It's a shocking discovery that could shake your concept of security to its core: Those trusted to protect your networks are ignoring their own policies. Is something rotten in the state of cybersec?
Cybersecurity company Bromium has found that an average of 10% of security professionals have quietly paid ransomware demands, and that 35% have admitted to circumventing, disabling, or otherwise bypassing their organization's security.
"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," said Bromium co-founder and CTO Simon Crosby. "To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cyber security."
SEE: Security awareness and training policy (Tech Pro Research)
The study also suggests something else that should alarm anyone with a network to secure: Those numbers only account for security professionals who admit their mistakes.
It's entirely possible the problem goes far deeper—so what should diligent security professionals and CXOs do?
One possible reason given for an increase in security circumvention is what the National Institute of Standards and Technology (NIST) calls "security fatigue," which it defines as "weariness or reluctance to deal with computer security."
Several respondents to the NIST's study said they were bombarded by constant security warnings, password change requests, extra layers of security, and accidental lockouts, leading to them doing the bare minimum necessary to get rid of the popups and notices. If it bothers users then it bothers security professionals too—they are human, after all.
SEE: Endpoint security: People are the biggest source of vulnerability (TechRepublic)
Another, more troubling, possibility is something we've written about at TechRepublic before: Those who consider themselves tech-savvy are more likely to get hacked. Professionals may have an attitude of "it won't happen to me" due to their knowledge and training, but one moment of complacency is all a dedicated hacker needs to find an exploit.
"[Highly privileged users are] inclined to believe that they are highly vigilant and therefore more secure, when in fact they have become blasé about the operational security needs," Crosby said. "Just as you cannot train users not to click on plausible looking links, attachments and files, you cannot train IT Pros to remain vigilant."
If it seems like there's not a definite answer here you're right. Humans are infinitely varied in their motivations and behaviors, making it nearly impossible to say conclusively anything aside from the common refrain: Humans are the weak link in cybersecurity.
Protections against external threats are essential, of course, but defending your network requires a lot of introspective security too. It would be easy to say you should make sure users are well trained and aware of clicking the wrong things, but the average person isn't who we're concerned with right now—it's the lax professional.
Bromium's solution comes in the form of its own micro-VM product, but if you don't have the budget or desire to completely overhaul your system that isn't a feasible option. That doesn't mean that you can't improve security, however.
IT and cybersecurity professionals are the most important line of defense for your users, and they should know how essential their every move is. It's excusable when someone without tech training clicks on a bad link. It isn't when a tech pro leaves the door open for a hacker.