By Darren Guccione, CEO and Co-founder, Keeper Security
In times of rising inflation and market turbulence, companies may be tempted to pull back on cybersecurity spending as they seek to navigate uncertain economic headwinds. However, cutting back on cybersecurity measures makes organisations even more vulnerable to data breaches, just as the cyberthreat environment is growing more dangerous.
Cybercrime against UK businesses is rising, with stolen passwords leading the charge
Keeper’s 2022 UK Cybersecurity Census Report, which surveyed 512 IT decision-makers in the United Kingdom, found cyberattacks becoming more frequent, with the average UK business experiencing 44 cyberattacks per year. Nearly one in five UK businesses suffer over 500 attacks a year. The overwhelming majority of respondents (84%) expect these numbers to increase over the next 12 months.
Cyberattacks can take many forms, but the most significant threat comes from compromised user credentials. Verizon estimates that over 80% of successful data breaches can be traced to stolen or compromised passwords. While the overwhelming majority of UK businesses Keeper surveyed reported having at least some visibility and control over their employees’ password habits, nearly one-third admitted they allow employees to set their own passwords and even share passwords.
New threats are emerging due to digital transformation, multi-cloud computing and distributed remote work
The COVID-19 pandemic forced organisations worldwide to rapidly accelerate their digital transformation plans to accommodate newly remote workforces, not to mention digitise their customer and vendor interactions. McKinsey estimates that the average organisation accelerated their digital transformation by three to four years.
However, in the rush to build out IT infrastructures to enable both remote work and remote trading, cybersecurity often took a backseat, and IT leaders still don’t feel confident that their organisations have made up for the security shortfalls incurred during that time. In Keeper’s survey, UK IT leaders listed digital transformation as one of their top security concerns, second only to rising external threats.
Digital transformation and remote work have been highly beneficial to organisations, their employees and their customers. However, digitisation also widens organisations’ potential attack surfaces and obliterates network perimeters. If IT teams don’t adopt new approaches to access management, particularly zero-trust security architectures, their organisations are left highly vulnerable to password-related cyberattacks.
Successful cyberattacks can seriously damage businesses
When a cyberattack does strike an organisation, the consequences can be severe. In addition to the direct costs of mitigation efforts and regulatory fines, victimised organisations typically incur significant indirect costs.
Over one-third (35%) of UK IT leaders told Keeper that their organisations’ daily business operations were disrupted in the wake of a cyberattack. About the same percentage (34%) reported that the attacks disgruntled their customers and degraded their organisations’ reputations, and nearly one-quarter (23%) lost business or contracts.
Geopolitical instability and the current macroeconomic environment are fuelling state-sponsored cyberattacks
The same global political and economic instability that’s prompting many business leaders to cut back is also making the cyber threat environment more dangerous. Logic dictates that a bad economy can lead to an increase in unemployment, which may prompt more individuals to turn to cybercrime as a means of making money. However, the problem goes much deeper than “lone wolf” attacks perpetrated by distressed individuals.
A recent report by the World Economic Forum found that the overwhelming majority of both IT and business leaders feel that global geopolitical instability will lead to a “far-reaching, catastrophic cyber event” within the next two years. Respondents to Keeper’s survey echoed these concerns, with 58% of UK IT leaders stating that they fear their organisations will be victimised by a state-sponsored cyberattack within the next 12 months.
State-sponsored attacks don’t exclusively target governmental agencies. State-funded threat actors have numerous reasons to target private businesses. Manufacturers, for example, have long been a target of foreign spies seeking to steal design schematics, product prototypes, advanced manufacturing processes and other intellectual property for use in their own countries. Any company that possesses a unique or innovative product or process is a potential target.
State-sponsored cybercriminals also target private-sector companies to create destabilisation within another nation’s social and economic infrastructures, particularly if the company provides an essential service. In early 2023, a state-sponsored ransomware attack on Royal Mail caused significant disruption to overseas letter and parcel deliveries.
How organisations can protect themselves
With cybercrime a clear, present and growing threat to UK businesses, organisations would be foolish to slash their cybersecurity budgets. Instead, they should focus on making sure they are investing in the most effective tools to maximise their cybersecurity posture and return on investment.
Train your employees on cybersecurity best practices
Even a small mistake, such as an employee clicking a phishing link, can lead to a catastrophic cyberattack. UK IT leaders are aware of this danger; over half of respondents to Keeper’s survey said they increased employee cybersecurity training within the past year.
It’s not enough to throw money at a training solution and hope it will stick. Training should be customised to fit the specific needs of each organisation, the most prevalent threats in the organisation’s industry and, in many cases, specific job roles. For example, developers should be trained on application security best practices, and finance personnel should be taught to spot business email compromise (BEC) messages, which try to trick employees into paying phoney invoices.
Keep operating systems and software up to date
The NotPetya ransomware variant, which spread globally in 2017 and cost organisations billions of dollars, targeted a vulnerability in unpatched Windows systems. The Equifax breach, which compromised the private data of 147.9 million Americans and 15.2 million British citizens, happened because the company was running an unpatched version of Apache Struts software.
Ensuring that software and operating systems are up to date is one of the simplest and most cost-effective ways organisations can protect themselves against cyberattacks.
Implement zero-trust network access
Zero trust is a security framework designed for modern, cloud-based data environments. While older access frameworks focused on where users were logging in from, zero trust centres on who users are. It eliminates implicit trust, uses least-privilege and role-based access control to strictly control access to network systems and data, and requires all human users and devices to be continuously and explicitly validated.
When implemented properly, zero trust provides IT administrators with full visibility into all users, systems, and devices, helps ensure compliance with industry and regulatory mandates such as the GDPR, and helps prevent password-related cyberattacks.
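To make the zero-trust principles above concrete, here is a small policy decision point written as an added example for this article; it is not Keeper’s code and not any particular product’s API. Every request is judged on its own: the session is re-validated (age and MFA), the device posture is re-validated, and a role-based permission table grants only explicitly listed resource/action pairs, so the default answer is deny. The request’s source IP is recorded for audit but deliberately plays no part in the decision, which is the “who, not where” shift the paragraph describes. All roles, users, devices and timestamps are constructed sample data.

```python
"""Minimal zero-trust policy decision point (added illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least privilege via RBAC: each role lists the (resource, action) pairs it may use.
# Constructed sample policy; a real deployment loads this from a policy store.
ROLE_PERMISSIONS = {
    "finance": {("invoices", "read"), ("invoices", "approve")},
    "developer": {("source", "read"), ("source", "write"), ("invoices", "read")},
}

SESSION_MAX_AGE = timedelta(hours=8)   # assumption: force re-authentication after 8h


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    issued_at: datetime
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    session: Session
    device: Device
    resource: str
    action: str
    source_ip: str   # kept for the audit record only; never consulted for the decision


def evaluate(req: Request, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every check must pass on every request."""
    s = req.session
    # Explicit, continuous identity validation: an old login confers no implicit trust.
    if now - s.issued_at > SESSION_MAX_AGE:
        return False, "session expired; re-authentication required"
    if not s.mfa_verified:
        return False, "MFA not verified for this session"
    # The device is validated as well as the human using it.
    d = req.device
    if not (d.managed and d.disk_encrypted and d.os_patched):
        return False, f"device {d.device_id} fails posture check"
    # Role-based, least-privilege access: the pair must be explicitly granted.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(s.role, set()):
        return False, f"role {s.role!r} not permitted to {req.action} {req.resource}"
    return True, "allowed"


def audit_record(req: Request, now: datetime) -> dict:
    """Decision plus the context an administrator needs for visibility into every access."""
    allowed, reason = evaluate(req, now)
    return {
        "time": now.isoformat(),
        "user": req.session.user,
        "role": req.session.role,
        "device": req.device.device_id,
        "source_ip": req.source_ip,
        "resource": req.resource,
        "action": req.action,
        "allowed": allowed,
        "reason": reason,
    }


# Constructed sample data for the scenarios below.
NOW = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
FINANCE_SESSION = Session("alice", "finance", NOW - timedelta(hours=1), mfa_verified=True)
STALE_SESSION = Session("alice", "finance", NOW - timedelta(hours=9), mfa_verified=True)
DEV_SESSION = Session("bob", "developer", NOW - timedelta(minutes=5), mfa_verified=True)
GOOD_DEVICE = Device("lap-042", managed=True, disk_encrypted=True, os_patched=True)
UNPATCHED_DEVICE = Device("lap-099", managed=True, disk_encrypted=True, os_patched=False)


def demo() -> dict[str, tuple[bool, str]]:
    """Run the scenarios and return name -> decision, so the results can be inspected."""
    return {
        # Compliant device from a home address: identity and posture pass, so allowed.
        "finance_from_home": evaluate(Request(FINANCE_SESSION, GOOD_DEVICE, "invoices", "approve", "203.0.113.7"), NOW),
        # Same person on the office network but an unpatched laptop: location does not help.
        "finance_office_unpatched": evaluate(Request(FINANCE_SESSION, UNPATCHED_DEVICE, "invoices", "approve", "10.0.0.5"), NOW),
        # Developer may read invoices but approving them is outside the role: least privilege.
        "dev_approve_invoice": evaluate(Request(DEV_SESSION, GOOD_DEVICE, "invoices", "approve", "10.0.0.9"), NOW),
        # Nine-hour-old session is re-checked and rejected regardless of everything else.
        "stale_session": evaluate(Request(STALE_SESSION, GOOD_DEVICE, "invoices", "read", "10.0.0.5"), NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The order of checks matters: session and device are validated before the permission lookup, so an attacker holding a stolen password but lacking MFA, or working from a non-compliant device, is stopped before the role table is ever consulted. The audit record carries the reason string, which is what makes the denials visible to the IT team the paragraph refers to.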
No matter how bleak the economic outlook, cost-cutting on cybersecurity isn’t worth the risk. From protecting sensitive data and digital assets to ensuring compliance with the GDPR and other industry and regulatory frameworks, cybersecurity directly impacts business outcomes. Organisations with a strong security posture are better equipped to weather economic storms, maintain positive customer relationships and build long-term competitive advantages against less secure competitors.