Companies remain at risk for information theft

80% of corporate employees will reveal sensitive company information over the phone; 33% will reveal information via e-mails

TAMPA, Fla. Nov. 10, 2005 - As many as 80 percent of corporate employees will disclose sensitive company or customer information to people they do not know over the telephone, and up to 33 percent will do the same via email, according to RavenEye, an information security consulting business.

Those numbers came to light when the company conducted a series of information security assessments for several US-based companies, according to Joseph Kirkpatrick, RavenEye's president.

While trusted employees are the major source of confidential corporate information leaks, Kirkpatrick said, most business leaders remain unaware of what goes on under their very noses.

"Business leaders are largely ignoring this catalyst for information leaks in their companies," Kirkpatrick said. "Human error is the common element in the information theft stories which have been a fixture in the 2005 headlines. Staff awareness and training for this threat lags behind the growing rate of phishing emails, pretext calls and on-site impersonations, which utilize many social engineering elements."

Kirkpatrick said his company conducted a series of information security assessments for a number of different companies. RavenEye information security specialists used social engineering techniques to convince corporate employees to share such critical information as network IDs and passwords, which could be used to obtain sensitive company data.

Social engineers prey upon the human emotions of fear, trust, kindness and greed to trick others into sharing critical secret information, Kirkpatrick said.

Businesses will spend $45 billion worldwide on security technologies in 2006, according to a recent study by market reasearchers at IDC. But Kirkpatrick said technology alone will not addresss the risks that face corporate employees who, maliciously or unknowingly, provide access to an outsider seeking to circumvent the complicated security technologies protecting valuable information.

"Good security technology is available to companies, and they should have it in place," Kirkpatrick said. "But the most serious threat comes from the human factor. Curiously, that is the part of the equation that businesses continue to pay little attention to."

About RavenEye, based in Tampa, Fla., provides information security consulting services for businesses seeking to verify compliance wtih federal and state information security laws. Internal policies and procedures are put to the test during real-world attacks on the company’s sensitive information. Certified information security professionals pose as outsiders and/or employees to conduct assessments that will analyze the company's response during an attempt to steal information.