• United States



Mary K. Pratt
Contributing writer

Economic pressures are increasing cybersecurity risks; a recession would amp them up more

Feb 28, 20238 mins
Business IT AlignmentData and Information SecurityRisk Management

Insider threats and the rate of successful attacks coupled with corporate cost-cutting efforts have historically hurt cybersecurity programs — and would likely do so again.

Predictions on whether or when the global economy will fall into a recession continue to swirl. Even if one doesn’t hit anytime soon, economic volatility, more cautious corporate spending plans, and employee layoffs are already in play. For security chiefs, such news portends a tougher road ahead.

CISOs have never had an easy time — they’ve certainly faced inordinate challenges in recent years working to secure an ever-expanding and more distributed technology and data landscape. At the same time, they’ve had to contend with bad actors who have become more organized, better resourced, and increasingly sophisticated. Yet history has shown that a poor economy can bring on additional challenges and risks, making an already uphill battle even more difficult and security leaders should be bracing for that scenario ahead.

“There are heightened risks and hackers know how to take advantage of that,” says Matt Miller, principal of cybersecurity services at professional services firm KPMG.

Downturns historically see increasing attacks

Some historical statistics give a sense of what could be in store. Law enforcement around the world reported a staggering spike in cybercrimes during the COVID-19 pandemic and the subsequent economic freefall, with INTERPOL Secretary General Jürgen Stock raising the alarm in a 2020 report saying “Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”

Going back further, FBI figures from the start of the Great Recession also show a spike upward as the economy tanked. The FBI’s Internet Crime Complaint Center (IC3) logged 336,655 online crime complaints in 2009, up 22.3% from 2008. With such past trends in mind, some are issuing warnings about what could happen in the future. “Hackers are going to take advantage of any time we have a porous attack surface,” says Karen Worstell, senior cybersecurity strategist and CxO security advisor for VMware.

In a 2022 KPMG report on tech maturity and enterprise uncertainty, Prasad Jayaraman, principal of Cyber Security Services for KPMG in the US, issues an advisory about the increasing risks, saying: “From the Russian invasion of Ukraine to general COVID-19 disruption to widespread economic uncertainty, volatility — and therefore cyber risk and insecurity — has increased at the global level. Organizations have seen an increase in threats from bad actors in rogue states at a scale and complexity that can only happen through state sponsorship.”

Meanwhile, the World Economic Forum’s 2023 global cybersecurity outlook found that 93% of cyber leaders and 86% of business leaders think it is “moderately likely” or “very likely” that global geopolitical instability will lead to a far-reaching, catastrophic cyber event in the next two years. And 80% of business executives responding to a February 2023 report on the cybersecurity workforce during a recession from certification association (ISC)² said they believe a weakening economy will increase cyber threats.

The economy and security risks

Economic volatility creates a confluence of factors that can increase security risks while at the same time negatively impact defenses, according to security experts. “Do more attacks happen during a recession and difficult economic times? The short answer is yes. And the reasons why are complex,” says Sérgio Tenreiro de Magalhães, chair of cybersecurity programs at Champlain College Online.

To start with, organizations themselves may be increasing risks with their responses to economic pressures. Surveys have found CEOs globally are looking to contain costs and reduce discretionary spending which can lead to spending that is flat or failing to keep pace with inflation.

Underfunding a department can have a cascading impact: business unit workers have less time for security training and are more likely to take shortcuts to get work done. Forced to do more with less, IT may stretch the life of legacy systems even longer and require more time to implement critical patches.

Similarly, security teams may have less to invest in new technologies that could speed detection and response (which is already high, a 2022 IBM report on the cost of breaches found that it took organizations on average 207 days to identify a breach and another 70 days to contain it). “You already probably didn’t have enough budget or enough people, so you’re really forcing yourself to do more with less again than you did in years past, and that’s a real challenge,” says Forrester analyst Jeff Pollard.

Layoffs heighten security risks

Risk is typically heightened further by layoffs, and more of those are likely coming to the industry, according to the (ISC)² report, which found that 85% of responding executives believed layoffs will be necessary as the economy slows. “We know that layoffs or job losses are a predictor of insider risks, making it more likely for security events to occur. We have seen over the years that this has happened,” Pollard says.

Pollard and others say layoffs usually increase insider incidents, which already account for 20% of global data breaches, according to Verizon’s 2022 Data Breach Report for several reasons. Laid-off workers — particularly those who work remotely at least part of the time, a number that has jumped significantly — may have corporate data on personal devices. And much of that data will likely remain with them on their devices if they get pink slips. “During the pandemic, data went to a lot of places. So, you’ve got this data distribution, and you have that data on devices you might not control,” Pollard says.

At the same time, laid-off workers may be motivated by anger or their personal financial situations to strike back at their former employers. Even some remaining employees, who saw colleagues dismissed, may be motivated to take action. Furthermore, the damage they can inflict — either on their own or by selling information or access to a hacker group — can be significant, says Pete Nicoletti, field CISO for the Americas at Check Point Software. “If you want to sell out, you’re going to be able to sell out. It used to be hard, now it’s easy. In the past, you could take what you could carry in your briefcase. Today you can carry out terabytes. And if you’re in networking or [another technical role] with active directory access, you can do all kinds of crazy things,” he says.

Attacks are already at an all-time high

These dynamics come on top of an already record-high number of attacks. According to Check Point Research, the “global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization.” It also found that global cyberattacks increased by 38% in 2022, compared to 2021. “If we believe that layoffs and economic downturns increase insider threats, it would seem sensible that we would see an increase in hacker activity, too,” says (ISC)² CEO Clar Rosso.

Despite expectations of heightened risk should the economy sputter, Rosso points to some hopeful signs for CISOs. She notes that the (ISC)² study of C-suite business leaders showed that executives aren’t inclined to cut cybersecurity staff. The study found that only “10% of respondents foresee reductions in cybersecurity teams, compared to an average of 20% in other areas.”

The study further found that “once staff reductions are complete and organizations get ready to rehire personnel, cybersecurity workers are at the top of the list for re-investment.” However, CISOs shouldn’t rely on such encouraging reports to navigate the current economic uncertainty or any future economic volatility. Worstell says CISOs should instead double down on security strategy fundamentals: strengthen detection and response programs as well as patching programs, increasing training and awareness efforts, and shedding technical debt.

“The difference between good security and outstanding security is ‘done’ and ‘done done,’ meaning it is tested and validated and proved. It means we have the evidence of it being done. It’s the difference between kind of locked down and proving it’s locked down,” Worstell explains.

Prioritize based on current risk

From there, she advises CISOs to ensure they’re prioritizing based on the organization’s current risks, updating the security strategy based on any changes that the enterprise has to make in response to the economy. And focus on account management and access control, ensuring appropriate levels of access and that access exists only for current authorized employees.

Security leaders say CISOs should also lean into the high level of support for cybersecurity that the (ISC)² report indicates, by being ready to communicate the value that security delivers and devising security strategies that enable both the organization’s overall agenda as well as the plans devised by individual departments.

“That ability to communicate well,” Rosso adds, “will go really far in helping preserve the resources needed during an economic downturn.”