Take a look at how well top companies protect their information

Nov 1, 2011 10:05 GMT

At this year's Defcon conference, researchers from Social Engineer tested the reactions of 14 companies to see how quickly they would give in to social engineering attempts. The results show that sooner or later most organizations fail.

As it turns out, businesses that deal with customers in retail settings tended to be more cautious when answering questions, while those that rely on large call centers were the weakest.

In a simple 'capture the flag' game, contestants were asked to retrieve as many flags as possible, each flag being a piece of information that belonged to a firm such as Apple, AT&T, Dell, IBM, McDonald's, Oracle or United Airlines.

The objective of the game was to obtain answers to questions such as "What operating system is in use?", "Is there a company VPN?", "New hire orientation information?" or "Where do they get copier paper?".

The figures show that while AT&T, Walmart, Symantec and McDonald's showed the highest resistance, Oracle was at the bottom of the chart, obtaining less than 10 points out of a total of 50.

The subjects also had to be convinced to visit a certain URL, to see just how quickly they would give in to an attempt designed to serve malware. In the end, even if some of them put up a decent fight, they all gave in and visited the website.

When it comes to resistance, IBM put up the most, while Oracle, Verizon, Delta Airlines and Apple put up the least.

In most cases, employees from support were targeted, with those from retail stores and sales splitting half of the chart. To make sure they would succeed in the game, more than half of the contestants pretended to be customers, while 30% preferred the employee approach.

While many of the organizations involved spend millions on security measures, it's clear that they still have a lot to work on when it comes to educating their staff on how to handle social engineering attempts.