Companies are reluctant to admit cybersecurity weaknesses because they fear reputational damage – but by choosing to bury their heads in the sand and ignore security vulnerabilities, they risk doing greater damage to their brand if they get hacked.
Analysis from cybersecurity and bug bounty firm HackerOne suggests that almost two-thirds of organizations maintain a culture of security through obscurity, hoping that weaknesses and vulnerabilities will go undetected or simply not cause problems.
But by choosing to ignore vulnerabilities, organizations open themselves up to cyberattacks and other security issues.
Unpatched security vulnerabilities are one of the most common weaknesses exploited by cybercriminals to successfully hack networks and software. Even patches for critical vulnerabilities go unapplied by many organizations, sometimes for years, giving attackers an easy way in until the updates are finally rolled out.
Many organizations don't take security seriously because boards see it as a barrier: according to HackerOne's research, two-thirds of security professionals have been told that supporting cybersecurity is seen as a brake on innovation.
But if employees are unaware of cybersecurity risks, or do not have appropriate tools and processes in place to work securely, they are likely to circumvent cybersecurity best practices.
For example, if employees believe that having to log into corporate software suites and use approved collaboration tools is slower and less efficient than using a personal email address to share sensitive information, they might inadvertently expose that sensitive data.
Nearly two-thirds of cybersecurity professionals surveyed say their organization suffered a security breach as a result of staff not following cybersecurity measures, while only a quarter said they were very confident that staff followed cybersecurity best practices.
The report also warns that developers are often pressured to release insecure products, which puts organizations using potentially vulnerable software at risk of being compromised.
According to HackerOne, it’s vital for organizations to commit to more transparency around cybersecurity. “Security could be the difference between winning business and losing it,” HackerOne CEO Marten Mickos told ZDNet.
Even if organizations fall victim to a cyberattack, transparency about what happened can help improve a company's reputation. As an example, Mickos cites Norsk Hydro, which suffered a ransomware attack and was transparent about the entire recovery process.
“The organization has taken responsibility for ensuring frequent and candid communications with customers and the general public, keeping everyone informed as events unfold,” he said.
“Not only did Norsk Hydro maintain customer trust by being transparent about what was going on, but the organization also had the power to expose key information about the tactics cybercriminals used, which is beneficial for all industry and other organizations facing increasing cyber risks,” Mickos added.