Cybercriminals Are Winning: Even Security Professionals Admit to Paying Ransom and Bypassing Corporate Security

Bromium research finds humans continue to be the biggest threat to cyber security

CUPERTINO, CA--(Marketwired - May 09, 2017) - Bromium®, Inc., the pioneer and leader in virtualization-based enterprise security that stops advanced malware attacks, today released new research conducted at the RSA Conference (RSAC) 2017 that found security professionals admit to knowingly circumventing security protocols and hiding discovered breaches. The survey findings were so surprising that Bromium surveyed a subsequent group of security professionals in the U.S. and U.K. and the results were consistent.

Here's what the survey found:

  • On average, 10 percent of security professionals admitted to paying a ransom or hiding a breach without alerting their team (5 percent at RSA, 15 percent in extended study). For context, there were 638 million ransomware attacks in 2016, suggesting that tens of millions of these attacks are potentially not being disclosed.
  • On average, 35 percent of security professionals admitted to going around, turning off or bypassing their corporate security settings (38 percent at RSA, 32 percent in extended study of U.S. and U.K. security professionals).

"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," said Simon Crosby, co-founder and CTO of Bromium. "Security professionals go to great lengths to protect their companies, but to learn that their decisions don't protect the business is frankly rather shocking. To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cyber security. It's one reason we pursued virtualization-based security: it takes the burden off the end-user and ensures IT and security teams protect their business assets and data."

When it comes to cyber security, there are really two ways to make it happen: top down with typically strict limits on end-user behavior or, distributed control with more end-user involvement. In the first case, employees are limited in what they can do which can hinder business innovation. In the latter case, employees can choose to turn off security and put the business at tremendous risk. Either way, it's a lose-lose situation when considered through the enterprise security lens.

"With application isolation and hardware-enforced containment, I don't have to worry about what people click on. They are free to click on anything because applications, files and web browsing sessions are isolated and therefore protected. And when they're done with the task, if they were exposed to malware or ransomware, it goes away and they go about their day," explains Paul Hershberger, Director, IT Global Security and Compliance, Risk and Compliance at The Mosaic Company.

View the infographic about the study and find out more about Bromium Secure Platform.


The Bromium survey had a sample of 210 security professionals. Fieldwork was conducted through an online survey at RSAC 2017 in February 2017 with 110 respondents as well as with additional security professionals in the U.S. and U.K. in March 2017 with 100 respondents.

About Bromium, Inc.

Bromium converts an enterprise's largest liability, endpoints and servers, into its best defense. Our patented hardware-enforced containerization is combined with a distributed machine learning Sensor Network to protect across all major threat vectors and attack types. Bromium automatically learns and adapts to new attacks and instantly shares threat intelligence to eliminate the impact of malware. Learn more at

Image Available:

Contact Information:

Clinton Karr
Sr. PR Manager
O 408.514.5962

Infographic: Security Professionals Are Bypassing Security