Cybercrime and recessions

It is a truism that, in recessions, incidence of crime increases proportionately to the depth of the recession. This is doubly true of cybercrime.

Today’s cyber criminals are sophisticated, agile opportunists – and recessions bring them lots of opportunities. Many organisations, in planning how they handle an extended period of economic difficulty, will treat cyber security expenditure as discretionary, capable of being delayed, reduced or cut. And this approach is typically applied indiscriminately across all three cyber domains: people, process and technology. Imagine what that means in a market where ransomware attacks increased by 47% between June and July this year!

We already have a global shortage of qualified cyber security and privacy professionals. We already have huge numbers of organisations with inadequate social, procedural and technical defences against ransomware and other cyber attacks. We already have millions of organisations that can’t even meet (on their own assessment) very basic cyber security controls like Cyber Essentials. The normal ‘delay, reduce, cut’ business response to current and future economic challenges will turn an already porous attack surface into one that is full of gaping holes.

And cyber criminals know this. They will be able to exploit the growing number of vulnerabilities without breaking sweat. They will rake in huge returns on their ongoing cyber threat activity. And the thousands of organisations that cut back on cyber defence, and are breached, will then have to spend money they won’t have (because cyber insurance is so expensive, even if you can find it) on recovering, as well as on improving their defences – or go under. And, while they’re waiting to discover they’ve been attacked, key customers and other stakeholders will increasingly ask for evidence of appropriate steps that will protect their suppliers against the existential threat that is cyber-attack.

The strong survive recessions. Ensuring and proving you’re cyber-secure is as much a strategic imperative as ensuring you have enough cash in the bank.  Yes, you need to get smart about identifying and mitigating specific cyber risks, and you need to build and maintain cost-effective cyber defence in depth. But the argument that you can’t afford to invest properly in basic cyber-survival is really no argument at all. Worse than that, it is typically the first step into what may become a death spiral.