Cybersecurity Pros Are Hiding the Breaches: This Must Stop

May 31, 2017

Even the security good guys are failing us. That’s the upshot from the new survey of cybersecurity experts conducted by Bromium, a cybersecurity firm based in Cupertino, California.

The company surveyed attendees at the RSA Conference 2017 and others as part of a combined extended study and found startling results:

  • On average, 10% of security professionals said they had paid a ransom or hid a breach without telling their team members (5% at RSA, 15% in the extended study). Note: some 638 million ransomware attacks took place in 2016, which implies that tens of millions of such attacks are likely going unreported.
  • On average, 35% of security professionals said they went around, turned off, or bypassed their own corporate security settings (38% at RSA, 32% in the extended study of United States and United Kingdom security professionals).

The folks at Bromium said the results “kind of blew their minds.” No kidding. This level of failure to act is shocking. But on further analysis, it is perhaps understandable. The bad guys have both the incentives and easy access to the tools needed to break into servers and cause havoc.

For grid operators, this is not good news. An updated U.S. News & World Report article last year noted it took hackers just 22 minutes to get employees at an electric facility north of Seattle to bite on phishing emails. It was only an exercise, but proved the point that the grid is vulnerable and that humans are often the weakest link.

Security Fatigue

One of the root causes among cybersecurity professionals for this lack of diligence is security fatigue, as pointed out in a TechRepublic story. The National Institute of Standards and Technology (NIST) defines this fatigue as “weariness or reluctance to deal with computer security.” The author recommends that companies reduce such fatigue by boosting the relevance and importance of security alerts to an IT team and emphasizing the need for constant security vigilance.

It is hard to argue with that recommendation. However, I would take things a step further: institute regular, focused training on how to combat threats, combined with controlled drills or testing like the exercise at the plant near Seattle. It is unacceptable that people we need to trust have such careless attitudes and avoid taking action in the face of threats. It is hard to admit, but we are in far deeper trouble on this front than imagined. We must do better.