstation, giving the hacker a foothold into the entire corporate infrastructure, the report found.
According to the report, phishing was the most effective form of social engineering attack: 27% of recipients clicked the phishing link, which led to a fake website.
“To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form,” Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in a press release. “Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password.”
Employees not only open unknown files and click suspicious links, they sometimes correspond with attackers, the report found. In 88% of cases of correspondence, the employees worked outside of the IT department. However, 3% of security professionals did so as well.
At times, employees complained that the malicious files or links would not open. In some cases, these employees tried to open the files or enter their password on the fake site 30-40 times, according to the report. Frustrated employees unable to open files sometimes forwarded them to the IT department for help—further increasing the risk to the organization, as IT staff are more likely to trust their colleagues and attempt to open the file.
Hackers have also learned that sending messages from fake companies is less effective than in the past, accounting for only 11% of risky actions by employees, the report found. However, sending messages from the fake account of a real company and person increases the odds of success to 33%.
These attackers also carefully select email subject lines to elicit a response from employees, including “list of employees to be fired” (which caused 38% of risky actions) and “annual bonuses” (which caused 25%).
The report highlights the need for companies to implement continuous employee security training. A number of companies run internal phishing attacks to identify weak links and strengthen their cyber security posture.
HSM IT Solutions’ Advice:
- Ensure all your workstations and servers have proper anti-virus software installed and configured.
- Ensure all your workstations and servers are patched with the current updates.
- Ensure staff do not click on any link in suspicious emails, even those from “trusted” sources; they can always forward the email to your IT department if they are not sure.
- Implement continuous employee security training; with 95% of security breaches caused by human error, educated users are the first line of defence.