- We did a survey at RSAC in February that kind of blew our minds; so much so we surveyed more people to check our work!
- Security professionals admit to paying ransom (from ransomware) and not telling anyone what they’d done.
- When we went more broadly – U.S. and U.K. security pros – the numbers didn’t get better (they got worse).
Have you ever paid a ransom and not told anyone? Turns out many people have and we suspect that’s because it’s kind of embarrassing. You clicked on something you realize you shouldn’t have, the darn ransomware script runs and you realize you just got owned. The ransom isn’t that expensive and if you just pay it, it goes away. Or does it?
Sadly, there’s a good chance you’ve let someone into the network and the next breach won’t be as simple. And by not telling anyone, you’ve left the door open for the bad guys. Generally, we don’t expect you to know this. But we do expect security pros to understand. And that’s why we were so surprised that they admit to doing the exact same thing: paying ransoms and not reporting breaches.
Relying on end users is not the answer.
In addition to paying ransoms and hiding breaches, these same folks admit to going around security to get their jobs done. This is consistent with other studies finding that security controls can get in the way and slow down worker productivity. The NIST study called it “security fatigue” and found related behaviors that put a company at risk.
“While we expect employees to find workarounds to corporate security, we don’t expect it from the very people overseeing the operation,” said Simon Crosby, co-founder and CTO of Bromium. “Security professionals go to great lengths to protect their companies, but to learn that their decisions don’t protect the business is frankly rather shocking. To find that security pros have actually paid ransoms or hidden breaches speaks to the human factor in cyber security. It’s one reason we pursued virtualization-based security. It takes the burden off the end user and ensures IT and security teams protect their business assets and data.”
When it comes to cyber security, there are really two ways it’s being implemented today. Either controls are mandated from the top and locked down so an employee cannot go around the protocol, or there are end-user controls that allow modifications and therefore increased risk. In the first case, employees are limited in what they can do, which can hinder business innovation. In the latter case, employees can choose to turn off security and put the business at tremendous risk. Either way, it’s a lose-lose situation when considered through the enterprise security lens.
With Bromium, the end user is relieved of duty. They can click with confidence because everything they do is contained in a micro-VM. This 90-second video shows how quickly we stop ransomware. With just a click, the micro-VM is closed, the session is ended and the threat is gone. If you’re ready to stop blaming your end users and see how Bromium can work for you, let us know.