The
survey demonstrates the strength of a hacking technique known as
social engineering, in which information is coaxed out of people
rather than extracted from computer systems.
A team of interviewers from the Infosecurity Europe conference
conducted the research, offering participants a bar of chocolate
for taking part in a fake survey designed to elicit their
passwords from them. Half of the interviews were with general
office workers on their daily commute; the other half were conducted
with IT workers attending a conference.
The person posing as a researcher asked each person what they
thought the most common password was, and then what their password
was. Forty per cent of commuters and 22% of IT workers immediately
gave up their password.
The remainder were then asked whether the password was their
child's name, a football team or a family pet, and the researcher
then tried guessing what it might be based on those answers. A
further 22% of commuters and 42% of IT workers gave up their
password under this questioning. In total, 64% of all respondents
told the researcher their password.
The security lapse was particularly damaging in the case of the
IT workers, and not just because they should be more aware of
security policies, which advise against telling anyone a password.
Because they were attending a conference, their names and
organisations were readable from their badges. Paired with the
password, that gives an outsider a complete set of credentials and
makes it very easy to impersonate them on the company network.
"This survey shows that even those in responsible IT positions
in large organisations are not as aware as they should be about
information security," said Sam Jeffers, the event manager for
Infosecurity Europe 2007. "What is most surprising is that even
when the IT professionals became slightly wary about revealing
their passwords, they were put at their ease by a smile and a bit
of smooth talk."
The survey also found that workers were more trusting of the IT
department than of their boss. It found that 39% of workers would
give their password to someone from the IT department who claimed
to need it, while just 32% would give it to their manager.
Another Infosecurity Europe survey recently found that a third
of businesses do not report e-crime because they fear the adverse
publicity that comes from exposure as the victim of hacking
attacks.
According to that survey of 20 chief security officers at large
businesses, fear of reputational loss stops even large firms from
reporting attacks. Tony Neate, managing director of the
government-backed online safety body Get Safe Online, said that
reporting e-crime benefits all businesses.
"In order to be effective we need to know what the scale of the
problem is; this can only be measured if we report incidents when
they occur," said Neate. "How and who we report to is a matter for
debate, whether it is the internet service provider, bank, or local
police. Without collating the scale of the e-crime problem, we will
never truly be aware of the cost to society at large and the
measures that need to be put in place to fight it."