Companies Should Not Dismiss a Bit of Grey Hatting by Staff as Just a Form of Letting Off Steam
The cost of cybercrime is normally described as direct costs: the cost of remediation, forensic support, legal costs and compliance fines, etcetera. A new survey has sought to take a slightly different approach, looking at the organizational costs associated with cybercriminal activity.
Sponsored by Malwarebytes, Osterman Research surveyed 900 security professionals during May and June 2018 across five countries: the United States (200), UK (175), Germany (175), Australia (175), and Singapore (175). All respondents were employed either managing or working on cybersecurity issues in an organization of between 200 and 10,000 employees.
The survey (PDF) relates staff salaries, security budgets and remediation costs; and concludes that the average firm employing 2,500 staff in the U.S. can expect to spend more than $2 million per year for cybersecurity-related costs. The amount is lower in the other surveyed countries, but still close to, or above, $1 million per year. Interestingly, the survey took the unusual step to see if there is any correlation in the number of grey hats employed by a firm and the overall cost of cybersecurity.
The basic findings are much as we would expect, and have been confirmed by numerous other research surveys: most companies have been breached; phishing is the most common attack vector; mid-market companies are attacked more frequently than small companies and as frequently as large companies; and attacks occur with alarming frequency.
The most surprising revelation from this survey is the number of grey hats working within organizations, and black hats that have been employed by organizations. Grey hats are defined as computer security experts who may sometimes violate laws or typical ethical standards, but do not have the full malicious intent associated with a full-time black hat hacker.
Overall, the 900 respondents believe that 4.6 of their colleagues are grey hats — or, as the report puts it, a full-time security professional that is a black hat on the side. This varies by country: 3.4% in Germany, Australia and Singapore, 5.1% in the U.S., and as much as 7.9% in the UK.
Motivations provided by the respondents include black hat activity being more lucrative (63%), the challenge (50%), retaliation against an employer (40%), philosophical (39%), and, well, it’s not really wrong, is it (34%)?
The extent of the income differential between a white hat employee and a black hat hacker is confirmed in a separate report from Bromium, published in April 2018: “High-earning cybercriminals can make $166,000+ per month; Middle-earners can make $75,000+ per month; Low-earners can make $3,500+ per month.”
According to the Malwarebytes survey, the highest average starting salary for security professionals (in the U.S.) is $65,578 or just $5,464 per month (compared to $75,000 for middle-earning black hats). The difference is far greater in the UK, where the average starting salary for security professionals is less than $3,000 per month.
“It’s interesting,” Jerome Segura, lead malware intelligence analyst at Malwarebytes told SecurityWeek: “that despite the skills shortage, when companies hire new security staff, they generally don’t pay them very much. There’s kind of a contrast here, where companies and governments claim it’s difficult to find the right people — but when they do hire people they don’t always pay them accordingly.”
There appears to be an inevitable conclusion when correlating figures between the U.S. and the U.K. Not only do the U.S. companies pay their security staff much more than UK companies, they also have a considerably higher security budget ($1,573,197 in the U.S. compared to $350,157 in the UK). Can it be simply coincidence that the UK then has a higher percentage of grey hats within their companies, and that the cost of remediation is proportionately higher (14.7% of the security budget in the U.S., and 17.0% in the UK)?
It makes sense that remediation would take up a higher percentage of a small budget — and it is tempting to think that the higher rewards of black-hattery would be attractive to lowly paid British staff. The U.S government believes it has found an example in Marcus Hutchins, the British researcher who found and triggered the ‘kill-switch’ in WannaCry. That was pure white hat behavior — but Hutchins was later arrested in the US and accused of involvement in making and distributing the Kronos banking malware.
“Hutchins has many who support him,” commented Segura, “and many who don’t. But given the surprising number of employed white hats who are considered by their peers to be grey hats, it will be interesting to see how this turns out.”
Segura accepts that comparatively low pay in the industry could be a partial cause for the surprisingly high number of grey hats working in infosec. He points out that the highest percentage of grey hats appear to work for mid-size companies that cannot afford the highest salaries, and which predominate in the UK. But he does not believe that finance is the only motivating factor. “There is a tricky line in the security profession,” he told SecurityWeek. “Some people are pure hackers in the original non-malevolent sense, and they like to poke around to understand things better — even if it is strictly speaking illegal. It also helps the job — by peaking behind the curtain you get a better understanding of how the criminals operate and you can better defend against them.”
But there’s more. “Don’t forget the social issues,” he added. “Techies can be socially awkward and have difficulty in fitting into a corporate structure. The nerd in his bedroom is a bit of a cliche, but there is some truth to it. Working in a business corporate environment is not for everybody. And in infosec there is a lot of pressure. You can’t fit the work into 9-to-5, five days a week — so people work up to 80 hours or more per week without getting recompensed for
it. That’s a lot of mental pressure — there’s a lot of burnout in infosec. It’s tough, but that’s the reality. If you’re in infosec, you’re on call 24/7.”
It would be wrong for companies to dismiss a bit of grey hatting by staff as just a form of letting off steam — that could prove disastrous. But at the same time, the onus is on the employer to find the solution. Companies probably cannot compete with black hats financially — but they should do as much as possible to be as inclusive and supportive as possible to the pressures of working in infosec.
Related: Arrest Shines Light on Shadowy Community of Good, Bad Hackers
Related: The Legislative & Regulatory Minefield Confronting Security Researchers
Related: Don’t Be Afraid To Put On Your Grey Hat