IT security professionals are generally viewed as the good guys, right? You know the routine. If you have a problem, if no one else (in the office) can help, and if you can find them, maybe you can hire… the IT security guy.
It seems that not all is as rosy as you might imagine among IT professionals, though. A new report from anti-malware software firm Malwarebytes has suggested that security professionals are being lured into the murky world of cybercrime.
The report ‘White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime’, which can be downloaded from Malwarebytes’ website, polled 900 senior IT decision makers and IT security professionals in Australia, Germany, USA, the UK and Singapore “about the impact of cybercrime on their bottom line”. The first point of note is that the report’s findings certainly don’t paint a positive picture of the state of cybercrime in the world, with incidents having escalated and the sums companies are spending on security budgets rising substantially too, particularly in the US.
Mid-sized companies with 500-999 employees were found to be increasing their security budgets significantly, reporting a 36% budget rise, and this is obviously affecting profits. As for what that money is being spent on combating, the most common cause of all major global security incidents was found to be phishing (44%) with ransomware also ranking highly (26%).
But the most interesting findings of the report concern the personal impact of cybercrime, and it seems that plenty of IT security professionals are having their heads turned. Among those surveyed, 46% agreed that it was easy to be involved in cybercrime without getting caught, and a significant 41% actually knew or have known someone who has participated in so-called ‘black hat’ activity, typically engaging in cybercrime for financial or personal gain.
The numbers are particularly worrying in the UK, as interest in black hat activity appears to be pretty high, with around one in five security professionals having considered it.
The report’s findings additionally point out that, globally, respondents believe under 5% of their colleagues are suspected of being ‘grey hats’ - people who are continuing as security practitioners while also being involved in cybercrime. Here in the UK, that figure is higher still, with nearly 8% of respondents suspecting their colleagues of being grey hats.
Given that cybercrime is commonly understood to be a bad thing, why is it that highly trained, very capable security professionals are considering, or are even actively in the process of, moving over to the dark side? It’s all about the money (of course). Given that a relatively high proportion of respondents said that it was quite easy to engage in cybercrime without getting caught, it’s probably not all that surprising to learn that those who do are looking to make some money on the side.
Security professionals (53%) generally agree that there’s more financial gain from fighting cybercrime than helping to facilitate it, but conversely over 62% of respondents globally said that the main perceived reason for becoming a ‘black hat’ was that more money could be earned than as a security professional. Couple these points with the fact that salaries for security professionals in the UK are low compared with their global counterparts and you have the beginnings of a potential recipe for trouble.
It’s clear that the UK is facing some very real cybersecurity problems according to Malwarebytes’ report, and it’s interesting to note that organisations in the UK had the lowest security budget of the five nations surveyed.
Maybe it’s time to show IT professionals more recognition - and remuneration?