The nasty thing with social engineering is that the victim falls for a scam, and ultimately helps cyber criminals to achieve their goal. Typically they want to break into a large computer system or simply access the victim's bank account. While computer systems are protected with advanced technology, social engineering has become the most successful method of breaking into mobile devices, computers, and networks.

Recently, Sans Institute and Bishop Fox conducted an insightful survey on cyber security from a fresh perspective. The researchers asked about 300 ethical hackers - security professionals who work as consultants, inspectors and security testers - about their favorite methods and tools for finding problems in clients' computer networks. 83.4% of respondents were based in the US.

I focus on a few key findings of the survey, but you can find the entire report here.

Which attack method is the most likely to succeed?

• Two attack techniques are clear winners: 32.1% of social engineering attacks succeed and phishing 17.2%.
• Zero day attacks get plenty of publicity but only 3.8% are successful, but man-in-the-middle attacks are even worse with only 1.4% success rate.
• So, the easiest way to break into computer systems according to cybersecurity experts is social engineering (phishing is a social engineering technique, after all).
• The high success rate of social engineering inevitably means that we are going to encounter ever more attempts that try to lure us to do something we shouldn't do. A consequence may be that quite soon we may have to stop clicking all links that we receive via email or a messaging app. Clicking links posted by users on social media services must be avoided as well. It really means that all links must be avoided. Only if we can verify that the content was published by a publication we trust we can follow the link.
• Another consequence is that we may have stop downloading phone apps that come from sources we don't know or can't verify. Google Play Store and Apple App Store can include tested and verified apps that still feature malware. Recently, security experts discovered 16 apps featuring malware at Google Play that had been downloaded 20 million times.

How long does it take to break in to a target system?

• About 25% of experts said they can enter a victim's system in 3 or 5 hours.
• 57% said they can break in within 10 hours.
• This is good news for individuals and small businesses who are not high profile targets. If your phone, PCs, and routers have solid basic protection up-to-date and active, hackers won't spend much time knocking on your door. They will quickly move on to the next target. Here are more tips for securing the basic things.
• I have followed on a server console when hackers are trying to break in to our content management system where we publish our articles. A typical scenario is that they try to break in for a few minutes, maximum for an hour, and move on. Even though the attacks tend to be automated, they don't last long once they realize it won't be easy to get in.

64% of experts say they can quietly hoover data from the victim's system in less than five hours after they have managed to break in. 41% only need two hours or even shorter time to access the data.

In a fast attack scenario, cyber criminals may break in, copy the data, and perhaps lock it down for ransom in a couple of hours. Other type of attackers may choose to stay in a target system quietly, waiting for commands to be executed later. So, not to let anyone in is the objective for every organization and individual who is planning to protect data and devices.

The internet, email or social media is not going away because of serious cyber crime problems. What is going to end is our current careless behavior in the digital world. Too many cyber attacks succeed because victims help attackers to get in. Social engineering works. It has to end. We have to learn safer ways to behave in the digital world.

The Register reported about the research.

Header image by Gerd Altmann.