Close to 40% of security professionals either know, or have known, a legitimate security practitioner who has participated at some point in black hat activities.
A recent study on the cost of cybercrime to organizations delved into growing concerns about the gray hat hacker -- a security professional who participates in black hat activities. Researchers found that 12% of the security professionals surveyed have considered black hat activities, and 22% have been approached about taking part in them. In some cases, legitimate security professionals have shifted completely to the "dark side" and become black hat hackers.
Osterman Research Inc. surveyed 900 security professionals in five countries -- the United States, the United Kingdom, Germany, Australia and Singapore -- during May and June of this year. The security professionals surveyed worked for organizations in a range of industries, including financial services/insurance, 10%; manufacturing, 10%; retail, 9%; technology, 9%; and healthcare, 9%. The perceived percentage of gray hat hackers increased with the size of the organization, from 2.8% of IT security professionals at small businesses to 4.2% for midsize companies and 5.7% at large entities. "Midsize organizations (500 to 999 employees) are getting squeezed the hardest, and this is where the skills shortage, and the allure of becoming a gray hat, may be greatest," according to researchers. Survey data indicated that midmarket companies faced roughly the same level of major security events in 2017 as larger enterprises, 0.9 and 1.0, but lacked the security infrastructure found at big organizations.
Unfortunately, the research showed that black hat activity among security professionals is not uncommon. According to the survey, 41% of security professionals either know or have known a legitimate security practitioner who is a gray hat hacker or who has participated in black hat activities. About half of the survey respondents in the United States (51%) admitted some awareness of a colleague who was a gray hat hacker, compared to 26% in Germany. The top reason for this shift: Black hats are perceived to earn more money than security professionals, according to 63% of those surveyed.
However, financial gain is not the only reason, the researchers noted. While 47% of survey respondents agreed that "it's easy to get into cybercrime without getting caught," half believed that gray hat hackers are drawn to black hat activities based on "the challenges that it offers." Moreover, 11% of organizations globally have hired a black hat hacker for consulting purposes.
The global report, "White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime," based on surveys conducted by Osterman Research, and sponsored by Malwarebytes, can be found here.