In 2021, researchers recorded the exposure of around 22 billion data records. According to the 2022 Verizon Data Breach Investigation Report (DBIR), 82% of these breaches involved a human being. This cybersecurity tsunami means that organizations must take a keen interest in choosing the right solution to protect their data and IT resources. Particularly in the face of a potential global recession, careful consideration needs to be made to ensure that IT and security budgets are optimized. This places a great deal of pressure on CISOs and other security budget holders to make the best possible decisions.
Adding to this burden is the fact that cybersecurity is often intrinsically tied to world events. The exploitation of such events evidences this: as just one example, Interpol noted that during the Covid-19 pandemic and the rise of remote working, bad actors took advantage of the disruption caused by this global catastrophe and increased their attacks.
As cybercriminals exploit the changing social, economic, and technical landscape, CISOs can and must use the same principles to help make informed cybersecurity budget decisions.
Making informed choices comes down to knowledge and understanding. Here are five considerations that anyone involved in cybersecurity budget spend should take into account in the coming 12 months (and beyond):
According to the World Bank, global growth will slump to 2.9% in 2022 and remain at this level until 2023-2024. This global recession will be devastating for many individuals, but it also creates an opportunity for cybercriminals. The Verizon DBIR points out that 86% of cybercrime is financially motivated. As recession hits, fraud increases: risky behavior is more likely to occur if there is financial desperation. For example, during the economic downturn of 2008-2009, mortgage fraud increased by 71%. Now, Juniper Research has identified an 18% increase in eCommerce fraud in 2021, a severe problem in light of research from The Federal Reserve that found traditional fraud models are failing to catch 85-95% of synthetic identity fraud attempts.
But fraud is not confined to consumer models. Cybercriminals also target employees and use identity-related fraud tactics to extort or steal money from enterprises. Between 2016-2021, the FBI identified a 65% increase in Business Email Compromise (BEC) scams, with associated losses of $43 billion.
Takeaway: Recession drives fraud, and securing personal and financial data through identity-based access is central to limiting and reducing fraud.
There is no longer any question that geopolitical events influence cyberattacks. In 2021, 74% of the money extorted through ransomware attacks went to Russian hackers. The ongoing war on Ukraine has resulted in sudden and focused cyberattacks, and in a warning from the U.S. CISA (Cybersecurity and Infrastructure Security Agency) ‘Shields Up’ initiative:
“The Conti ransomware actors threaten “retaliatory measures” targeting critical infrastructure in response to “a cyberattack or any war activities against Russia.”…“Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000.”
Geopolitical events and recession create an alignment of events that cybercriminals exploit. The 2022 DBIR warns:
“This year Ransomware has continued its upward trend with an almost 13% increase–a rise as big as the last five years combined.”
Ransomware has evolved in recent years to deliver a one-two punch involving data theft, data encryption, and extortion. The methods used to infect a company with ransomware typically involve human operators through spear-phishing, social engineering, and credential theft.
Takeaway: The war in Ukraine and other geopolitical crises cause uncertainty and drive cyberattacks. These attacks frequently use tried and tested methods such as social engineering and phishing.
Because cybersecurity is always evolving, data protection and privacy regulations are introduced and/or changed regularly. In the United States, data privacy laws such as the California Consumer Privacy Act (CCPA) have already been deployed at the state level. However, federal privacy law is appearing on the regulatory horizon. In addition, industry-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA) mandate that certain sectors protect data. In the EU, the NIS2 directive creates a common cybersecurity framework across the union. Laws of this nature are replicated across the world.
Often, these regional and industry-focused regulations overlap in their requirements. Companies should focus on following security best practices and implementing robust security measures: in doing so, their security controls will map naturally onto the regulations, covering a multitude of overlapping requirements.
Takeaway: Regulations can be more of a minefield and less of a landscape. However, companies that invest appropriately and adhere to security best practices will find the regulations largely take care of themselves.
Zero Trust is a much-needed development to replace the traditional perimeter security framework built on a ‘castle and moat’ protection approach. But Zero Trust must also continue to adapt as the risk landscape changes and, significantly, to reflect changes in the digital transformation pathway of a business.
For example, as noted above, ransomware and BEC, amongst other cyber-attack types, rely on access to a device, app, or network to propagate an attack. To gain such access, bad actors conduct targeted attacks on employees, business associates, and the broader vendor ecosystem. As a result, privileged users are an ideal attack focus. A privileged user has access to all the keys to the castle, and a set of stolen keys opens up the fortress: a survey from FINN Partners and Centrify found that 74% of data breaches involve a privileged user. A further study from Forrester increases this figure to 80% of data breaches relying on privileged access credentials.
Still, it is not just privileged access that can provide a way into a network. The theft of any user login credentials can lead to access to sensitive areas of a network using a technique known as lateral movement.
The Zero Trust approach to security emphasizes prevention, not cure. Zero Trust models ensure that access is continually authorized and verified, for devices as well as users. If a credential is stolen, however, some ZTNA (zero trust network access) solutions find it difficult to detect a malicious actor moving around the network, installing malware, or exfiltrating data, because that actor is using a legitimate credential. This is why it is crucial to choose a ZTNA vendor that enforces dynamic access control checks and includes real-time monitoring to detect unusual or anomalous behavior.
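To make the continuous-verification point concrete, here is an added example (not code from the article or from any vendor it mentions): a toy access-decision policy in Python that scores each request against a per-user baseline, so a valid credential presented from an unknown device, outside usual hours, or against unfamiliar resources is stepped up or denied, plus a simple fan-out check for the lateral movement described above. The `Baseline` and `Request` types, the thresholds, and the sample data are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    """What 'normal' looks like for one user; assumed to be learned elsewhere."""
    known_devices: frozenset
    usual_hours: range            # local hours the user normally works
    usual_resources: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    hour: int                     # 0-23, local time
    resource: str
    credential_valid: bool

def evaluate(req, baselines):
    """Continuous verification: returns (decision, reasons), decision in allow/step-up/deny."""
    if not req.credential_valid:
        return "deny", ["credential invalid"]
    base = baselines.get(req.user)
    if base is None:
        return "deny", ["no baseline for user"]   # fail closed for unknown users
    reasons = []                                  # a valid credential is necessary, never sufficient
    if req.device not in base.known_devices:
        reasons.append("unknown device")
    if req.hour not in base.usual_hours:
        reasons.append("outside usual hours")
    if req.resource not in base.usual_resources:
        reasons.append("resource outside normal pattern")
    # Two or more signals together: treat as a stolen credential; one signal: force re-authentication (MFA).
    decision = "deny" if len(reasons) >= 2 else "step-up" if reasons else "allow"
    return decision, reasons

def lateral_movement_alerts(requests, max_distinct=3):
    """Users fanning out over more distinct resources than max_distinct, the spread pattern of lateral movement."""
    seen = defaultdict(set)
    for r in requests:
        seen[r.user].add(r.resource)
    return sorted(u for u, res in seen.items() if len(res) > max_distinct)

BASELINES = {"alice": Baseline(frozenset({"laptop-01"}), range(8, 19), frozenset({"crm", "mail"}))}  # constructed
SAMPLE = [                                                  # constructed sample requests, not real systems
    Request("alice", "laptop-01", 10, "crm", True),         # normal -> allow
    Request("alice", "laptop-01", 10, "hr-db", True),       # one anomaly -> step-up
    Request("alice", "kiosk-77", 3, "fileserver", True),    # valid credential, clearly anomalous -> deny
    Request("alice", "kiosk-77", 3, "finance", True),
]
```

Running `evaluate` over `SAMPLE` yields allow, step-up, deny, deny, and `lateral_movement_alerts(SAMPLE)` flags `alice` because the credential touched four distinct resources.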
Takeaway: A Zero Trust strategy must weave in landscape changes such as remote access needs, third-party access, increasing cybersecurity attacks, and regulatory requirements. In addition, organizations should confirm that their ZTNA vendor does not have access to their data.
Microsoft recently reported that by 2025 there will be a 3.5-million-person shortfall in cybersecurity skills. The researchers also pointed out that in the United States, one in 20 jobs is a cybersecurity role. CISOs must build resilience to cover this skills gap by thinking outside of the recruitment box. A build AND buy approach is needed. Upskill and reskill alongside the use of external cloud-based services that provide the solutions needed to harden a digitized organization.
Takeaway: Find ways to improve your cybersecurity skills, either by employing specialists, training existing employees, or outsourcing security services.
No matter how large or small your budget, it is ultimately finite; therefore, choosing the right cybersecurity solutions for your organization takes careful planning. By understanding the patterns of behavior cybercriminals employ and how they exploit situations, CISOs and other key stakeholders can make informed decisions that optimize cybersecurity budget spending.