Over a third of information security professionals have admitted bypassing corporate security controls, while 10% have covertly paid ransomware authors or otherwise hidden a breach, according to new research from Bromium.
The security vendor polled 210 security professionals at RSA Conference in February, and followed up afterwards with further polling in the US and UK to verify the surprising findings.
A total of 35% claimed they have turned off or bypassed security settings in the course of their jobs.
“We often hear that people are frustrated by security constraints, as they stop them from carrying out their role as effectively as possible,” Bromium’s EMEA CTO, Fraser Kyne, told Infosecurity Magazine.
“Security pros should be expected to understand the risks associated with circumventing security controls, but this doesn’t mean they won’t do it if the situation requires it.”
Kyne argued that security teams should be leading by example, but that ultimately human behavior is always the weakest link when it comes to cybersecurity.
“Even those that are the most aware of the risks will bypass security processes if it helps them to conduct their work more effectively,” he said.
“This underlines the importance of nullifying user-introduced threats, rather than trying to control user behavior with strict codes of conduct. Rather than putting in place a bunch of stops and checks that become a hurdle to employees’ ability to get things done, organizations should be looking for a way to give their employees the freedom to work efficiently without worrying about security threats.”
Equally surprising was the finding that some cybersecurity professionals are effectively giving in to the black hats: one in ten admitted to paying ransomware authors or to hiding a breach without telling their own team.
This calls to mind a similar study in 2015, when AlienVault polled 1000 security professionals at RSA Conference and found that one in five had witnessed a company hide or cover up a breach.
This kind of behavior is going to become increasingly risky with the arrival of the European General Data Protection Regulation (GDPR) next May, which will require organizations to notify their supervisory authority of a personal-data breach within 72 hours of becoming aware of it, and will levy heavy fines on companies that fail to do so.