The signs are ominous. Growth is slowing and wages stagnating around the world.
Indeed, experts suggest China, much of Europe and sectors of the US economy may already be in a recession. “This debate to some extent is over,” says Jonathan Garner, chief Asia strategist at Morgan Stanley. “We are in some kind of a global recession… the question is, how do we get out of it?”
Most CISOs may have other questions in mind: how bad will the impact on cybersecurity be? And can my organisation ride out the storm?
How the recession could hit cybersecurity in Australia
All the doom and gloom in the media aside, it’s possible that Australia may not enter a recession at all. The country managed to avoid the worst of the Global Financial Crisis of 2007–8, and federal treasurer Jim Chalmers has said he believes the economy will not “go backward” in the coming months. But that doesn’t mean cybersecurity in Australia will be able to escape the effects of a global downturn:
international gangs may see their numbers grow as more workers are let go by legitimate enterprises
malware, ransomware and state-linked gangs have no respect for national borders, so any country is a potential target
employees frustrated by a lack of opportunity may be more susceptible to recruitment from threat actors, or may become insider threats themselves
the rise of remote and hybrid work means these insider threats may be harder to monitor
reduced profits mean tightened budgets – and cybersecurity teams won’t be immune
Insider threats could let intruders in the back door
Employees have always been one of the biggest cybersecurity risks. One Mimecast survey revealed that 80% of respondents believe inadvertent data leaks by careless or negligent employees are putting their company at risk. And a slowdown may prompt some employees to go rogue. Research from firewall specialists Palo Alto suggests that difficult economic times could lure more insiders into cybercrime, and in the last twelve months, threat actors such as LAPSUS$ have increasingly targeted staff, offering cash for credentials via social media – LAPSUS$’s Telegram channel has over 45,000 members.
Thankfully, there are specific ways organisations can defend themselves against internal threats. Users who have been recruited by threat actors often give themselves away via unusual behaviours, such as logging in at unusual times or copying files onto removable storage, that can be detected either by staff or AI tools. Zero-trust and other privilege-based strategies can also prevent threats escalating after their initial incursion.
The threat landscape is challenging enough already
Cybercrime has been on an upswing in recent months. The Australian Cyber Security Centre (ACSC) notes that one cybercrime report was made approximately every eight minutes in 2021, with losses from Business Email Compromise (BEC) incidents rising 50% from the previous year, and ransomware attacks increasing 15%. If that trend continues in the coming months, organisations will have their work cut out – and if the economic downturn fuels more cybercrime across the board, a trend commentators spotted during the last global recession, the effects could be catastrophic.
However, the idea that cybercrime will naturally increase in a recession is disputed by some. Crime in the US actually fell during the Great Depression, while many aspects of internet fraud declined during the UK’s last recession. Both cybercrime and cybersecurity were far less established industries the last time a global downturn hit, and the truth is that no one knows for sure whether the number of incidents will multiply or not.
Given the uncertainty, budgets must hold firm
With doubt surrounding how threats could change over the coming months, it makes sense for organisations to be on their guard. But if already-stretched security budgets are slashed due to economic pressures, holding the fort will be harder than ever.
While security funding could be impacted, the signs seem hopeful. Industry insiders point to the increased prominence of cyber in the boardroom and the feeling that it has stopped being a “should have” and become a “must have” in the last few years. “I do think that cybersecurity spending will be more resilient than other areas,” says Forrester VP and analyst Jeff Pollard. “You've got to spend money on cybersecurity, because it's going to cost you deals if you don't.” That confidence comes in part from rising regulation – if large corporates suffer a breach and are found wanting, they are likely to suffer serious penalties and reputational damage.
If pressure does increase on cybersecurity teams to show the results of their funding, CISOs can make a strong case by:
showing board members metrics that speak to their priorities
scrutinising and focusing budgets
ensuring awareness training is targeted on where it is needed most
Cyber resilience is the best way to ride out turbulence
That recession will hit much of the world in the coming months seems a certainty. Its exact effect on cybersecurity in Australia is far harder to predict, partly because economic damage may be limited, but also because there’s little clear evidence that a downturn will lead to an upswing in cybercrime.
The solution? Looking again at your ability to deal with insider threats is probably wise, but the main message is to protect your budgets and concentrate on building a flexible, multi-layered cybersecurity strategy. Security won’t be turned on its head by a global recession – good cyber resilience is the best way to weather an economic downturn.