A new global survey of 900 cybersecurity professionals published this week by Malwarebytes suggests cybersecurity professionals have some serious doubts about the motivations and ethics of some of their colleagues. The survey finds that cybersecurity professionals in the U.S. believe one in 20 of their colleagues may be a so-called “grey hat.” That equates to five percent of all U.S. cybersecurity professionals being suspected of being grey hats. The ratio rises to one in 13 among survey respondents living in the United Kingdom.
There is no hard evidence of how many grey hats there actually are in the cybersecurity community. Clearly, however, there is a significant amount of suspicion. Grey hats don’t typically use their skills to compromise their own organizations. But they do essentially use the skills they acquire in their day jobs to hack into other organizations for a fee, says Adam Kujawa, director of Malwarebytes Intelligence.
Individuals who are ethically and morally challenged are not uncommon in any profession. There are good reasons municipalities invest in internal affairs departments to investigate the police. The temptations are simply too great. A cybersecurity professional making $65,000 a year is being asked to thwart attacks by so-called black hats who can make as much as $166,000 a month, notes Kujawa.
The timing of the Malwarebytes report is far from coincidental given that the annual Black Hat USA 2018 conference is being held this week in Las Vegas. The Black Hat name itself has been a subject of controversy because many IT and cybersecurity professionals feel it doesn’t promote the values of the thousands of so-called white hats who attend the conference.
Tension concerning the activities of grey hats is rising because the cost of cybersecurity breaches continues to rise. The Malwarebytes report finds that in 2017 organizations in the U.S. spent on average $876,225 on a major remediation event. Of that spend, a full $516,405 went to remediating threats caused by a malicious insider, or “grey hat.”
“It’s just getting too expensive,” says Kujawa.
Chances are it won’t be long before many organizations start setting up their own internal affairs departments for cybersecurity. Many of them already rely on external expertise to make sure their personnel have not been compromised in one way or another. It doesn’t take all that much to exploit someone’s gambling habit, or to intimidate someone engaged in illicit activities into giving up credentials.
The arrest, conviction, and incarceration of grey hats has not been pursued with the same fervor as the pursuit of black hats. But as the cost of cybersecurity breaches continues to rise, it’s only a matter of time before some high-profile examples are made to deter others from giving in to similar temptation.
US security budgets climbed faster, and organizations spent 15 percent of those budgets on remediation: in the US, the average security budget was $930,004, rising to $1,119,821 in 2018. US security budgets are projected to climb 20 percent faster than in the other regions surveyed, with 15 percent spent on remediating active compromises (malware intrusions, threat remediation, forensics, etc.).
Cost to remediate in the US is astronomically high: in 2017, the US had the highest overall cost for a major remediation event, $876,225, more than eight times what businesses in the UK spent. Of this spend, $516,405 went to remediating threats caused by the malicious insider or “gray hat.”
Malicious insiders are harder to find: UK-based respondents believe that one in 13 of their colleagues are “gray hats,” working as security professionals while also operating as cybercriminals,
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.