IT Leadership

The Perils of IT Security Hubris

Corporate cybersecurity has been increasingly compromised since businesses and organizations began implementing work-from-home (WFH) policies in March as the pandemic continued its spread.

Malwarebytes in June set out to measure the how corporate IT leaders reacted to the pandemic; and what strategies are planned as they look forward. The antimalware software firm surveyed more than 200 IT experts at companies of various sizes. Those survey results, combined with the firm’s internal telemetry, found that many IT heads might be overconfident about the cybersecurity protocols and procedures they have in place.

For example, 44 percent of the respondents did not provide cybersecurity training to the workforce, 45 percent did not perform security and online privacy analyses of software tools deemed necessary for the transition to WFH, and 18 percent said cybersecurity was not a priority for their employees.

Despite this, more than 70 percent of the respondents to Malwarebytes’ survey gave their organization a score of 7/10 when asked to determine their readiness to transition to WFH.

“This may be an example of an often difficult-to-measure phenomenon that we call security hubris, also known as overconfidence in limited security measures deployed,” the survey stated.

Perception vs. Reality

There’s no question that the WFH trend has seen an increase in activity from hackers.

“We’re seeing a strong uptick in phishing attacks due to the COVID-19 pandemic,” Chlo Messdaghi, VP of Strategy at Point3 Security told TechNewsWorld.

“For example, we’re seeing increasing attempts by threat actors to get into companies through their employees’ personal email addresses and SMS messages,” Messdaghi said. “It’s all but irresistible to bad actors because this pandemic is making their jobs so much easier.”

Corporate IT must be aware of this, so why the dissonance between the respondents’ self-assessments and reality?

“There’s a problem embedded within security hubris that exists in many other spheres — we don’t know what we don’t know,” David Ruiz, online privacy advocate at Malwarebytes Labs, told TechNewsWorld.

Security hubris is widespread, “but not through any malicious intent,” Ruiz said. Sometimes, it’s due more to focusing on only one aspect of cybersecurity rather than ignoring the problem, such as, for example, the IT professional who focuses on outside threats but forgets about insider threats, or the reverse.

“Some of the enterprises claiming to be ready really are ready — not necessarily perfectly ready, because perfect security is a myth, but reasonably ready,” Andy Ellis, Chief Security Officer at Akamai Technologies, a global content delivery network, cybersecurity, and cloud service company, told TechNewsWorld.

“Other organizations might think that they are ready, but they’re just mistaken,” Ellis said. “Still others might know they aren’t ready but who wants to paint a target on their back by admitting that?”

New Threat Frontier

It could be that IT professionals have not had sufficient time to deal with the new dimension of coverage the WFH phenomenon has added, as businesses moved to WFH very rapidly.

Akamai found that consumption of Internet service over enterprise-connected devices increased 40 percent in March, and traffic to malware-associated websites shot up 400 percent. “Both these observed changes are considered as the outcome of changes in users’ browsing habits once working from home,” it concluded.

Things haven’t changed since then, noted Ellis. “The uptick we saw as much of the world shifted to working remotely from home has remained consistent in the months since.”

The dangers of WFH “aren’t necessarily structurally different, but instead may represent a shift in the weighting of attacks,” he explained. For example, phishing attacks have always existed, but now “there is more phishing and, at the same time, one of the underrated defenses against phishing — asking your colleague if an email looks weird — is no longer available.”

Further, many antiphishing solutions are reactive, looking for known attack types, rather than adaptively identifying changing attacks, or taking a structural approach by eliminating the ways an adversary might exploit a successful phishing attack, according to Ellis.

Added Threats From Mobile Devices

“Implementing proper security to ensure a secure WFH environment requires an investment that’s expensive and represents new dollars that were never included in any budget up to now,” Matias Katz, CEO of Byos, told TechNewsWorld.

“On top of that, a lot of companies are still in denial and think that this will be over soon; and therefore are reluctant to make an investment.”

WFH is here to stay, Katz said “Companies need to realize that, no matter what, they will have to reinforce their infrastructure to stay secure in the new era.”

Companies are increasingly letting WFH employees use their own mobile devices, and this contributes to the problem.

Nearly 70 percent of the 303 IT professionals who responded to a June survey conducted by cloud security company Bitglass said their companies let employees use personal devices to perform their work, and some said their companies let contractors, partners, customers and supplies bring their own devices.

However, they are not taking the proper steps to protect corporate data — about half the respondents said their organizations have no visibility into file sharing apps, for example. Unauthorized access to data and systems and malware infections were the main security concerns for about half the respondents.

IT Departments Spread Thin

The rapid transition to WFH may have shifted priorities for many businesses, according to Malwarebytes Labs’ Ruiz. “That might mean, first, ensuring that a business could remain successful, and, second, ensuring that it could safely remain successful.”

In other words, make sure first the business remains up and running, then deal with security issues.

A shortage of IT staff might be another cause. Layoffs are widespread because of the pandemic, and some of those laid off might have been IT and cybersecurity security staff.

Another reason could be that, these days, many companies do not have dedicated IT staff onsite, and most remote IT staff are almost always overworked, Ruiz suggested. “There simply may not be time to build and deploy an online training course for all the employees to take.”

The stress on IT workers, whose departments are understaffed and underfunded, has increased with the pandemic, and this might contribute to both the inadequacy of cybersecurity precautions taken and the failure to recognize whether or not those precautions are adequate.

“During this pandemic, security teams are working harder than ever and in isolation,” Point3 Security’s Messdaghi pointed out, adding that C-suite executives should invest in those teams’ mental health.

IT staff were already highly stressed before the pandemic — the impact of stress on mental health doubled in 2020, according to a report from Nominet UK, the .uk domain name registry in the UK.

Nominet interviewed 800 chief information security officers and C-suite executives on the challenges of the CISO’s role. The respondents, evenly divided between the UK and the United States, worked at companies with at least 3,000 employees across a range of public and private sectors.

The report, published in February, said that 88 percent of CISOs remain moderately or tremendously stressed; and 48 percent of the respondents said this affects their mental health — double the number for the previous year. The stress impacts their relationships with partners and children, as well as their ability to execute their role and results in burnout. The average tenure of a CISO is just 26 months.

The C-suite respondents agreed CISOs are working extra hours, but 97 percent of them believe the security team could improve on delivering value for money based on their budget.

Preventing Security Hubris

“A good exercise to demonstrate the full reach of security hubris is to ask yourself, on a scale from 1 to 10, how cybersecure are you?” Ruiz suggested. “Now, ask yourself some other questions:

– Are you connecting to a home router that still uses its default password?

– Are you reusing passwords on some accounts in your home?

– Has your company required the use of a VPN to access company resources?

– Do you click links in emails from new contacts, or do you click links in texts? What about if that link is supposedly from FedEx, and you did, after all, just order something online?”

These type of questions “will chip away at most people’s own security evaluation after a while,” Ruiz said.

“No one is trying to be wrong, but it’s difficult to keep track of all the ways we should be right.”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.

1 Comment

  • These days cyber threats are at peak. Therefore, it is quite essential to subscribe to a VPN for chrome to protect your browser data through 256-bit AES encryption and access restricted content directly from the browser.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in IT Leadership

Technewsworld Channels