The Impact of Recession on Cybersecurity Programs – Beware of the trap game.

Fox Rothschild LLP

Make no mistake: we’re in a recessionary cycle. We can stay out of the politics and the debate over predicting the exact cause, effect, size, and timeline of the recession. Debate or no debate, we’re already seeing businesses fall back to a more conservative approach to spending across the board. I know businesses and consumers are concerned, because one of the top questions I’ve been asked over the past few months is “How do you think the recession will impact cybersecurity?”

Of course, the answer depends on who is asking. If the question comes from a cybersecurity student or someone breaking into the cybersecurity workforce, the answer is different than if it comes from a business leader. For this discussion, let’s stay focused on business leadership and those building out cybersecurity strategies.

To help with the answer, I posed the question to a colleague at the Fox Rothschild law firm. I reached out to Mark McCreary who specializes in cybersecurity law and is the firm’s Co-Chair of the Privacy & Data Security Practice. Mark hit on six key concerns:

  • Budgets will contract for information security product/solution purchases and upgrades
  • Hiring will slow or stop; attrition will not be replaced
  • Employees become more of an insider threat; we’re already seeing Dark Web offerings for credentials and data theft
  • Criminal activity, including as-a-service attacks, will escalate
  • Nation state activity will likely increase
  • Innovation will slow as security vendors lose funds/investments for research and development, some even going out of business or never coming to market

Based on my experience in cybersecurity through the last recession, I believe Mark is spot on. Let’s take a moment to dive into each of these key bullets.

Cuts in IT/IS Spending.

We’re already seeing companies move to a more conservative spending posture in preparation for a continued economic downturn. For many companies, cybersecurity is viewed as a line-item expense, often lumped into, or attached to, the overall information technology budget. During the 2007-2009 recession, companies cut traditional cybersecurity spending on tasks such as scheduled network-layer technology refreshes and new solution acquisition. Given the speed at which cyber threats develop and grow more sophisticated, if that action is repeated in 2023, the consequences will be costly. When technology (both hardware and software) isn’t refreshed, it is pushed past its operational limits or runs past end-of-life and outside vendor support. Simply put, performance will degrade, and the technology will not provide the security needed. It will still operate, but the risk will grow as it ages.

As for new technologies, a cut in spending has a dual effect. First, companies won’t be able to leverage the newest technologies designed specifically to address the newest threat techniques. Second, many new technologies will never survive long enough to make an impact.

Reduction in Hiring.

Currently, there is a very large gap in cybersecurity between open job postings and the qualified candidates available to fill them. One could argue that recession-driven hiring freezes would allow the talent pool to catch up with hiring demand. In a simple one-to-one cause-and-effect model, that would be the case. Unfortunately, demand for cybersecurity talent is elevated by threats, complexity, and opportunity, all of which will increase if we pause our hiring strategies. When we also cut our training programs, the challenge only grows. Right now, we’re struggling to find and train the staff necessary to protect our businesses from today’s cyber threats. Now add an opportunistic escalation of activity by bad actors who know exactly where you’ve cut spending: staff and training.

The Insider Threat.

According to the recent Verizon 2022 Data Breach Investigations Report, 82% of breaches involved the human element. Zero trust frameworks, better awareness training, and other cybersecurity solutions have begun to have a positive impact on the insider threat. But remember that recessions result in budget freezes, and we’ve established that companies are already evaluating their 2023 cybersecurity spend. It’s important to accept that an economic crisis not only puts pressure on corporate budgets, it also affects all of us personally. That economic pressure will push ordinary, law-abiding, loyal people to do things they wouldn’t normally consider. Imagine you’re a father of four. Your wife was just laid off as a result of spending cuts, and you’ve just heard that you may be next. At that moment you’re contacted by a bad actor who offers you $25,000 (it could be $30k, $50k, etc.; what is the magic number?) to give them credentialed access for 24 hours. What would you do? What is your price? You may not have a price, but that’s easy to say when you’re not facing the loss of your house, car, savings, etc.

According to a recent article on CyberTalk.org (“For $4M, hackers buy access to corporate networks; possibly yours”), in Q3 of 2022 the credentialed access broker market accounted for 576 initial access offerings, totaling more than $4 million in retail value (an increase of almost 6 times over Q2 of 2022). The average listed price was $2,800 per credentialed access point. Remember, the bad actor or credentialed access broker will sell an access point multiple times, usually after the initial bad actor has already exploited the access.

In addition to manipulation of the human element within your environment, many companies already have a bad actor operating inside their network. In some cases, that entity is actively funneling valuable data or activity out without any corporate awareness, or is selling the access point to other bad actors. In other cases, it sits dormant, waiting for the “right time” to activate. Most of the time, those bad actors are bots or software (malware) navigating your network in an automated manner, searching for the most opportunistic moment.

Cybercrime-as-a-Service.

Cybercrime is a business, often sponsored by nation states, and during economic change, business is very good. As with traditional criminal activity, economic hardship is fertile ground to be exploited. Unlike traditional criminals, cyber criminals are largely faceless; they operate behind a veil of cyber-anonymity. They often use the same tools and techniques to break legitimate business that are used to protect legitimate business. Software-as-a-service (SaaS), machine learning (ML), artificial intelligence (AI), and other innovations are all used by today’s bad actors. After all, cybercrime is a business, and its one job is to break your business. Cybercrime is their widget. Where a legitimate business invests in innovation around its widget, Cybercrime Inc. invests in innovation around its product: cybercrime. In many cases, their innovation budgets rival the best legitimate corporate innovation spend.

If you feel you’re too small to be hacked, think again. Much of the “hacking” is done with automated tools. That means you’re not too small; they just haven’t gotten to you YET.

Nation State Activity.

This is nothing new. As the war in Ukraine has shown, nation state sponsored cyber-attacks increase in direct relation to moments of aggression or weakness. In an economic recession, any weakness will be exploited by nations seeking to further destabilize economic and operational infrastructure. The private sector will see an increase in nation state sponsored attacks because the private sector is the lifeblood of the federal economic engine. This is a foundational warfare strategy: if you destabilize the private sector (people and business), the government will fall.

Innovation, Research, and Development.

In short, recessions tend to slow the investment engine that drives innovation. It is an economic circle. When companies are forced to do more with less because of financial challenges, they typically don’t spend money “experimenting” with new solutions. If adoption of new solutions slows, investors stop investing in new solution development. Without funding for new ideas, those ideas never become new solutions. A slowdown in cybersecurity innovation will result in more aggressive threat activity. Given that the threat actor’s business is to break your business, a recession will bolster their resolve to increase profits by exploiting the gaps left when new solution development and implementation stall.

Last word: Staying ahead of the BOOM.

Being protected from a cyber-attack and staying ahead of the BOOM (the BOOM being an active cyber event, incident, or breach) is the goal. With cybersecurity no longer a siloed function, every business decision we make exposes us to cyber risk. And it’s inevitable: recession-related cuts in cybersecurity spending mean we’ll be forced to do more with less. We’re going to have to bet more on the things that keep us well ahead of the BOOM and not rely on the luxury statements we make when the economy is strong: “I’m not important enough to be at risk,” “it hasn’t happened to me,” and “I’m in compliance.”

This article is co-authored by Chad F. Walter, CRO at Paperclip Inc.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising