When discussing information security trends in the event of a recession, the problem is that we are heading into uncharted waters. The number of annual data breaches has been constantly rising since 2005. We are also seeing an increase in the number of data breaches following the housing market crash of 2008, which is what we would expect, as cyber-criminals never let a crisis go to waste.
Given the increase in both frequency and severity of data breaches over the last decade, nobody really knows how this recession will pan out, or how security experts will respond. On one hand, the amount of money businesses spend on cyber-security has increased over the last ten years, and the technologies that we use to protect our systems and data have become significantly more advanced.
On the other hand, COVID-19 has resulted in a significant increase in the number of people working from home, which we were simply not prepared for. So, this article is really more speculation than a statistical analysis of how businesses manage their information security programs during a recession.
Below are some of the trends we will likely see, as we head further into 2020.
Prioritizing Based on Risks and Rewards
In times of recession, businesses are forced to review all spending, and prioritize based on risks and rewards. When you have limited resources, tough calls need to be made. Until fairly recently, company executives had a tendency to overlook the importance of data security.
As data breaches became more widely publicized, and more stringent data protection laws were introduced, budgets started to rise. This is great, but given that the global average cost of a data breach stands at $3.92 million ($8.19 million in the US), the chances are, businesses are still not spending enough to cover their backs.
Regardless, we will likely see cuts to security budgets, which may actually incur costs in the long term.
Streamlining Off-Boarding Processes
Businesses will need to carefully consider the implications of downsizing the IT security department, and will need to pay close attention to their off-boarding strategy. Let’s face it, firing IT security personnel is risky. They most likely have the “keys to the kingdom” and were they to leave with a bad taste in their mouth, they could cause some serious disruption.
Businesses will need to closely monitor inactive user accounts, as an ex-employee may take advantage of these accounts to access sensitive data, after they have left the company. Fortunately, there are solutions available that can automatically detect and manage inactive user accounts.
While not necessarily an act of malice, some employees may decide to walk away with intellectual property, or a list of business contacts, if they think they might be useful in a different job.
Again, the off-boarding process must include monitoring, or even restricting, the relevant user accounts, ideally before the employees concerned have been informed of their dismissal.
Creating a Culture of Security
Naturally, when belts are tightened, IT security teams will be expected to do more with less. Security teams will start to focus more on developing a culture of security, ensuring that all staff members throughout the organization are aware of their responsibilities, when it comes to keeping sensitive data secure.
They will need to focus their attention on improving policies and procedures, ensuring that they have an acceptable use policy and an Incident Response Plan (IRP) in place. All policies and procedures must be clearly documented, and all employees must know where to find the documentation and be trained accordingly.
Keeping Remote Workers Secure
Regardless of COVID-19, or the economic downturn that will follow, increasingly more organizations have been allowing their employees to work remotely. Recent events have simply accelerated the transition. The problem, as mentioned already, is that few (if any) companies were really prepared for it.
While there are many benefits of allowing employees to work from home, it’s a trend that comes with a number of security risks. Businesses simply don’t have the visibility and control they need to ensure that employees are adhering to company policies.
Most employees are either too complacent or not tech-savvy enough to know when they are putting sensitive data at risk. They may not have anti-virus software installed on their device, and they may have a misconfigured firewall.
They may visit malicious websites or download applications with security vulnerabilities. They may choose to work from public Wi-Fi hotspots, and their device may get lost, stolen or damaged. And it’s unlikely that they bothered to back up their work.
In addition to establishing acceptable use policies and incident response plans, businesses must ensure that they have the right tools and technologies in place to give them the visibility and control they need. They will need tools to be able to detect and manage the devices that are connecting to their network.
All employees should access the company network using a Virtual Private Network (VPN). Businesses will need to utilize Mobile Device Management (MDM) software, data discovery and classification software, Multi-Factor Authentication (MFA), User Behaviour Analytics (UBA), and so on.
Naturally, businesses must also use the latest encryption tools, to ensure that all sensitive data is encrypted, both at rest and in transit.
A Greater Focus on Standardization and Automation
We are likely to see security teams focus more on standardization and automation. Developing standardized, repeatable processes, and using automation to carry out those processes, will allow security teams to focus on the tasks that require human intervention, thus greatly improving operational efficiency.
To start with, organizations should standardize processes that deal with penetration testing, incident response, on-boarding/off-boarding, and so on. They should also ensure that their Privileged Access Management (PAM) system is harmonized across the entire organization, to ensure that security teams are able to monitor access controls via a single dashboard.
If they rely on cloud services, they will need to aggregate the PAM event logs from each service provider via an API. These days, most sophisticated DCAP (Data-Centric Audit & Protection) solutions provide support for most popular cloud service providers.
Organizations should use automation to carry out vulnerability scanning and reporting. Security configurations should be automated, based on pre-defined rules that are specific to each resource.
Automation can also be used to detect and respond to suspicious file and folder activity, including privileged mailbox access. It can be used to detect and respond to events that match a pre-defined threshold condition, such as multiple failed logon attempts, or bulk file encryption.
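The threshold conditions described above can be expressed as a sliding-window count per user and event type. The following is an added example, not code from any product mentioned in this article; the event names, thresholds and sample events are constructed assumptions, and a burst of file modifications is used as a stand-in signal for bulk file encryption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (ISO timestamp, user, event type).
SAMPLE_EVENTS = [
    ("2020-05-04T09:00:00", "alice", "logon_failed"),
    ("2020-05-04T09:00:20", "alice", "logon_failed"),
    ("2020-05-04T09:00:45", "alice", "logon_failed"),
    ("2020-05-04T09:00:00", "bob", "logon_failed"),
    ("2020-05-04T09:20:00", "bob", "logon_failed"),
    ("2020-05-04T09:40:00", "bob", "logon_failed"),
    ("2020-05-04T09:59:00", "carol", "logon_ok"),
    ("2020-05-04T10:00:01", "carol", "file_modified"),
    ("2020-05-04T10:00:02", "carol", "file_modified"),
    ("2020-05-04T10:00:03", "carol", "file_modified"),
    ("2020-05-04T10:00:04", "carol", "file_modified"),
]

# Hypothetical rules: event type -> (count that triggers an alert, time window).
RULES = {
    "logon_failed": (3, timedelta(minutes=5)),
    "file_modified": (4, timedelta(minutes=1)),
}

def detect(events, rules):
    """Return (user, event type, timestamp) for each burst that reaches its threshold."""
    windows = defaultdict(deque)  # (user, event type) -> recent timestamps
    alerts = []
    for ts, user, etype in sorted(events):  # ISO timestamps sort chronologically
        if etype not in rules:
            continue
        threshold, span = rules[etype]
        now = datetime.fromisoformat(ts)
        recent = windows[(user, etype)]
        recent.append(now)
        # Drop events that have fallen out of the window.
        while now - recent[0] > span:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((user, etype, ts))
            recent.clear()  # one alert per burst, not one per extra event
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, RULES):
        print("ALERT", *alert)
```

Bob's three failures are spread over 40 minutes and raise nothing, which is the point of counting within a window rather than in total.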
Automation can be used for password expiration management, to detect and manage inactive user accounts, and to generate reports, in order to satisfy the applicable compliance requirements.
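The inactive-account check mentioned here and in the off-boarding section can be automated by comparing a directory export against the HR leavers list. This is an added example, not code from the article or from any specific product; the account records, the leavers list and the 90-day idle limit are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed directory export: account -> (enabled, last logon date, privileged).
ACCOUNTS = {
    "alice": (True, date(2020, 5, 1), False),
    "bob": (True, date(2020, 1, 10), False),     # dormant for months
    "carol": (True, date(2020, 4, 30), True),    # has left, account still enabled
    "dave": (False, date(2019, 11, 2), False),   # has left, already disabled
    "svc-backup": (True, None, True),            # enabled but never logged on
}

# Constructed HR off-boarding list.
LEAVERS = {"carol", "dave"}

def review_accounts(accounts, leavers, today, max_idle_days=90):
    """Return (account, reason, priority) for enabled accounts that need action."""
    findings = []
    for name, (enabled, last_logon, privileged) in accounts.items():
        if not enabled:
            continue  # disabled accounts cannot be used to log on
        if name in leavers:
            reason = "leaver still enabled"
        elif last_logon is None:
            reason = "never used"
        elif today - last_logon > timedelta(days=max_idle_days):
            reason = "inactive"
        else:
            continue
        findings.append((name, reason, "high" if privileged else "normal"))
    # Privileged accounts first, then alphabetical, so the report leads with
    # the accounts that hold the most access.
    findings.sort(key=lambda f: (f[2] != "high", f[0]))
    return findings

if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, LEAVERS, today=date(2020, 5, 15)):
        print(*finding, sep=" | ")
```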