Hackers are often hired by companies to “break into” their systems and expose where the weaknesses in their security lie, so that these can be patched before someone with malicious intent does the same thing.
But even when faced with a list of vulnerabilities, three quarters of companies will patch up only the absolutely critical risks and leave everything else as is.
And therein lies the biggest frustration of hackers, professionally known as penetration testers (‘pentesters’, for short), and often referred to as ‘security consultants’.
By far, the number one pet peeve of hackers (64%) is that even when companies are handed a list of things that are broken following a penetration test, they do not fix them.
The findings of ‘The Black Report: Decoding the Minds of Hackers’, produced by Australian software company Nuix, come from interviewing 70 hackers about their habits and motivations.
The report found just 10% of companies remedied all vulnerabilities discovered in a penetration test and subsequently retested to ensure the highest levels of cybersecurity.
Disturbingly, hackers reported 5% of companies did nothing at all after penetration testing – “they were just checking boxes.”
In and out
The speed at which hackers can enter and exit IT systems without being detected is breathtaking. Almost half (49%) said they can be in and out with targeted data in 6 hours or less, and 33% said their presence is never detected by the company’s security team.
“In the first 24 hours of an attack, it is more likely an attacker will compromise your systems, find and exfiltrate your sensitive data, and leave you none the wiser that they were ever there,” stated the report.
Hackers have access to easily available tools to break into systems, with 60% claiming they use open source tools. “While pentesting and hacking require a lot of knowledge and specific skills, acquiring the tools is not a barrier to entry – anyone can get them and learn on their own how to use them.”
Additionally, the report found 63% of hackers are educated to at least college level, and 66% said their main motivation for hacking was that they enjoyed the challenge.
Only 9% said it was about the money.