It’s time to stop hoping that cybersecurity problems will just go away

Businesses are reluctant to admit cybersecurity weaknesses because they fear reputational damage – but by choosing to hide their heads in the sand and ignore security vulnerabilities, they risking more significant damage to their brand if they do get hacked.

Analysis by cybersecurity and bug bounty company HackerOne suggests that almost two-thirds of organisations maintain a culture of cybersecurity through obscurity, hoping that weaknesses and vulnerabilities will remain undetected or simply won’t causes issues. 

But by choosing to ignore vulnerabilities, organisations are leaving themselves open to cyberattacks and other security issues.

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

Unpatched security vulnerabilities are one of the most common weaknesses exploited by cyber criminals to successfully hack networks and software. Even patches for critical vulnerabilities are not applied by many, sometimes for years, giving hackers an easy way in for as long as the updates haven’t been rolled out.

Many organisations aren’t taking security seriously because boardrooms view it as a hindrance – according to the research, two-thirds of security professionals have been told that taking care of cybersecurity is viewed as stifling to innovation. 

However, if employees aren’t aware of cybersecurity risks and don’t have appropriate measures put in place to maintain security, there’s the risk they could circumvent best cybersecurity practices.

For example, if employees think that having to log in to enterprise software suites and use the approved collaboration tools is less effective and more time consuming than using a personal email address for sharing sensitive information, they could inadvertently expose sensitive data.

Almost two-thirds of cybersecurity professionals surveyed say that their organisation has suffered a security breach as a result of staff side-stepping cybersecurity measures, while just a quarter said they’re very confident that staff are following cybersecurity best practices. 

The report also warns that developers are often pressured to release insecure products, putting organisations that use potentially vulnerable software at risk of being compromised. 

According to HackerOne, it’s vital for organisations to commit to more transparency around cybersecurity. “Security could be the difference between winning business and losing it,” Marten Mickos, CEO of HackerOne, told ZDNet. 

Even if organisations do fall victim to a cyberattack, being transparent about what happened can help improve the reputation of the company. Mickos cites Norsk Hydro, which fell victim to a ransomware attack and was transparent about the entire recovery process as an example of this situation. 

“The organisation took the responsibility to ensure frequent and candid communications with customers and the wider public, to keep everyone updated on how events were unfolding,” he said. 

“Not only did Norsk Hydro maintain customer trust by being transparent about what was happening, the organisation also had the power of exposing key information on the tactics being used by cyber criminals, which is beneficial to the wider industry and other organisations facing growing cyber risks,” Mickos added. 

MORE ON CYBERSECURITY

• Bosses are reluctant to spend money on cybersecurity. Then they get hacked
• Want to boost your cybersecurity? Here are 10 steps to improve your defences now
• Cybersecurity: Many managers just don’t want to understand the risks
• Bosses think that security is taken care of: CISOs aren’t so sure
• Cybersecurity jobs: This is what we’re getting wrong when hiring – and here’s how to fix it