Social engineering attacks remain the number one concern for security professionals in 2018

Workers who violate security standards and easily fall victim to social engineering attacks remain the biggest risk to a company’s cyber safety.

This is according to a new report from Black Hat and UBM, which polled 315 international IT professionals about their practices and attitudes towards security.

The Black Hat USA 2018 Attendee Survey, released today, found that 38% of infosec pros perceive the biggest weakness to be “end users who violate security policy and are too easily fooled by social engineering attacks”.

This figure, unchanged from 2017, remains a pressing concern for Black Hat general manager Steve Wylie.

He told The Daily Swig: “This data is consistent with results from last year, so while it was not a total surprise, it’s still a large concern that highlights the need for expanding and improving education in the area.”

A further 34% of respondents said that a lack of people and skills is the main contributor to poor security practices.

And 40% said their single greatest concern is social engineering attacks, such as phishing emails and social network exploits.

Collective responsibility

These results alone aren’t the most surprising, given the increasing number of attacks designed to exploit human error.

But the report also raised questions surrounding the practice of bug bounty programs and whether they threaten the important practice of responsible disclosure.

When asked, 87% of respondents said that researchers should practice responsible disclosure when they discover a new vulnerability.

Responsible disclosure states that researchers should give a company or organization a fair amount of time to patch the bug before going public with their findings.

But the growing trend that has seen governments and large companies launch bug bounty programs has also propelled a greater issue into the spotlight.

Researchers who submit to a bug bounty program are paid for their findings, and those findings are not necessarily made public.

This can weaken the incentive to follow traditional disclosure rules, the report suggests. The survey results indicate, however, that disclosure is still seen as an important obligation within the community.

Wylie added: “The emergence of bug bounty programs certainly put coordinated disclosure into question and we felt it necessary to address the question this year to understand what’s happening.

“Through our research, we found that the spirit of coordinated disclosure is alive and well among the community of ethical hackers.

“Additionally, the large number of research submissions Black Hat receives year after year further proves the community’s dedication to coordinated disclosure.”

Aside from security issues, privacy and how data is collected and shared was also a hot topic in 2018.

In the wake of the Facebook data-harvesting scandal earlier this year and the introduction of GDPR in May, 55% of those polled said they are advising others to be careful about the data they are sharing online.

A further 23% said they are tightening the privacy settings of their corporate Facebook accounts.

And 18% said they have advised their organization to radically reduce the use of Facebook.

The report also found that while 44% of respondents have invested in GDPR compliance, 30% said they are behind in becoming compliant or do not know their GDPR status.

Wylie commented: “In light of recent news spanning Facebook, GDPR and various security breaches, it has also unveiled some really alarming data around privacy.

“Most notably, only 26% of respondents said they believe it will be possible for individuals to protect their online identity and privacy in the future.

“A statistic that is specifically alarming considering respondents are the experts currently working in the field to protect privacy and sensitive data.”

Black Hat USA 2018 takes place at the Mandalay Bay, Las Vegas, on August 4-9.