Your password for a candy bar?
Click here to read more about SpamStopsHere, the e-mail security company that brings you this blog.
This week is Information Security Awareness Week in the United Kingdom for 2008, and as they did last year, Infosecurity Europe did a social engineering susceptibility survey. The published results showed that 21 percent of the people surveyed were willing to share their account passwords for a chocolate bar.
The survey of 576 office workers was conducted outside a major railway station in London. Some of the statistics were alarming, including one that showed that women are more than four times as likely as men to share their passwords with attractive, well-dressed “market researchers”.
When asked if they would give their passwords to someone who phoned claiming to be from the information technology department, 58 percent of those interviewed said that they would.
Some other interesting results showed that 31 percent of people used the same password for all systems, but that a few users had to keep track of as many as 32 different passwords. Also, 61 percent of the office workers gave out their birthdates, which, along with your contact information, is a good start for an identity thief.
This type of research just goes to show how highly susceptible people are to social engineering techniques. The market researchers weren’t even set up at a kiosk inside the station, but were out on the street. What’s not clear is how many of those answering the survey gave false information just to get a candy bar. It’s possible that women are more than four times as smart as men at social engineering the social engineers to get a candy bar.
Although the 21 percent willing to share their password is much lower than the 64 percent from the 2007 survey, we have a long way to go in educating the public about social engineering attacks and basic information security.
When filling out your contact information for a drawing, please don’t provide your birthdate, or any information besides your mailing address and telephone number. It’s recommended that you don’t even provide the name of your employer or your e-mail address.