United States

Social engineering attacks: Risks to the middle market

RSM US MMBI Cybersecurity Special Report 2018


While many cyberattacks are the result of high-tech hacking attempts, some threats are much simpler, but just as dangerous. Social engineering or employee manipulation attacks are designed to trick employees into granting access to systems or divulging information that can help attackers access sensitive company or customer data.

Social engineering attacks can come in many forms. For example, an attack can be initiated via telephone, with an attacker posing as a member of the organization, a customer or a vendor and attempting to gain computer or security credentials. Criminals can also mine employee social media profiles for information that can compromise IT security or trick employees into granting access to systems or providing key information through sophisticated email campaigns.

Social engineering is a particularly harmful threat to middle market companies because it can attack all three layers of defense: personnel, physical and cyber. The most common social engineering strategy involves phishing, which is a combination of personnel and cyberattacks. In some cases, a social engineering attack can be as simple as someone walking into a business and attempting to breach security protocols. Attackers may leave a USB drive that can infect a computer, or again, pose as a customer or IT vendor with the goal of stealing data.

With the relatively low technical experience necessary to launch a social engineering attack, threats have become widespread in the middle market. RSM US Middle Market Business Index research found that 43 percent of executives indicated that outside parties attempted to manipulate their employees into providing access to, or altering, systems, data or business processes by pretending to be trusted third parties or high-ranking company executives.

“The first line of defense in many instances is people. Awareness and cultural changes can go a long way in reducing the likelihood of a ransomware attack,” said Ken Stasiak, RSM principal. “The implementation of specific technical controls in conjunction with awareness, should be a focus for organizations. Don’t rely on one control or technique, since most attacks evolve very quickly.”

Executives expect the social engineering threat to continue over the next year. RSM research found that 55 percent of middle market executives say their business is likely at risk to an attempt to manipulate employees in the next 12 months.

Luckily, most attacks are not successful, but just one breach can cause significant damage. Of companies reporting attempts by outside parties to manipulate systems, survey data showed that 86 percent were ultimately not successful.

With employee manipulation and social engineering presenting such varied and diverse attack methods, middle market companies are employing several strategies to address the threat. The reason cited most frequently (91 percent) in RSM’s survey for why attacks were unsuccessful was that employees did not act on the fraudulent request. In addition, 63 percent of middle market executives said that secondary controls prevented completion of an attack and 40 percent pointed to systems controls that prevented fraudulent communications or materials from reaching employees.

While middle market companies must be prepared for high-tech hacking strategies, they also must be aware  of employee manipulation and social engineering attacks that often take the form of low-tech or even no-tech efforts.

Download the full report»

How can we help you?

Learn more about our security, privacy and risk services.  Or get in touch with our risk advisory professionals.