Business Negligence Of Social Engineering Hacks ‘Disaster Waiting to Happen’

Business Negligence Of Social Engineering Hacks ‘Disaster Waiting to Happen’


  • Security tests on 525 businesses discovered major susceptibility to social engineering hacking techniques
  • Almost three-quarters (71%) of businesses included in the test were breached by phishing attacks
  • Businesses are still making basic security errors – out-of-date software, weak passwords and insecure protocols were the most common vulnerabilities

Businesses across the globe risk being hit by potentially disastrous cyber-attacks because they aren’t adequately protecting themselves against basic social engineering techniques such as phishing, according to new research.

The second annual Penetration Risk Report from cybersecurity consultancy Coalfire tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities.

Employees at 71 percent of these businesses willingly offered up access credentials when targeted with phishing attacks by Coalfire’s penetration testers.  In 20% of cases, credentials were shared by more than half of employees.

Human error was a persistent theme across throughout the research with weak passwords and insecure internal procedures both in the top three most common vulnerabilities discovered by the research, alongside out-of-date software.

Andrew Barratt, UK managing director at Coalfire, said: “Our research proves that you’re only as strong as your weakest link when it comes to cybersecurity. A lot of businesses are taking steps to upgrade their security infrastructure, particularly as they migrate more systems into the cloud, but still aren’t addressing some of the fundamentals.

“The continued vulnerability to basic hacking techniques like phishing is a disaster waiting to happen for a lot of businesses. Coupled with the increased risk caused by out-of-date software and security misconfiguration our research uncovered, it’s clear that some routine security tasks are clearly still being neglected.

“It only takes one employee to click on the wrong link or unwittingly share sensitive information to a fraudulent email and a hacker is in. This makes security basics like limiting employee access based on their role as well as educating staff on how to use IT safely and how to spot suspicious activity vitally important.”

Organisations struggle to get cloud configurations right

Overall, businesses exhibited fewer high-risk vulnerabilities than they did in Coalfire’s 2018 report. But as firms move more systems into the cloud, coordinating and configuring multiple infrastructure providers and hybrid environments has become a major challenge.

Mike Weber, vice president Coalfire Labs – the security firm’s technical testing division – said: “We believe that the improved security postures we’re seeing are due to the shift toward cloud solutions. This reduces the need to secure and maintain on-premise IT assets and enables businesses to benefit from their service providers security infrastructure.

“There is a misconception from many that cloud adoption automatically means accepting more risk but this is only true if it’s done poorly.  Program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions when building applications in the cloud.”

 The threat landscape changes in the cloud

Coalfire Labs tested cloud service providers and general businesses separately to pinpoint the risks specific to each environment. For non-cloud enterprises the top three vulnerabilities were out-of-date software, insecure protocols and password flaws.

The top three cloud application vulnerabilities were cross-site scripting, injection and security misconfiguration.

 Retailers are streaking ahead when it comes to reducing risk

Coalfire’s research looked at five key sectors – tech, retail, healthcare, education and financial services. It found that retail businesses had made the most progress in reducing vulnerability in their IT environments.

Financial services saw the biggest increase in risk from external attacks, compared to 2018. Compliance struggles, privacy management, increasing third-party vendor assessments and ongoing payment card industry challenges combined to produce a 17% external risk increase over the last year.

Big businesses close the gap

Coalfire’s 2018 report found that medium-sized businesses were generally better at protecting themselves against cybersecurity threats than their larger peers. But this has been flipped on its head this year with large enterprises, across all sectors, exhibiting less vulnerability.

The testing found that big businesses were more likely to have taken the time to proactively test solutions before going to market.

About the Penetration Risk Report 2019:

To produce this report, Coalfire’s specialist pen-testing division – Coalfire Labs – analysed 623 individual penetration tests carried out on 525 businesses from across the United States, Europe and the United Kingdom. These tests simulate a range of cyberattacks to assess how well businesses’ IT security is able to cope with them.

The research focused on entities from the following sectors: financial services, retail, healthcare, education, technology and the public sector. Business of all sizes were tested.

About Coalfire Labs
The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organizations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defences, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organization.

About Coalfire

Coalfire is the trusted cybersecurity advisor that helps private and public-sector organisations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for nearly 20 years and has offices throughout the United States and Europe.

For more information, visit

Contributed content