When the Going Gets Tough, Cybercrime Gets Going
March 30, 2020 • RBS
The ongoing “Coronavirus” (COVID-19) pandemic has had a profound impact on the world economy in a short time, especially within the United States where unemployment has risen sharply. While much is still unknown, many analysts are predicting that the market decline will continue before we see any kind of meaningful or sustained recovery.
In the United States, a major part of the economic damage already done has been from COVID-19’s impact due to “social distancing” and “shelter in place” mandates. The unemployment rate has risen significantly, from 211,000 to 3.3 million, surpassing the initial projections of 2 million. By some forecasts “as many as 5 million jobs could be lost in April 2020 alone” and the worst case could send the unemployment rate soaring from 3.5% to north of 10%.
Even though Congress and The White House just pushed out a stimulus package, many economists seem to agree that we are currently on track, or already experiencing, the next recession, with some even believing that it could become a depression.
“We are going into a global recession. We are going to see a spread of economic sudden stops.”Mohamed El-Erian, Allianz Chief Economic Advisor
While not everyone agrees on the exact impact, or how long it will last, there are clearly substantial concerns about just how quickly the economy will be able to recover once COVID-19 is under control.
Cybercrime Increases During a Recession
The past has shown a correlation between recession and cybercrime during and before the 2008 – 2009 Great Recession. News publications reported that fraud on the Internet increased by 33% during the last recession, with the broken economy and increased digitization making data more vulnerable than ever.
This is more than just an opinion, backed up with a few links. In conducting our research on this topic we uncovered a substantial amount of information that provides some very compelling insights. Here are just some of the key points and references:
U.S. recession fuels crime rise, police chiefs say, Reuters, January 2009.
“Crime has increased during every recession since the late 1950s, sociologists said.”
“There has long been debate over the connection between crime and the economy, but criminologists, sociologists and police chiefs interviewed by Reuters in October predicted a rise in crimes as the United States sinks deeper into recession.”Ross Colvin
Economic recession to spur ‘dramatic increase’ in cybercrime, TechTarget, February 2009.
“Bad times always bring a rise in crime. But this economic recession is setting us up for a wave of cybercrime. The broken economy, combined with increased digitization as retail and operations move online and ever-more sophisticated hackers, means more data is more vulnerable than ever. That was the warning from former federal prosecutor and securities fraud attorney Orin Snyder, speaking at a data security panel at yesterday’s LegalTech conference in New York.”Linda Tucci
Report says online crime surging in recession, Reuters, March 2009.
“Fraud on the internet reported to U.S. authorities increased by 33 percent last year, rising for the first time in three years, and is surging this year as the recession deepens, federal authorities said on Monday.”Jason Szep
Recession ‘adds to boom in cybercrime’, Telegraph, August 2009.
“The recession is adding to a boom in cybercrime as computer-literate criminals in poorer countries turn their hand to electronic scams, British researchers said.”
“Criminals there can take advantage of cybercrime opportunities, and the current global recession will likely increase this trend still further,” said Prof Rush.”The Telegraph
How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession, BlackHat 2009 Turbo Talk Whitepaper.
“We asked the question: Will cyber crime increase in a time of global economic recession? One study by KPMG found that many enterprises believed that the recession put their business at greater risk from out-of-work IT workers tempted to join the criminal underground to make ends meet (Kirk 2009).”
“Economic theory predicts that the global recession will probably increase the amount of cyber crime as the recession deepens. This could result from a variety of causes an increase in attacks on more vulnerable and desperate people from those with cyber skills joining the cyber criminal ranks for needed income; and a decreased focus on and investment in computer security as a result of fewer resources.”Peter Guerra
The same factors and trends from the 2009 timeframe are even more present now in 2020: global economic distress, increased widespread digitization, and an increase of potentially exposed confidential data. Sadly, even though a vast majority of industries are struggling in today’s economy, it isn’t a new concept that cybercrime itself is recession-proof.
The Perfect Conditions for Cyberattacks
Whether we are in, or heading for, a recession doesn’t matter. Economic hardship historically guarantees that organizations will face increased cyberattacks.
In happier times, just a few short months ago, we wrote that PSIRT and other security teams are often caught in a Catch-22 situation, wherein a successful job creates the perception that there is less need for a security team.
As such, IT jobs not considered critical (perhaps even some security programs) are often the first to be reviewed to be cut during times of economic hardship in order to save money.
The cycle is as follows:
- Economic hardship prompts organizations to reduce or even cut “non-essential” programs and personnel to save money;
- Organization hasn’t experienced a data breach or unauthorized compromise (the result of an effective security team), so IT and security teams are deemed non-essential and are downsized;
- Malicious attackers who were previously foiled now have increased opportunities to infiltrate systems due to a lack of staffing and focus;
- Organization suffers an expensive or embarrassing data breach and reflexively hires additional security personnel.
As financial pressures continue to mount, and unemployment numbers increase, organizations will need to work hard to ensure that necessary IT and cybersecurity personnel are not among them, and that the proper resources are allocated to their security intelligence programs. This is especially true during a time like this.
As more organizations are forced to temporarily shutter their brick-and-mortar operations, more people are shifting their work and purchasing online, putting substantial strain on the Internet. Security is not and should not be viewed as an unnecessary expense.
In today’s business world, security is a required cost of doing business at minimum to meet customer’s privacy expectations and meet regulatory requirements. Cutting security budgets increases organizational risk in ways that might not seem readily apparent, and doing so may have a long-lasting impact.
The Unseen Dangers
Many organizations have been forced to rapidly turn to Virtual Private Networks (VPNs) as they implement work from home policies to help slow the spread of COVID-19. However, doing so gives malicious attackers more opportunities to compromise systems.
While remote working isn’t new, endpoints for many organizations have shifted dramatically, with much of the workforce moving to unmonitored personal systems, giving attackers a new vector to gain a foothold. Security Monitoring in this kind of decentralized environment was already considered daunting and had caused issues for those that had been working for years to solve the problems. So organizations newly having to deal with these challenges, while also potentially implementing widespread cyber security cuts, will not be able to effectively understand or remediate their vulnerabilities and may not have full visibility into machines being used for corporate functions.
Attackers thrive off of heightened emotions and targets of opportunity, so employees now coping with school closings and other unplanned events are more likely to be distracted. Even with the best intentions, less attention will be given to phone calls, instant messages, and emails. That suspicious link may be even more likely to get clicked on, and that abnormal system behavior may be missed while dealing with family issues, or pets and kids running around the house. As such, the number of COVID-19 related phishing attacks has been growing, and this is just the start.
VPNs (And Security Solutions) Themselves May be Vulnerable
In the midst of this pandemic, we are starting to see technology vendors and even security companies offering complementary use of their products. However, organizations need to fully assess vendor security, and ensure they fully review new products while not taking shortcuts on established policies, especially in times of increased exposure. Like VPNs, every other type of application also has vulnerabilities, and you need your security team to perform proper vetting.
Another Upcoming Storm
Aside from COVID-19, there is another urgent event coming which requires an intact and fully functioning IT and cyber security program: the Vulnerability Fujiwhara Effect. Whether you are working in IT or not, you’re probably familiar with Microsoft’s Patch Tuesday, and several other major vendors have adopted that same cadence for their own vulnerability disclosures.
We mentioned at the start of this year that there are three such perfect storms (Microsoft and Oracle) coming in 2020. Our VulnDB team published 325 new vulnerability reports to our customers and updated over 300 entries in the last storm that occurred on January 14th. The same event will occur again on April 14th and July 14th, smack dab in the middle of this pandemic.
If IT and security programs are cut in response to COVID-19 as some organizations desperately try to reduce expenses, they will have tremendous difficulty managing the risks affecting their critical assets. Even well-staffed teams take weeks handling Patch Tuesday on a good release cycle, so a neutered security team may not be able to handle it at all.
Better Data Is More Important Than Ever
Security is not an unnecessary expense, and while the exact cost of security incidents is the cause of some debate, there’s no doubt that cutting security budgets could inflict a terrible impact on the entire organization’s bottom line, especially if a data breach occurs. Informed decisions are more vital than ever, and you can only make proper decisions if you have the proper intelligence.
Organizations need to do their best in these trying times to ensure that security budgets remain funded and that IT personnel have the resources they need to properly mitigate risks. There are increased threats and nonstop vulnerabilities being disclosed, so when there are reduced IT resources, it requires a laser focus to ensure the time and money is spent addressing, analyzing and fixing the most important issues for the most important assets. The corporate landscape is currently primed for cyberattack and organizations need to prepare accordingly.
Just remember, when the going gets tough, cybercrime gets going.
On March 31st, we will be hosting a webinar to help risk management professionals prepare for what lies ahead in this strange new world we find ourselves in. No nonsense, no product demo, we want this to be relevant and useful to the cyber security community at this difficult time.