Nearly half of UK security professionals polled (46.3%) said it is easy to get into cyber crime without getting caught, according to the study report commissioned by security firm Malwarebytes, which also polled security professionals in the US, Germany, Australia and Singapore.
The main reasons security professionals go into black hat activity include the opportunity to earn more money than security professionals (53.7%), the challenge that it offers (53.1%), retaliation against an employer (39.3%), and philosophical reasons or some sort of cause (31.4%).
Another factor is that black hat activity is not perceived as being wrong by all security professionals, with 29.7% of those polled in the UK expressing this view.
In addition, some security professionals get involved in projects without necessarily being aware of the true nature of what they are working on or the impact it will have, according to Computer Weekly sources. The UK is also popular with black hat recruiters because of the good reputation of UK cyber security professionals.
The survey revealed that 40% of those polled in the UK are acquainted with someone who has participated in black hat activity, 32% admitted to being approached about participating in black hat activity and 20.6% have considered participating in black hat activity.
Respondents in the UK believe that 7.9% of their security colleagues are grey hats, well above the global average of 4.6% and most closely followed by the US (5.1%). The remaining countries were equal at 3.4%.
Underlining the financial incentives for moving towards becoming a grey hat, the survey shows the average starting salary for an entry-level security professional in the UK is the lowest among the five countries surveyed. However, the maximum security salary is nearly 3.5 times greater than the entry-level salary.
“The current skills shortage combined with a steady stream of attacks against antiquated endpoint protection methods continues to drive up costs for today’s businesses, with a seemingly larger hit to security departments of mid-market enterprises,” said Marcin Kleczynski, Malwarebytes CEO.
“On top of this, we are seeing more instances of the malicious insider causing damage to company productivity, revenue, IP and reputation,” he said.
According to Kleczynski, company leaders need to be made aware of the need for proper security financing to keep security technology up to date and to hire and reward the best and brightest security professionals.
“The report uncovers the current state of cyber criminal costs and the motivations of cyber security professionals moving to the dark side,” he said.
Cyber crime cost
The study also shows that the cost to business of cyber crime continues to rise, with organisations in the UK experiencing the highest rate of a wide range of attacks in the past 12 months.
Just over 971% of UK respondents said their organisation had fallen victim to a significant security threat, well above the global average of 72.6%, with the cost of remediation of a major security breach for a mid-sized organisation reported to be £188,000 on average when the overall security budget is just £200,000.
The survey shows that UK security budgets are expected to increase in 2018 to £220,000, but this increase of just 10% makes the UK one of the lowest countries for security budget growth, and as a result, around 17% of the budget is consumed by remediation activities alone.
The survey also shows that the UK has the highest proportion of insider threat costs of the countries surveyed. At £520,374 a year, insider threat costs exceed both on-budget costs (£199,642) and costs of major events (£101,164).
However, in all countries surveyed, insider threat costs are greater than major event costs, except for the US, where major events are the biggest cost (£572,847), compared with on-budget costs of £525,985 and insider threat costs of £332,571.