Study finds cybersecurity pros are hiding breaches, bypassing protocols, and paying ransoms

Study finds cybersecurity pros are hiding breaches, bypassing protocols, and paying ransoms

It's a shocking discovery that could shake your concept of security to its core: Those trusted to protect your networks are ignoring their own policies. Is something rotten in the state of cybersec?

Image: iStock/hjalmeida

Cybersecurity company Bromium has found that an average of 10% of security professionals have quietly paid ransomware demands, and that 35% have admitted to circumventing, disabling, or otherwise bypassing their organization's security.

The startling numbers come from research that began at RSAC 2017 and continued afterward due to the numbers above, which startled Bromium's research team.

"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," said Bromium co-founder and CTO Simon Crosby. "To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cyber security."

SEE: Security awareness and training policy (Tech Pro Research)

The study also suggests something else that should alarm anyone with a network to secure: Those numbers only account for security professionals who admit their mistakes.

It's entirely possible the problem goes far deeper—so what should diligent security professionals and CXOs do?

Identifying a root cause

One possible reason given for an increase in security circumvention is what the National Institute of Standards and Technology (NIST) calls "security fatigue," which it defines as "weariness or reluctance to deal with computer security."

Several respondents to the NIST's study said they were bombarded by constant security warnings, password change requests, extra layers of security, and accidental lockouts, leading to them doing the bare minimum necessary to get rid of the popups and notices. If it bothers users then it bothers security professionals too—they are human, after all.

SEE: Endpoint security: People are the biggest source of vulnerability (TechRepublic)

Another, more troubling, possibility is something we've written about at TechRepublic before: Those who consider themselves tech-savvy are more likely to get hacked. Professionals may have an attitude of "it won't happen to me" due to their knowledge and training, but one moment of complacency is all a dedicated hacker needs to find an exploit.

"[Highly privileged users are] inclined to believe that they are highly vigilant and therefore more secure, when in fact they have become blasé about the operational security needs," Crosby said. "Just as you cannot train users not to click on plausible looking links, attachments and files, you cannot train IT Pros to remain vigilant."

If it seems like there's not a definite answer here you're right. Humans are infinitely varied in their motivations and behaviors, making it nearly impossible to say conclusively anything aside from the common refrain: Humans are the weak link in cybersecurity.

How to keep your organization safe from itself

Protections against external threats are essential, of course, but defending your network requires a lot of introspective security too. It would be easy to say you should make sure users are well trained and aware of clicking the wrong things, but the average person isn't who we're concerned with right now—it's the lax professional.

Bromium's solution comes in the form of its own micro-VM product, but if you don't have the budget or desire to completely overhaul your system that isn't a feasible option. That doesn't mean that you can't improve security, however.

  • Minimize security fatigue by using a single sign-on system like Okta, Shibboleth, or OneLogin. Users can store all their credentials behind one secure system, saving time and headaches.
  • Do a better job of filtering security alerts and notifications to your IT team. It may take more time to set up a system that minimizes notices and only sends them to the necessary people, but it will make alerts seem more important when they are received.
  • If necessary, create an extra level of administrative privileges that lives between regular users and true admins. Restrict privileges a bit to force your line IT staff to conform to security standards.
  • Train, train, train, then keep training. Make sure your team knows you'll hold them accountable when something happens (and be sure to say when, not if).

IT and cybersecurity professionals are the most important line of defense for your users, and they should know how essential their every move is. It's excusable when someone without tech training clicks on a bad link. It isn't when a tech pro leaves the door open for a hacker.

The three big takeaways for TechRepublic readers:

  1. Bromium found that 10% of security professionals paid ransomware demands, and 35% admitted to circumventing company security policy.
  2. Security fatigue affects IT professionals just as much as regular users. That combined with a belief among tech pros that they're well trained and hyper-vigilant is a recipe for disaster. It only takes one moment of complacency to put the whole network at risk.
  3. Work to eliminate security fatigue, increase the relevance and importance of alerts to your IT team, and reinforce the importance of constant security vigilance. If necessary, put restrictions on your IT team to force them to conform to security standards.

Views: 45

"Destroying the New World Order"

TOP CONTENT THIS WEEK

THANK YOU FOR SUPPORTING THE SITE!

mobile page

12160.info/m

12160 Administrators

 

Latest Activity

Doc Vega posted a blog post
2 hours ago
Saint Quinn favorited Burbia's video
20 hours ago
Doc Vega posted blog posts
yesterday
Burbia commented on tjdavis's blog post The Jewish Couple That Taught Bob Dylan Hebrew and Introduced Him to Zionism
"Haaretz put this story behind a pay wall. Sali Ariel and Terry Noble were the names of the couple…"
Wednesday
William Heckman is now a member of 12160 Social Network
Wednesday
cheeki kea commented on tjdavis's photo
Wednesday
cheeki kea commented on cheeki kea's video
Thumbnail

This Woman DESTROYED Harley-Davidson's Future Forever

"It's a sad day on the highway. But I guess the show must go on. Watch out for the ruination of…"
Wednesday
cheeki kea posted a video

This Woman DESTROYED Harley-Davidson's Future Forever

This Woman DESTROYED Harley-Davidson's Future ForeverWelcome to Ride Radar – Your Frontline Source for Motorcycle Deals, Trends & Market Mayhem.Looking for t...
Wednesday
tjdavis posted a photo
Wednesday
Burbia posted a status
"Who knew releasing the MLK files and literally deflecting, it ends up implicating himself with the Epstein Files."
Tuesday
Burbia posted a video

Dan Bilzerian DEMOLISHES MAGA Nutjob Patrick Bet-David on His Own Show

Watch as two powerhouse personalities collide in this no-holds-barred debate on one of the world’s most contentious issues. Patrick Bet-David, known for his ...
Monday
Doc Vega's 7 blog posts were featured
Sunday
tjdavis's 2 blog posts were featured
Sunday
Less Prone favorited tjdavis's blog post Track AIPAC
Sunday
FREEDOMROX's blog post was featured

MRNA VACCINES: Question

Hello my fellow sojourners,I know it has been five years since the Plandemic, but one question has…See More
Sunday
Less Prone favorited FREEDOMROX's blog post MRNA VACCINES: Question
Sunday
cheeki kea commented on cheeki kea's photo
Jul 19
cheeki kea posted a photo
Jul 19
Doc Vega posted blog posts
Jul 18
Doc Vega commented on Doc Vega's blog post Marjory Taylor Green Proposes Bill Abolishing Geoengineering or Weather Modification
"cheeki kea Marjory is in a daily battle with Democrats on the hill constantly coming up with more…"
Jul 18

© 2025   Created by truth.   Powered by

Badges  |  Report an Issue  |  Terms of Service

content and site copyright 12160.info 2007-2019 - all rights reserved. unless otherwise noted