The Impact of Recession on Cyber Security Programs – Beware of the Trap Game. | Fox Rothschild LLP
There is no mistake, we are in a recessionary cycle. We can stay out of the politics and debate associated with predicting the exact cause, impact, size and timeline of the recession. Debate or no debate, we’re already seeing companies fall back to a more conservative approach to spending across the board. I know businesses and consumers are concerned because one of the most common questions asked in recent months is “How do you think the recession will affect cybersecurity?”
The answer is of course relevant to the individual who asks the question. If the question comes from a cybersecurity student or someone breaking into the cybersecurity workforce, the answer is different than if it comes from a business executive. For this discussion, let’s keep the focus on corporate leadership and those building cybersecurity strategies.
To help with the answer, I put the question to a colleague at the Fox Rothschild law firm. I reached out to Mark McCreary who specializes in cybersecurity law and is co-chair of the firm’s privacy and data security practice. Mark hit on six key concerns:
- Budgets will contract for the purchase of information security products/solutions and upgrades
- Hiring will slow or stop, and staff lost to attrition will not be replaced
- Employees become more of an insider threat; already seeing Dark Web offers for credentials and data theft
- Criminal activity, including as-a-service attacks, will escalate
- Nation-state activity will probably increase
- Innovation will slow as security vendors lose funding/investment for R&D; some will even go out of business or never come to market
Based on my experience in cyber security through the last recession, I think Mark is perfect. Let’s take a moment to dive into each of these key bullet points.
Cuts in IT/IS spending.
We are already seeing companies move to a more conservative spending position in preparation for continued economic decline. For many companies, cybersecurity is viewed as a line item expense, often lumped into or tied to their overall information technology budget. During the 2007-2009 recession, companies cut traditional cybersecurity spending related to tasks such as planned network-layer technology updates and acquisition of new solutions. Given the speed of development and sophistication of cyber threats, if this action is repeated in 2023, the consequences will be costly. When technology (both hardware and software) is not updated, it is pushed past its operational limitations or beyond its end-of-life and support parameters. Simply put, performance will degrade and the technology will not provide the necessary security. It will still work, but the risk will grow as it ages.
When it comes to new technology, a cut in spending will have a double effect. The first is that companies will not be able to leverage the latest technologies designed specifically to deal with the latest threat techniques. The other is that many new technologies will never survive long enough to have an impact.
Reduction in employment.
Currently, there is a very large gap in cybersecurity between open job postings and qualified candidates to fill those openings. One could argue that recession-based hiring freezes would allow the talent pool to catch up with hiring needs. In a simple one-to-one cause-and-effect theory, that would be the case. Unfortunately, the demand for cybersecurity talent is elevated by the threats, the complexity, and the opportunities, and all of these will increase if we pause our hiring strategies. Add to that the cuts to our training programs, and the challenge will only grow. Right now, we are struggling to find and train the staff needed to protect our businesses from today’s cyber threats. Now add an opportunistic escalation of activity from bad actors who know where you’ve cut spending: employees and training.
The insider threat.
According to the recent Verizon 2022 Data Breach Investigations Report, 82% of breaches involved the human element. Zero trust frameworks, better awareness training and other cybersecurity solutions have started to have a positive impact on the insider threat. But remember that recessions result in budget freezes, and we’ve established that companies are already evaluating 2023 spending on cybersecurity. It is important to accept that an economic crisis not only puts pressure on company budgets, but also affects us all personally. Economic pressure will push ordinary, law-abiding, loyal people to do things they would not normally consider. Imagine you are a father of four. Your wife was just laid off as a result of spending cuts, and you’ve just heard that you might be next. At that moment you are contacted by a bad actor who offers you $25,000 (could be $30k, $50k, etc… What’s the magic number?) to give them your credentials for 24 hours. What would you do? What is your price? You may not have a price, but that is easy to say when you’re not facing the loss of your house, car, savings, etc…
According to a recent article on CyberTalk.org (For $4 million, hackers buy access to corporate networks; possibly yours – CyberTalk), in the third quarter of 2022 the market for credentialed access brokers accounted for 576 initial access offers, totaling more than $4 million in retail value (an increase of almost 6 times compared to the second quarter of 2022). The average list price was $2,800 per authenticated access point. Remember that a bad actor or credentialed access broker will sell an access point multiple times, usually after the first bad actor has exploited the access.
Beyond the manipulation of the human element in your environment, many companies already have a bad actor operating in their network. In some cases, this entity actively exploits valuable data or activities without any corporate awareness, or sells the access point to other bad actors. In other cases, it is dormant and just waiting for the “right time” to be activated. Most of the time, the bad actors are bots or software (malware) that navigate your network in an automated fashion, searching for the most opportune moment.
Cybercrime is a business, often sponsored by nation-states, and during periods of economic change that business is very good. As with traditional criminal activity, economic hardship is fertile ground for exploitation. Unlike traditional criminals, cybercriminals are largely faceless; they operate behind a veil of cyber anonymity. They often use the same tools and techniques to breach legitimate businesses that are used to protect them. Software-as-a-service (SaaS), machine learning (ML), artificial intelligence (AI) and other innovations are being used by today’s bad actors. After all, cybercrime is a business, and its only job is to destroy your business. Cybercrime is their widget. Just as legitimate businesses invest in innovation around their widget, Cybercrime Inc. invests in innovation around its product, cybercrime. In many cases, their innovation budgets rival those of the best legitimate enterprises.
If you feel you’re too small to be hacked, think again. Much of the “hacking” is done using automated tools. This means you’re not too small; they just haven’t gotten to you YET.
Nation-state activity.
This is nothing new. As the war in Ukraine has exemplified, nation-state-sponsored cyberattacks increase in direct relation to moments of aggression or weakness. In the event of an economic recession, any weakness will be exploited by nations seeking to further destabilize economic and operational infrastructure. The private sector will see an increase in nation-state sponsored attacks because the private sector is the lifeblood of the federal economic engine. This is basic warfare strategy: if you destabilize the private sector (people and business), the government will fall.
Innovation, research and development.
In short, recessions tend to slow down the investment engine that drives innovation. This is an economic cycle. When companies are forced to do more with less due to financial challenges, they usually do not spend money to “experiment” with new solutions. If the adoption of new solutions slows down, investors stop investing in the development of new solutions. Without funding for new ideas, those ideas never become new solutions. A decline in cybersecurity innovation will result in more aggressive threat activity. Given that the threat actor’s business is to break your business, a recession will strengthen their will to increase profits by exploiting the gaps left open as new solution development and implementation slow down.
Last word: stay ahead of the BOOM.
Being protected against a cyber attack and staying ahead of BOOM (BOOM is an active cyber incident or intrusion) is the goal. Since cybersecurity is no longer a separate approach, every business decision we make exposes us to cyber risk. And it’s inevitable: recession-related cuts in cybersecurity spending mean we’re being forced to do more with less. We need to focus more on the things that keep us well ahead of the BOOM and not on the luxury statements we make when our economy is strong: “I’m not important enough to be in danger”, “it hasn’t happened to me” and “I am in compliance.”
This article was co-authored by Chad F. Walter, CRO at Paperclip Inc.