Instead, what we see is money spent on more sources of revenue and more tools to make revenue generation efficient. Security and IT operations just get to maintain and make do with what they have. This sad state of affairs is even more obvious when you look at how much an average breach, incident, disaster, etc. costs when it happens without a plan in place. Just look at the massive impact from the quarantine of 2020. Businesses lost money hand over fist because they had no continuity plans to keep the business efforts running. They were also open to attacks as their workforce moved from inside the walled garden to basically sitting in the fields outside the wall.
With the rise in attacks, identified and exploited vulnerabilities, breaches, ransomware, etc., I would have thought we had hit a turning point in the industry where the lights would come on and businesses would realize that IT operations and cybersecurity were not just costs to be mitigated, but as essential to operation as revenue generation. Instead, we see a decrease in security spending, in conjunction with layoffs of non-revenue-generating personnel. If I never have to sit on another call where I hear about a new acquisition and then a request to “trim down” security spending, it would be a very happy time indeed.
What is being missed here, in the mad race for more revenue, is that there are smart and efficient ways to spend your IT operations and cybersecurity budget while systematically increasing revenue. You just have to identify what those areas are. You also need to be aware of how the threat landscape changes when there is an economic impact. In the current economic environment, there are certain business verticals that are contracting. The mortgage and finance industry is one that is being hit particularly hard. Cost-cutting measures are being sought to help preserve revenue, and security is one of the first things to go. The problem is that threat actors know this pattern all too well. They do their homework and research and can identify with frightening accuracy when to start hitting businesses that might be letting security slip. This is even more likely to happen when an industry is on the verge of regulation changes.
The logic is simple to follow. The downsizing of a company (announced layoffs) typically indicates a decrease in security spending; when combined with a regulation change with more restrictive requirements, it is like a perfect storm for them. The new additions to the regulation (such as requiring MFA for all internal and external applications and services) give them a target, the downsizing means there is likely to be chaos in account management, and the decrease in security spending means there is little chance that the required changes have been budgeted for. Initial Access Brokers (IABs) start looking to ramp up phishing in the hopes of a BEC they can either pivot off of (send more phishing emails to bigger targets), pull data from that can be leveraged for financial gain, or put in their pocket for later exploitation.
We are already seeing an increase in business email compromises, financial fraud emails and other styles of attacks simply because the target environment is rich. The number of companies that are compromised and do not have internal security teams, or went with the cheapest outsourced security they could find, is shocking. Even larger organizations are at fault here. They have the money, but are either unwilling to spend it or unwilling to complete security projects in a timely manner. The recent City of Dallas ransomware attack is a great example of this. They had the right tools; they just never spent the time/money to finish getting them set up properly to combat a ransomware attack. I am willing to bet they had multiple audits, assessments, etc. and still got popped.
The good news is that there is a way to fix this. It is not easy, it is not simple, and it does cost money. Companies must understand that incidents and disasters can take more money than you earn if they are not properly planned for. This means that you need the right staff (internal or third party) to take your strategic goals and turn them into tactical goals. You can have board company policies and risk appetite statements, but if you have no idea how to take them from a written statement and make them exist in the real world, they are of no use other than to check a box on an assessment. This change in mindset on security spending must be organization-wide as well. Everyone from the top down needs to be committed to building the right environment, complete with contingency and recovery plans for the day that revenue-impacting event happens. Otherwise, things are only going to get worse.