[BreachExchange] Over a Third of Security Pros Bypass Their Own Corporate Security Settings

Destry Winant destry at riskbasedsecurity.com
Thu May 11 00:23:54 EDT 2017


A recent Bromium survey
<https://blogs.bromium.com/security-pros-pay-ransom-hide-breaches/> of 210
security professionals in the U.S. and U.K. found that 35 percent of
respondents admitted having gone around, turned off, or bypassed their own
corporate security settings.

Even more alarmingly, 10 percent of respondents admitted having paid a
ransom or hid a breach without alerting their team.

"While we expect employees to find workarounds to corporate security, we
don't expect it from the very people overseeing the operation," Bromium
co-founder and CTO Simon Crosby said in a statement.
"Security professionals go to great lengths to protect their companies, but
to learn that their decisions don't protect the business is frankly rather

"To find from their own admission that security pros have actually paid
ransoms or hidden breaches speaks to the human factor in cyber security,"
Crosby added.

A Need for Training

Still, a recent ESET survey
of over 400 U.S. adults found that a third of respondents said they hadn't
received any form of cyber security training at their organization, and 62
percent said they don't receive recurring cyber security training.

Forty-nine percent said they would take a cyber security training course at
their workplace, even if it were optional to attend.

Respondents said they feel like their largest cyber security knowledge gaps
are in email threats (30 percent), protecting mobile devices (30 percent),
ransomware (29 percent), smart or connected devices (29 percent), and
creating strong passwords (16 percent).

Strikingly, 20 percent of respondents said they're "not at all aware" of
cyber security best practices, while 52 percent said they're "somewhat

Cyber Security Novices

A separate MediaPro survey
of 847 retail employees recently found that fully 71 percent were cyber
security risks or novices who could benefit from enhanced awareness
of privacy and security risks.

Survey respondents' cyber security awareness was weakest with regard to
incident reporting, identifying personal information, working remotely,
cloud computing, and acceptable use of social media.

Twenty-six percent of respondents thought it was acceptable to use a
personal USB drive to transfer work documents when working remotely, and 25
percent failed to identify a sluggish computer as a potential clue that
their computer might be infected.

Twelve percent of respondents chose to use free, public Wi-Fi at a cafe to
complete their work for the day, and 47 percent said they'd hold the door
open for someone who appeared to work with them even if they didn't have ID.

"The results of this survey strongly suggest retailers need to rethink
cyber security and data privacy as matters of overall risk management, not
just check-the-box compliance based on PCI standards alone," the MediaPro
report states. "Retailers limit their employee education to PCI training at
their own risk, as threats to an organization's financial and reputational
wellbeing exist beyond the typical coverage of this training."