Cybersecurity professionals tasked with protecting their organization from threats sometimes turn to black hat activity themselves to earn more money, costing their organization more in the process, according to a Wednesday report from Malwarebytes and Osterman Research.
The report surveyed 900 security professionals worldwide. Globally, 46% of these professionals agreed that it is easy to get into cybercrime without getting caught. Another 41% said they either know or have known someone who has participated in this “gray hat” activity, straddling the line between cybersecurity worker and hacker, the report found.
Security professionals said they believe that 4.6% of their fellow security professionals are gray hats, representing more than one in every 22 people working in the cybersecurity space. Some 22% of respondents have been approached about participating in black hat activity, and 12% said they have considered taking part, the report found.
Overall, 69% of respondents agreed that there is more money to be made in fighting cybercrime than in becoming a cybercriminal. However, when asked about the perceived reasons why someone might turn into a gray hat, 63% said it was to earn more money than they would as a security professional. Another 50% cited the challenge that it offers, 40% cited retaliation against an employer, and 39% cited philosophical reasons or some sort of cause. Another 34% said that it was because this activity was not perceived as being wrong.
The most lucrative cybercriminals can earn in excess of $166,000 per month, a previous Bromium report cited by Malwarebytes found. Mid-range hackers can make $75,000 per month, and low-end ones can earn more than $3,500 per month. Meanwhile, in the US, average starting salaries for cybersecurity professionals are $65,578 per year, the report noted.
Enterprises need trustworthy cybersecurity professionals more than ever, especially as the cost of cyber incidents continues to rise. Globally, the average cost for remediating a single security event is about $330,000 for a 2,500-employee organization. This price includes IT and other labor, software and hardware solutions, legal fees, direct costs (like paying a ransom), and fines, the report noted.
In 2017, the US had the highest overall cost for a major remediation event, at $875,225, the report found. Of this cost, $516,405 was spent on remediating threats caused by malicious insiders, or gray hats.
With the number of threats companies face, an organization of 2,500 employees in the United States can expect to spend about $1.9 million per year for cybersecurity-related costs, according to the report.
The big takeaways for tech leaders:
- 46% of cybersecurity professionals agreed that it is easy to get into cybercrime without getting caught. — Malwarebytes, 2018
- Globally, the average cost for remediating a single security event is about $330,000 for a 2,500-employee organization. — Malwarebytes, 2018