New research has revealed that the opportunity to earn more money, to do something more challenging, and to retaliate against a former employer is driving more security professionals in the UK into Grey Hat activities than anywhere else in the world.
A Grey Hat is someone who works both as a cyber-criminal and as a security professional, something like Dr Jekyll and Mr Hyde, or Shutter Island if you like. However, according to research from Malwarebytes, this is not the result of alternate personalities but of a combination of factors such as low starting salaries, disgruntlement at work, and various philosophical reasons.
The security firm revealed in its new report, "White Hat, Black Hat and the Emergence of the Grey Hat: The True Costs of Cybercrime", that the security budgets of organisations in the UK are lower than those in the US, Germany, Australia, and Singapore. According to the report, organisations in the UK with 2,500 or more employees had an average cyber-security budget of just under £200,000 last year, and this is expected to rise by a meagre £20,000 this year.
Considering that organisations in the UK spend most of their security budgets on remediation activities (£188,000 per year), not much is left to cover the salaries of the cyber-security professionals who are expected to put hours upon hours into detecting and remediating cyber-threats. As a result, the average starting salary for an entry-level security professional in the UK is lower than in the US, Germany, Australia, and Singapore.
Such being the case, many security professionals in the country are now turning to Grey Hat activities: 1 in 13 in the UK are involved in such activities, compared to 1 in 22 globally. In a survey carried out by Malwarebytes, 53.7 percent of security professionals in the UK said they go into black hat activity because it gives them the opportunity to earn more.
Of the same respondents, 46.3 percent told Malwarebytes that it is easy to get into cyber-crime without getting caught, 53.1 percent said they found it more challenging, 39.3 percent said they got into Grey Hat activity to retaliate against an employer, and 29.7 percent told the surveyors that they did not perceive Grey Hat activity as wrong.
"We are seeing more instances of the malicious insider causing damage to company productivity, revenue, IP and reputation. We need to up-level the need for proper security financing to the executive and board level. This also means updating endpoint security solutions and hiring and rewarding the best and brightest security professionals who manage endpoint protection, detection and remediation solutions," said Marcin Kleczynski, CEO of Malwarebytes.
Considering that 97.1 percent of organisations in the UK had fallen victim to a significant security threat in the past 12 months compared to 72.6 percent of global organisations, it is necessary for organisations to have the right talent in place and to reward professionals to ensure they do not engage in Grey Hat activity or turn into malicious insiders for money.
Commenting on the rise in the number of Grey Hat workers in the UK, Joseph Carson, chief security scientist at Thycotic told SC Magazine UK that since most organisations in the UK are looking for experienced cyber-security workers instead of rookies, young security professionals are forced to perform activities that are questionably legal in order to take the quick path to financial success.
"In the UK most young people are unlikely to be directly involved in cybercrime, and UK-based Grey or Black Hat hackers will sell their services to hackers in countries which have no laws for such crimes. This means it reduces the possibility of getting caught and is likely to encourage more of our youth deciding to take a path that could cause havoc globally in the future," he added.
Antti Tuomi, principal consultant at F-Secure, told SC Magazine UK that not all Grey Hat security professionals are necessarily engaging in criminal activity, as part of such activity involves reverse engineering enterprise software to find vulnerabilities and then reporting them to organisations such as the Zero-Day Initiative (ZDI) in exchange for a monetary reward.
"Although reversing is usually against the EULA, one could argue that finding these issues and reporting them somewhere, still in a way, makes the world a safer place, even if the means (reversing) and the driver (cashouts) are not on the pure white spectrum of things," he said.
Tuomi added that in order to fight back against Grey Hat activity, software vendors need to provide a bug bounty program with reasonable payouts and a transparent enough process.
"Instead of the exploits being sold to ZDI, if you offer a good enough compensation and do not 'game the system' with claiming things are duplicates or have a smaller impact than they do, there's a chance that freelancers and moonlighters might contribute towards improving your security instead of exploiting you," he added.