Study finds cybersecurity pros are hiding breaches, bypassing protocols, and paying ransoms

By Brandon Vigliarolo | May 9, 2017, 10:27 AM PST

http://www.techrepublic.com/article/study-finds-cybersecurity-pros-...

Cybersecurity company Bromium has found that an average of 10% of security professionals have quietly paid ransomware demands, and that 35% have admitted to circumventing, disabling, or otherwise bypassing their organization's security.

The startling numbers come from research that began at RSAC 2017 and continued afterward due to the numbers above, which startled Bromium's research team.

"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," said Bromium co-founder and CTO Simon Crosby. "To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cyber security."

SEE: Security awareness and training policy (Tech Pro Research)

The study also suggests something else that should alarm anyone with a network to secure: Those numbers only account for security professionals who admit their mistakes.

It's entirely possible the problem goes far deeper—so what should diligent security professionals and CXOs do?

Identifying a root cause

One possible reason given for an increase in security circumvention is what the National Institute of Standards and Technology (NIST) calls "security fatigue," which it defines as "weariness or reluctance to deal with computer security."

Several respondents to the NIST's study said they were bombarded by constant security warnings, password change requests, extra layers of security, and accidental lockouts, leading to them doing the bare minimum necessary to get rid of the popups and notices. If it bothers users then it bothers security professionals too—they are human, after all.

SEE: Endpoint security: People are the biggest source of vulnerability (TechRepublic)

Another, more troubling, possibility is something we've written about at TechRepublic before: Those who consider themselves tech-savvy are more likely to get hacked. Professionals may have an attitude of "it won't happen to me" due to their knowledge and training, but one moment of complacency is all a dedicated hacker needs to find an exploit.

"[Highly privileged users are] inclined to believe that they are highly vigilant and therefore more secure, when in fact they have become blasé about the operational security needs," Crosby said. "Just as you cannot train users not to click on plausible looking links, attachments and files, you cannot train IT Pros to remain vigilant."

If it seems like there's not a definite answer here you're right. Humans are infinitely varied in their motivations and behaviors, making it nearly impossible to say conclusively anything aside from the common refrain: Humans are the weak link in cybersecurity.

How to keep your organization safe from itself

Protections against external threats are essential, of course, but defending your network requires a lot of introspective security too. It would be easy to say you should make sure users are well trained and aware of clicking the wrong things, but the average person isn't who we're concerned with right now—it's the lax professional.

Bromium's solution comes in the form of its own micro-VM product, but if you don't have the budget or desire to completely overhaul your system that isn't a feasible option. That doesn't mean that you can't improve security, however.

• Minimize security fatigue by using a single sign-on system like Okta, Shibboleth, or OneLogin. Users can store all their credentials behind one secure system, saving time and headaches.
• Do a better job of filtering security alerts and notifications to your IT team. It may take more time to set up a system that minimizes notices and only sends them to the necessary people, but it will make alerts seem more important when they are received.
• If necessary, create an extra level of administrative privileges that lives between regular users and true admins. Restrict privileges a bit to force your line IT staff to conform to security standards.
• Train, train, train, then keep training. Make sure your team knows you'll hold them accountable when something happens (and be sure to say when, not if).

IT and cybersecurity professionals are the most important line of defense for your users, and they should know how essential their every move is. It's excusable when someone without tech training clicks on a bad link. It isn't when a tech pro leaves the door open for a hacker.

The three big takeaways for TechRepublic readers:

1. Bromium found that 10% of security professionals paid ransomware demands, and 35% admitted to circumventing company security policy.
2. Security fatigue affects IT professionals just as much as regular users. That combined with a belief among tech pros that they're well trained and hyper-vigilant is a recipe for disaster. It only takes one moment of complacency to put the whole network at risk.
3. Work to eliminate security fatigue, increase the relevance and importance of alerts to your IT team, and reinforce the importance of constant security vigilance. If necessary, put restrictions on your IT team to force them to conform to security standards.