Global inflation can have, and is having, a significant impact on cybersecurity. As prices rise, organizations may be tempted to cut back on cybersecurity spending, making them more vulnerable to cyberattacks.
Additionally, inflation can make it more difficult for organizations to keep up with the latest cybersecurity threats. The cost of security tools and services is rising, and organizations may not have the budget to keep up. And let's not forget about the impact on finding and retaining talent; or layoffs that occur, pushing remaining resources (people) to the limit.
According to Forbes, the U.K.’s Office for National Statistics (ONS) placed the measure of inflation by the Consumer Prices Index (CPI) at 8.7% back in April. It is a figure that has decreased from 11.1% recorded in October 2022, yet it is still painfully elevated.
All of this makes it more difficult for organizations to protect themselves from new and emerging cyber threats.
Here are some specific ways in which global inflation can impact cybersecurity.
- Reduced cybersecurity spending
As prices rise, organizations may be tempted to cut back on cybersecurity spending in order to save money. This can make them more vulnerable to cyberattacks.
- Increased cost of cybersecurity tools and services
The cost of cybersecurity tools and services is rising, due to factors such as increased demand and the increasing cost of labor. This can make it more difficult for organizations to keep up with the latest cybersecurity threats.
- Increased risk of cyberattacks
The rising cost of living can lead to an increase in cybercrime, as people become more desperate to make money. Additionally, cybercriminals may be able to use inflation to their advantage, such as by sending phishing emails that appear to be from legitimate companies offering discounts or assistance.
- Increased difficulty attracting and retaining cybersecurity talent
The cybersecurity industry is already facing a shortage of skilled workers. Inflation can make it more difficult for organizations to attract and retain cybersecurity talent, as workers may be able to find higher salaries elsewhere.
We asked a few practitioners for their take on rising inflation and how it is making their jobs keeping their organizations secure more difficult—and what they are doing to try to combat these issues.
"I think it requires taking a step back and assessing what you can do with less," said Chris Roberts, CISO and Senior Director at Boom Supersonic. "Too many folks focus on the technology as opposed to the people or process. When budgets tighten and we're still responsible for moving the security forward, we should look to the policies, procedures, and controls and which ones can we shore up, what can we do to block/tackle those things we've been putting off, etc. Also, let's face it, table top exercises don't cost anything."
Andrew Smeaton, CISO at Afiniti, says reassessment of cybersecurity programs and plans is necessary.
"Economic effects, including inflationary pressures, have had a broad impact across the InfoSec landscape," Smeaton said. "While each CISO's decisions are situationally dependent, I have used this as an opportunity to revisit the way I approach not only the budget process as a CISO but also how I present that budget for buy-in by leadership. This is more critical now than it's ever been."
Smeaton is speaking at SecureWorld Seattle on November 8-9 on "Insider Threats: A Multi-Pronged Approach to Protecting Your Organization" at 2:30 p.m. on Day 2.
Domestic and global inflation can have a negative impact on cybersecurity. Organizations need to be aware of the risks and take steps to protect themselves, even if it means increasing their cybersecurity spending.
Here are some tips for organizations on how to protect themselves from the cybersecurity risks associated with inflation.
- Prioritize cybersecurity spending
Even in times of economic difficulty, it is important to prioritize cybersecurity spending. Cybersecurity is an investment that can save organizations a lot of money in the long run.
- Invest in the right security tools and services
There are a variety of cybersecurity tools and services available, so organizations should selectively choose the ones that are right for their needs and budget.
- Educate employees about cybersecurity
Employees are often the first line of defense against cyberattacks. Organizations should educate their employees about cybersecurity best practices and how to identify and avoid phishing attacks. Investing in security awareness training has a bottom line impact.
- Develop a cybersecurity incident response plan
In the event of a cyberattack, organizations should have a plan in place to respond quickly and effectively.
[RELATED: Ransomware Incident Response: What Is It Like?]
"Reduced spending on cybersecurity doesn't have to equate to the inability to implement a certain control," said Krista Arndt, CISO at United Musculoskeletal Partners. "Reduced spending challenges us as security leaders to let go of our preconceived notions of what we had planned to do to achieve our goals, and opens up opportunities for us to collaborate with our teams on unique alternative ways to get there. There is always more than one way to the same end goal. 6 + 3 = 9, but so does 5 + 4. This could even lead to improved team satisfaction through supportive learning, personal growth, and new opportunities to contribute, and may also force innovation in problem solving that can be leveraged across others facing the same obstacle."
Arndt continued: "Organizations need to rekindle more significant resource allocations toward security awareness and training efforts. Attackers are more easily able to circumvent email security controls of even the most mature organizations through well-crafted social engineering tactics, resulting in stolen account credentials and ultimately account takeovers.
Attackers are even using legitimate file-sharing solutions to host malware so it remains undetected. The human element of security is the most difficult to predict and control, and, therefore, should receive attention in kind."
Arndt is the lunch keynote presenter at SecureWorld Dallas on October 26, speaking on "Drag Racing & Cybersecurity: The Crossover," as she shares her story of surviving a drag racing accident and how it changed her perspective on life, family, and work—and how it ties into cybersecurity.
Kimberly "KJ" Haywood, Principal Advisor at Nomad Cyber Concepts and Adjunct Cybersecurity Professor at Collin College, had this to say:
"Inflation is hitting organizations harder than ever. Many are facing multifaceted challenges. As cyber threats surge, the expenses associated with cyber insurance rise, adding to the financial strain.
Instead of downsizing amidst heightened cybercrime risks, consider a more innovative approach. Harness your current workforce for internal training through engaging simulations. Additionally, optimize your technology stack by evaluating existing solutions and exploring opportunities to expand with new modules or vendor collaborations. This proactive strategy can fortify your defenses without compromising your team's strength."
Haywood is on the opening keynote panel at SecureWorld Dallas on October 26, addressing "Implications of ChatGPT and Other Similar AI Tools."
Reanna Schultz is a cybersecurity professional and frequent SecureWorld speaker whose day job is as Team Leader of InfoSec at Garmin. These comments are her own and do not reflect those of her company, necessarily. Here's what she had to say about inflation, as it relates to team retention:
"In the current economy, achieving more with fewer resources is a common goal. However, job seekers often face challenges in interviews where job requirements appear overwhelming due to tight security budgets. To retain talent, it's essential to establish a clear vision, foster an innovative and inclusive culture, and invest in your team through mentorship and support. While these strategies may not solve every problem, they contribute to a positive work environment, boosting morale and motivation to overcome challenges."
Schultz offered these CISO tips regarding security awareness training:
"Security education is essential for building and maintaining human firewalls in the organization. To improve phishing awareness without overspending, begin by reviewing click percentages, aiming for growth if the rate is between 0-2%. To enhance the education program, assess the types of phishing attempts used, reducing complexity, and making them more relevant to users. Collaborate with the IT Service Desk and Security Operations Center for inspiration, analyze blocked threats, and stay updated with cyber trends to incorporate new phishing templates. Ultimately, nurturing the phishing program empowers users to recognize and report legitimate emails, reinforcing their role as the last line of defense against evolving threats."
On investment in tools, Schultz offered this advice:
"When evaluating business tools, it's crucial to ask:
- What value does this tool bring, and what challenges are we trying to solve?
- Can our current security tools address this issue, and if not, why?
- Does this tool integrate with our existing architecture (e.g., SIEM, SOAR)?
- What unique functions does this tool offer compared to our existing tools, and is this function essential? Establishing standards upfront streamlines the evaluation process, benefiting all stakeholders, including product vendors.
Establishing guidance and standards before introducing a new security tool can facilitate the evaluation process and save time for everyone involved, including the vendors pitching their products."
~~~
Some additional related factoids around inflation:
- In February, McKinsey reported that inflation had approached 10% in the U.S. and had also exceeded double digits in the U.K. and European Union. In a challenging climate of hyperinflation, central banks, including the Federal Reserve, raised rates at a pace that has not been seen since the 1980s.
- According to Digitalisation World, the amount of "SMEs paying ransomware demand dramatically increased from 21% to 85% within the last year."
- Global Security Mag confirmed that "ransomware attackers extorted $456.8 million from victims in 2022."
- According to Forbes, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025.
- According to Cybersecurity Magazine, 60% of businesses cease to exist after six months of experiencing a cyberattack, and the cost of companies reducing their budget and then falling victim to an attack is approximately $200,000.
- Inflation has reached 40-year highs in both the U.S. and Europe. In June 2022, inflation in the U.S. reached 9.1%, the highest level since 1981. In the same month, inflation in the eurozone reached 8.6%, the highest level since the euro was introduced in 1999.
- In the U.S., inflation has led to higher prices for food, energy, and housing, making it more difficult for people to afford basic necessities. Inflation has also led to a decline in consumer sentiment, which could slow economic growth.
- In Europe, inflation has been exacerbated by the war in Ukraine. The war has caused energy prices to rise and has disrupted supply chains, leading to higher prices for goods and services across the eurozone. Inflation is also expected to have a negative impact on economic growth in Europe.
