Economy Receding, Cybercrime Proceeding

As we wade into what has been predicted by many to be the most prolonged economic downturn since records began, what impact will it have on cybercrime? Eleanor Dallaway finds out how cyber-criminals are likely to greedily and mercilessly feed off of the recession…

“The threat from cyber-criminals is only going to increase in regularity and sophistication over the coming months as criminals try to take advantage of uncertainty and worry.”

These are words that absolutely nobody wants to hear. Thanks, AJ Thompson, chief commercial officer at Northdoor. He’s not alone with this prediction, though.

We’re already navigating a cost-of-living crisis, a recession predicted by The Bank of England to be the longest since records began a century ago, and a political landscape more turbulent and divided than many will witness in a lifetime. Wounds are gluttons for salt, so why not throw in a truckload of cybercrime too, just to really cheer everyone up?

Hello wound, I’m salt

“The cost-of-living crisis is yet another widespread situation that criminals have been able to take advantage of,” says ESET’s Jake Moore. “Criminal opportunities targeting people and businesses increase during a time of need, especially where desperation hits a breaking point.” And he should know. Moore spent 14 years investigating computer crime in the Digital Forensics Unit and Cyber Crime Team in the Dorset police force.

Professor Kamal Bechkoum is head of the University of Gloucestershire’s School of Computing and Engineering. He also warns that criminals target vulnerabilities, most notably the ones found in humans. “As people become more desperate and isolated during a recession, they become more open to scams.” Add to that the fact that when humans are busier and more distracted, they are less likely to be diligent when clicking on links in emails or social engineering attempts.

Of the ten interviews conducted for this feature, eight experts believe that the recession will increase cybercrime.

John Pescatore, director of emerging security trends at the SANS Institute, took up a position on the fence. “There is no meaningful data showing that cybercrime goes up or down based on economic conditions like recessions.”

Brian Lord is the former deputy director of cyber and intelligence operations at GCHQ, now CEO of Protection Group International. He points out that measuring an increase in cybercrime is incredibly difficult, given that the vast majority of cybercrimes aren’t recorded.

Pescatore adds that fear, uncertainty and doubt that typically ascend from a recession are likely to increase the success rates of cyber scams. This can happen in two ways; the first was already covered by Professor Bechkoum (criminals taking advantage of a sense of urgency in victims, leading to more clicks on malicious links). Second, a halt in cybersecurity spending (something we’ll revisit shortly) can leave an organisation’s security inadequate and ripe for compromise. The latter, Pescatore says, “could help cyber-criminals succeed if companies are slow to patch systems or move to multi-factor authentication.”

The lesser-trodden opinion (although a much more palatable one) comes from Intel 471’s CEO, Mark Arena. “We do not feel that the economic outlook or cost of living pressures contribute significantly to a rise or decrease in cybercrime.” He does, however, anticipate a spike in financial fraud schemes.

The perfect victim

As stated above, cyber-criminals prey on the vulnerable. The volatility of the world over the past few years has played beautifully into the hands of those seeking to benefit from misfortune. “This perfect storm of an epidemic and a financial crisis simply plays into the hands of any criminal wanting to prey on victims who may be more vulnerable than normal,” explains Moore.

Cyber-criminals have template campaigns centred around every eventuality, ready to press send when that particular scenario comes to fruition.

“Recessions are extremely attractive to threat actors where they can have unlimited attempts at conning people who lower their guards in favour of taking risks,” warns Moore, and it’s known that when facing rising costs, people are more likely to take risks and act quicker. “All of this helps in the making of the perfect victim,” he adds.

Lord has a similar take on the victim profile: “the general public is worried, stressed, short of money and therefore far more susceptible to the type of hostile online activity that stimulates cybercrime.” Will the recession specifically be used as a vehicle for exploiting individuals? “Of course,” he responds.

That’s why unemployment fraud will likely rear its ugly head in a meaningful way in the near future. Brian Kime, VP of intelligence strategy and advisory at ZeroFox, warns of this: “Criminals will abuse weak verification systems for disbursing unemployment funds when departments are overwhelmed by new applicants. Criminals will also likely target individuals offering help to enrol in unemployment [benefits], usually by offering to help with the paperwork for a small fee.”

Emili Evripidou, manager at Accenture, comments further on the threat of unemployment. She explains that the recession will inevitably lead some people to search online for new jobs, “which is the perfect landscape for cyber-criminals to thrive.”

The effect of the recession on cybercrime needs to be analysed in two separate categories: the impact on individuals and the impact on businesses. We’ve covered the former, so let’s now focus on the latter.

Lord highlights two significant considerations: firstly, the extent to which the recession causes companies to look at (and often reduce) costs, and secondly, redundancies, which bring bad feelings and insider threats. Cutting cybersecurity defence costs, Lord says, “will inevitably create opportunities for potential cybercrimes.” On the topic of redundancies, he says, “unless organisations manage the inevitable redundancies and offboarding of staff carefully, there is a very high likelihood of increase of cybercrime for insiders and disgruntled employees. Cyber-criminals leverage the pressures that the recession creates.”

Kime expands on the insider threat: “Some insiders may sabotage critical systems if they think they are about to be laid off. Others will sell trade secrets or network access in an underground forum,” he adds that ZeroFox observes the latter regularly.

Recession exploits have a longer lifespan

The dilemma for businesses is that whilst cyber threats might be multiplying and feeding off the recession, resources are increasingly being squeezed and constrained due to the economic climate. It would be naïve not to recognise the temptation to reduce or put off investment in cybersecurity.

Pescatore points out that tight economic conditions can lead to halts in spending on cybersecurity, although he adds, “in previous recessions, that has been minor.”

“Criminal opportunities targeting people and businesses increase during a time of need, especially where desperation hits a breaking point” Jake Moore

Lord is concerned that budget cuts will result in inferior protections. “You’ll find the lifespan of exploits—that is, the malware that allows criminals access to your systems—will be longer because organisations will decrease the frequency in which they update their systems with patches to save money.”

He’s realistic about businesses needing to make savings but feels strongly that certain things should never be compromised. Do not compromise on the frequency you receive and apply updates to known exploitable capabilities, he says, “and do not compromise on your automated controls that govern the receipt of emails from external people. Most cyber-criminals automatically use and reuse known exploits and leverage on the fact that organisations take time to apply those security patches to their systems.”

This might be starting to sound a little too technical for comfort, so let’s simplify Lord’s advice: frequently update and patch your systems and invest in cybersecurity awareness for your staff.

As Northdoor’s Thompson insinuates, a company that reduces its cybersecurity spending effectively leaves the door open further for cyber-criminals. “The damage caused by a breach will negate any cost-savings and cause irreversible damage to reputation and customer relationships.” With the cost of cyber-attack ranging from damaging to catastrophic, cutting corners regarding cybersecurity spending is ill-advised.

Moore agrees: “Unfortunately, some organisations will be forced to streamline their business, and some may decide the presence of cybersecurity is a luxury and defer to a cheaper, less secure option. However, with the increasing threat landscape, this is not an area the C-Suite should sacrifice. Cybersecurity, like insurance, doesn’t make money, but it can help in times of need and become imperative to keep the business alive.”

A wild west industry

Former GCHQ deputy director of cyber and intelligence operations, Brian Lord, considers the importance of risk mitigation in a recession. “Part of the mitigation of any risk is insurance,” he says. “Talk to your insurance company, work out the right level of protection you should be displaying to get the optimum level of cybersecurity insurance.

“Some insiders may sabotage critical systems if they think they are about to be laid off. Others will sell trade secrets or network access in an underground forum” Brian Kime

“No organisation can operate without any cybersecurity insurance cover; that would be quite naive. But consequently, no insurance company should be looking at insuring a company that does not take its cybersecurity defences seriously.” In a recession, where spending needs to be scrutinised, Lord advises finding the sweet spot between spending on cyber defences and on cyber insurance. “Aligning the two very, very carefully is the most pragmatic solution to this. During a recession, there needs to be a strong relationship between the organisation and their insurer, and both need to be happy with the level of risk.”

Lord’s final thought, sobering at that, is that the current cybersecurity ecosystem is unsustainable. This was the case before the recession, he says, and will undoubtedly continue to be. “There are an awful lot of cybersecurity companies which still charge extraordinarily high prices for basic cybersecurity consultancy services or technical services. That wasn’t sustainable even in a non-recession sense.” Referring specifically to the costs and pricing of the industry; he labels cybersecurity a “wild west industry”.

Perhaps there’s an analogy to be drawn between the relationships between a wild west industry and a recession and salt and a wound. Both are painful, and both are likely to get worse before they get better.