Most Orgs Would Take Security Bugs Over Ethical Hacking Help

A new survey suggests that security is becoming more important for enterprises, but they’re still falling back on old “security by obscurity” ways.

Enterprises are putting greater stock in cybersecurity, but outdated “security by obscurity” is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.

That’s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they “want to be seen as infallible.” However, just as many – 64 percent – said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.

Struggling with Security Awareness

When it comes to what’s actually happening on the ground inside organizations, 57 percent of respondents in the report – “The Corporate Security Trap: Shifting Security Culture from Secrecy to Transparency” – said that they struggle to create a culture of cybersecurity, and only 26 percent are “very confident” that staff are following security practices.

Worse, only 12 percent of departments outside of security and IT make cyber-awareness and training a core focus, according to the survey.


And that’s translating to trouble: About 63 percent said they’ve had a security breach as a result of staff sidestepping security measures.

Some of the issues come from the top: Only 29 percent of boards are “deeply involved” in cybersecurity strategy, and 65 percent of respondents said the message that security slows innovation is telegraphed to them.

Meanwhile, 63 percent of organizations said that they believe that cybersecurity is “as important as cost when choosing a supplier,” and 62 percent of organizations “would take their business elsewhere if a supplier suffered a data breach.”

The Problem with Secrecy

Thus, perhaps it’s no wonder that 38 percent of respondents agreed that their organizations “aren’t open about their cybersecurity practices.”

But according to the authors of the report, this kind of approach is harmful, because “by not admitting weaknesses and asking for help fixing them, organizations risk far more significant damage to their brand should a vulnerability be exploited.”

“Sunshine is the best medicine,” wrote HackerOne CTO and co-founder Alex Rice, in the report. “Shining a light on the work to be done is the only way to win. We must stop asking security teams to toil away in obscurity.”

The report suggested a few general changes organizations can make, like reporting breaches to stakeholders and publishing reports outlining the security measures that companies have in place. Another practical fix to a closed security culture would be putting in place Vulnerability Disclosure Policies (VDPs), bug-bounty programs and regular pentests that get third-party researchers involved.

However, third-party vulnerability reporting comes with its own complications.

The Controversy Around Bug Bounties

Major corporations like Google and Intel pay out thousands of dollars at a time – even millions of dollars every year – in bug-bounty programs. With the financial incentive to do so, outside researchers and friendly hackers help companies find zero-day vulnerabilities early, before the bad guys do.

However, this new survey data shows that not everyone is on board, suggesting that not all security professionals are open to outside scrutiny. A full 67 percent of respondents said that they “would rather accept software vulnerabilities than work with hackers.”

And the hesitancy goes both ways. Ethical hackers are often dissuaded from reporting vulnerabilities to vendors, because they’re so often ignored or outright attacked for doing so. In October, for example, the governor of Missouri launched a criminal investigation against a journalist who reported that the state’s website was exposing hundreds of thousands of Social Security numbers on the web.

It’s no surprise, then, that 50 percent of hackers “have not disclosed a bug because of a previous negative experience or lack of channels through which to report,” according to the report.

What Organizations Can Do

To establish trust and openness in corporate cybersecurity, HackerOne suggested four core tenets for corporate security responsibility. They are:

  • Encouraging industry-wide transparency to build trust and share intelligence;
  • Fostering a culture of industry-wide collaboration that gives everyone the tools to take control of reducing cyber-risk;
  • Promoting innovation by inspiring development teams to build with security in mind and bring secure products to market faster;
  • And holding oneself and suppliers accountable to following best practices to develop security as an easy point of differentiation.

The stakes are high: About 53 percent of survey respondents admitted that “they have lost customers as a result of a security breach.” Bottom line? The sooner organizations evolve to be more open and collaborative about security, the better off they – and the rest of us, by extension – will be.
