With the economy on the edge of recession, businesses and governments are looking for ways to reduce costs – and cybersecurity budgets are often among the first to be cut.
Although the high-profile cyber incidents of recent months, including breaches at the Royal Mail, the Guardian newspaper and Denmark’s central bank, cannot explicitly be linked to the struggling economy, it is clear companies of all sizes are increasingly exposed to cyber attacks.
While cutting costs is understandable in an economic downturn, organizations that reduce their cybersecurity spending leave themselves vulnerable to even the most unsophisticated threats, including extortion via ransomware attacks.
This has been a common theme in recent recessions, with cyber criminals seizing the opportunity to exploit vulnerabilities, but the risk of a breach in the downturn we are going through at present is higher because of the Covid-led remote working revolution. It means employees are more exposed than ever to cyber threats.
Almost half of UK adults worked from home at some point during the Covid-19 pandemic, according to the Office for National Statistics. While that percentage has gradually fallen as the economy has reopened over the past 18 months, a significant number of workers are taking a hybrid approach, with a mix of working from home and in the office. The ONS data shows that 38% of working adults reported having worked from home at some point over the past seven days.
Cyber budgets are under threat
The problem with this trend for cyber security teams is that some of the defenses put in place when Covid began were hastily deployed to ensure continuity with the rapid move to home working. Those defenses have in many cases failed to evolve to keep pace with the cyber criminals. This is doubly dangerous during an economic downturn, when cyber budgets are under threat.
When the pandemic hit and everyone was sent home, policies of all kinds had to be adapted so employees could continue to work and get access to secure systems and devices. In many cases, corners were cut to boost productivity. For example, many organizations removed certain types of VPN because they didn’t have enough capacity to enable secure remote access, thereby removing some of those security layers in favor of increased output.
Today, with millions still working from home for at least some part of the week, those policies that put productivity above security have in many cases yet to be updated. Cyber security professionals need to have a greater focus on the issue of mobility and how we enable the same level of protection that we had in centralized workspaces, but with a hybrid working model and the multitude of devices and geographies that come with it.
That process is made even more difficult by the prospect of a recession in the UK and sluggish growth across other major world economies. According to the International Monetary Fund, Britain's economy will shrink by 0.5% in 2023, while Germany’s will not grow at all.
Steve Forbes is Head of Cyber Product at Nominet.
Putting safeguards in place
Normally, investing in new technology and new security helps businesses to stay ahead of the cyber threat – but this is harder when companies are struggling in a recession. This means there will be more relatively unsophisticated attacks that could have been prevented with more investment. There’s only so long you can live with exposure before your vulnerabilities are exploited and companies of all sizes are suffering breaches that they could have done something about. In many cases, the attacks will be low-level and blatant – issues that should have been patched and could have been dealt with.
Why do executives and cyber teams not learn the lesson and bolster their defenses during a downturn? The reality is that it is a conscious decision about the economic survival of the company being more important. If you invest heavily in security, but the company goes bankrupt then there is no point. It is taking a risk, but it’s a risk many feel they have to take for survival. There is also an element of cyber crime becoming normalized. We think it will happen however much we prepare for it.
Whatever happens, it is important for employers to not paint employees working from home as the weakest link. For too long companies have put the blame on the employee, but going forward, they should instead work harder to ensure that attackers do not gain access to critical systems and data, just because an employee fell victim to a phishing link. There must be safeguards in place that stop potential breaches from escalating.
While employee cyber training and education is important, we must shift the focus to reducing the harm that can be done and away from placing the responsibility on employees in the event of an attack. If employees feel that their companies are doing all they can to protect them, wherever they are working from, and openly remove the stigma around reporting an incident, the business only stands to gain as it can act quicker to prevent further damage. This is more important than ever as we face up to the prospect of a recession.