Bromium, Inc., Cupertino, Calif., released new research that found security professionals admit to knowingly circumventing security protocols and hiding discovered breaches. Bromium surveyed a subsequent group of security professionals in the United States and UK.

Results include:

• On average, 10% of security professionals admitted to paying a ransom or hiding a breach without alerting their team. For context, there were 638 million ransomware attacks in 2016, suggesting that tens of millions of these attacks are potentially not being disclosed.
• On average, 35% of security professionals admitted to going around, turning off or bypassing their corporate security settings.

“While we expect employees to find workarounds to corporate security, we don’t expect it from the very people overseeing the operation,” says Simon Crosby, co-founder and CTO. “Security professionals go to great lengths to protect their companies, but to learn that their decisions don’t protect the business is frankly rather shocking. To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cyber security. It’s one reason we pursued virtualization-based security; it takes the burden off the end-user and ensures IT and security teams protect their business assets and data.”

When it comes to cyber security, there are really two ways to make it happen—top down with strict limits on end-user behavior, or distributed control with more end-user involvement. In the first case, employees are limited in what they can do, which can hinder business innovation. In the latter case, employees can choose to turn off security and put the business at tremendous risk. Either way, it’s a lose-lose situation.

The Bromium survey included a sample of 210 security professionals. Fieldwork was conducted through an online survey in February with 110 respondents as well as with additional security professionals in the United States and UK in March with 100 respondents.