Cybercrime in a recession: 10 things every CISO needs to know

The world likely faces tough financial times ahead and perhaps even a major global recession. As economies stall, how will cybercriminals react? Will they change targets, techniques, or priorities? Will more people, whether inside or beyond your organization, present a threat?

Experiences and insights from past recessions can help us prepare for what’s ahead.

Cybercrime flourishes in a recession

Cybercrime rose during the last recession in 2008. Regulatory Data Corp said it saw an average rise of 40% in cybercriminal activity for the two years following the recession’s 2009 peak. The UK Government recorded internet-enabled card-not-present fraud (transactions conducted over the internet) to the banks/payment card industry fell during the recovery period following the global crash, falling to £135 million in 2010 from a peak of £181 million in 2008.

In 2009, Reuters reported that internet fraud in the US rose 33% in 2008, while McAfee’s Virtual Criminology Report from that period suggest there was a large surge in malware, bots and Trojans around 2008 compared to the year before. While that trend hasn’t abated since, the change in the digital landscape presents greater opportunity for attackers.

A recent study from Portsmouth University suggests the 1980, 1990 and 2008 recessions all saw at least 5% rises in fraud. In those recessions, the UK’s GDP dropped by single digits. With the UK Treasury predicting a potential 12% drop in GDP due to COVID-19, Portsmouth researchers are suggesting it’s possible that the UK could see up to a 35% rise in fraud attempts, primarily conducted online. 

Other data suggests that local recessions will drive up cybercrime locally. Data pulled by Recorded Future shows cybercrime in Brazil and Spain – two countries that have suffered local recessions since 2008 – saw large spikes in cybercrime activity during difficult financial times.

“At the height of the Brazilian recession there was a huge uptick in cybercrime,” says Allan Liska, senior threat intelligence analyst at Recorded Future. “Then same thing in Spain. Those are much more recent examples of when there really was an organized underground, and you can see that during a recession there’s definitely a noted uptick in in cyber-criminal activity.”

The recession of 2008 occurred in a very different technology landscape. Things like cloud services and smartphones were still in their nascent phase, while the selling of cybercrime tools and services on the dark web had yet to be commoditized. Because of this, Forrester VP and Principal Analyst Jeff Pollard says it’s hard to make predictions based on the 2008 recession. “In 2020, however, we are much more dependent on technology than even a decade ago, so I’d expect to see cybercrime increase,” he says.

Beyond the potential increase in cybercrime, none of the experts CSO spoke with thought the attackers’ targets, priorities or TTPs (tactics, techniques and procedures) would likely change dramatically during a future recession. They noted that the remote working at scale introduced during the pandemic might increase risk due to reduced effectiveness in some controls and monitoring.

Phishing will remain a key factor

Attackers are not developing new techniques or changing tactics around phishing. They are simply re-skinning their existing capabilities with the new related themes.

“When you have the chaos and panic, when you have people uncertain as to what tomorrow is going to bring,” says Deb Golden, principal and US Cyber Risk Services leader for Deloitte’s Risk & Financial Advisory, “we do certainly see an increase in fraud, largely associated with phishing attempts and social engineering campaigns.”

In the same way that COVID-19-related lures have skyrocketed during the course of the pandemic, we are beginning to see financial related lures emerging. “We have seen a spike over the last two weeks of thousands of domains being registered with words like ‘stimulus,’ ‘relief,’ ‘refund’ and ‘rebate’ in them” adds Recorded Future’s Liska. “We’ve seen that rapid change [from COVID19-related emails] to, ‘Here’s how you get your check from the government,’ or, ‘Here’s how you get a relief loan,’ or, ‘Here’s how you get this additional funding’.”

Organizations can expect further phishing lures purporting to be from the likes of the Small Business Administration in the US and similar government bodies in other countries, Liska adds. Reports of payroll scams around the UK’s furlough relief fund claiming to be from Her Majesty’s Revenue and Customs (HMRC) quickly emerged after the fund’s launch, while similar schemes around the IRS and stimulus checks in the US followed.

Business email compromise will continue to grow

Liska predicts that ransomware will continue to be a popular method of attack because it makes money. He expects business email compromise (BEC) to also be popular. “There are so many records for sale on underground markets that you can easily find your way into a business. You only need 10% of those passwords to still be working to have a successful operation.”

As well as exploiting access themselves, Liska warns that attackers might sell that access to third parties who might be better placed to make money through fraud or ransomware. “Attackers flow like water and follow the path of least resistance,” says Forrester’s Pollard. “Attackers, like enterprises, will have to adapt to different monetization models due to the changes from the pandemic. Financial conditions aren’t what they were six months ago, which decreases the likelihood of ransom payments, and things like cryptomining could increase.”

Off-the-shelf hacking tools will get cheaper

Never very expensive to begin with, ready-made hacking tools might become even cheaper and more accessible. Recorded Future claims that cybercriminals, especially the lower-tier threat actors, are already offering steep discounts on their services as certain types of exploit kits become less rewarding during lockdowns. “Cybercriminals are experiencing the same thing that we’re experiencing in the real world and seeing a drop,” says Liska. “We’ve seen people offering deep discounts, especially point of sale because so many retail organizations are closed.”

Liska says that exploit kits designed to hijack payments are especially affected as people are buying less. In the face of a recession, those prices might drop even lower to draw in more buyers.

More people will use hacking tools

Predictions for permanent job losses are estimated to be in the millions. A new report from the Global Initiative Against Transnational Organized Crime warns that in the face of a recession that young people, especially those with any IT skills, may turn to cybercrime, as has previously been the case in countries such as Nigeria and Honduras. “High unemployment rates among young people in the developing world and limited job opportunities in the legitimate IT sector create push factors for ‘deviant globalization’,” warned the report.

Insider threats increase

One trend from earlier recessions that remains today is the issue of insider threats. A 2009 PwC study showed that a large portion companies at that time were either worried about or had suffered from fraud committed by insiders due to fears over job losses, reduced pay or targets being harder to achieve due to a difficult financial landscape. “Layoffs and furloughs always lead to a bigger concern around insider threat,” says Liska. “Going all the way back to the .com bust in 2000, we’ve seen it in the past that insider threat activity increased dramatically during those rounds of layoffs.”

Forrester’s Pollard adds that due to large-scale working from home, behavioral analysis of employees isn’t as easy as it was previously. Routines are different and more liable to fluctuate compared to traditional office behavior. “Firms need to adopt zero-trust policies to limit the information employees have access to, make sure they have analytic tools that reflect the environment employees now work in, and receive advanced notice of job actions so that they can monitor and prevent insider threat activity,” he says.

To prepare for potential insider threats, Deloitte’s Golden recommends that CISOs work closely with HR and finance to make any significant changes. Whether they be layoffs, pay cuts or just decreased benefits, understanding timelines helps CISOs be more proactive. “Having that integration [with other departments] and advanced notice means you can monitor proactively that group for a week before and a week after just to be able to monitor employees for strange activity,” she says.

If a company does not have a comprehensive insider threat program in place, Golden recommends using whatever threat intelligence monitoring you have and redirecting it to look for unusual behavior among staff. 

APT groups will be more active

Whether it’s using cryptomining to make money during sanctions or stealing IP to give domestic industries an innovation boost and get ahead of rivals, nation state-affiliated advanced persistent threat (APT) groups will likely be instructed by governments to make themselves useful.

“There will absolutely be more of an increase in that nation state activity, especially as countries fall into deeper recessions,” says Liska, “whether that’s traditional espionage to find out what your rivals are planning, or corporate espionage to try and give your local companies have boost over foreign competition.”

Forrester’s Pollard agrees, noting that the current long turmoil gives attackers a route in that can be fully exploited at a future date. “As companies are forced to downsize, shift priorities, and expand their environments to accommodate far more remote access than before, that makes it easier for threat groups to obtain a foothold in the environment.”

Vendor risk goes up during a recession

Your third-party risk will go up as vendors, particularly startups, go out of business. This can lead to potential issues around access to data and services, unsupported tools or applications, or leftover access that could be exploited in the future. “What I worry about are the smaller companies that heavily rely on outsourced companies,” says Liska. “For a smaller company that could mean going out of business if something happens to the startup that you’re dependent on for some or all of your services.”

Deloitte’s Golden recommends identifying the key vendors in your supply chain and asking difficult questions around liquidity. It is important to find the weak spots in your ecosystem and understand how quickly you will be able to spin up replacements.

Security budgets might be cut

Budgets rarely go up during recessions, although cybersecurity might be spared the worst of it. A pre-COVID19 study by Grant Thornton suggested cybersecurity budgets would be safe during a recession, and recent CFO polling by PwC suggests that IT and digital transformation are likely to be on the chopping block before security.

“It’s really broad, but the basics are what keep you most protected,” says Liska. “Good asset management, good asset inventory, good vulnerability scanning, and have some way of delivering compensating controls for things that you can’t patch or you can’t fix. If you don’t cover the basics, then everything else you do is flawed as you go from the ground up.”

Deloitte’s Golden recommends CISOs spend time understanding the key data, assets, and processes that need protecting. “What is your risk posture? Everything cannot be treated the same, so understanding those things that are most critical to protect is going to continue to be very important,” she says.

CISOs need to be leaders

Morale might be low during tough times, and that’s an opportunity for CISOs to show leadership. “We are seeing a number of CISOs take a moment to step back and put out a little bit more communication,” she says. “Some of it is just reassuring and things that most people already know but lapses during urgency: simple calming educational awareness emails around going back to educating on the basics, don’t write your passwords down, don’t reuse common passwords, leverage good cyber hygiene, etc.”

Both Liska and Pollard recommend that CISOs remember their empathy in difficult times to help get their immediate staff through, especially in the face of cuts. “If you do have reduced staff, make sure you’re taking care of them and making sure they’re getting the proper time off and time away from the organization,” explains Liska. “Make sure you’re not overworking your staff and that you’re giving them proper time off, proper time away from keyboard even if they don’t necessarily want it. I know a lot of the younger people that I work with would rather work 24/7, but you need that mental break.”

“There is no definitive end in sight the way there is with other big disasters or economic events,” says Pollard. “That’s going to require endurance to keep your team motivated and focused. And it’s going to take empathy for your employees and their families and loved ones, your firm’s customers, and the other senior leaders you work with.”