In 2023, layoffs, hiring freezes, and tightening budgets are top-of-mind for many employers.
2022 was a difficult year for the world economy; and, in 2023, the aftershocks keep coming.
It might feel like there’s news of another company laying off a significant part of its workforce every week, and that feeling isn’t too far off from what’s projected. Over 60% of business leaders surveyed by ResumeBuilder say they are likely to have layoffs in 2023, with 57% of these respondents estimating that they will need to lay off 30% or more of their workforce.
Recession fears are still very much in play, and companies are doing what they can to weather the storm. Even if organizations aren’t laying off employees, they are freezing hiring - 70% of the respondents said they are likely to halt hiring in 2023.
Corporate budgets are tightening, which makes expanding departments and increasing resources difficult. In fact, the opposite is happening in some cases. Salaries, bonuses, and gifts are also on the potential chopping block for about one-third of companies, with 34% planning to reduce or get rid of bonuses or holiday gifts, and 27% reducing salaries. With 64% of employees saying they want to see significant increases in their salary and benefits in their next job, pulling benefits could hurt both retention and recruitment efforts.
How does economic uncertainty affect cybersecurity departments?
When organizations are trying to pinch every penny, it can be hard to fund cybersecurity initiatives. Adding to the tech stack, building internal skills, or using the current time and resources to stay up-to-date on the ever-evolving threat landscape can all be pieces that take a backseat in favor of keeping daily operations rolling.
Add to the picture that more fervent attackers come out in times of recession and economic turmoil, and IT leaders can feel like they’re playing a constant game of catch-up working to properly secure their environment. However, all is not lost. Let’s understand the impacts of this downturn on cyber security and what can be done.
Recessions do result in increased attacks
Past recessions have increased financial-related criminal activity
Criminals recognize moments of vulnerability as key times to strike. We didn’t see that just with the pandemic, but also in the 2008 recession which created an incentive for criminals to develop novel threats. The FBI reported a 22.3% increase in reports of online crime between 2008 and 2009, and it didn’t stop there. For two years after the 2009 peak of the recession, cybercriminal activity increased by 40%.
Across the board, financial-related crime increases in periods of economic downturn. We saw this trend in action with violent crime reaching a 40-year low in 2010 juxtaposed against shoplifting and high-value theft increasing during the same period.
Budget cuts and reduced IT spending also increase the risks of cybercrime
If an organization hasn’t fallen victim to cybercrime, it’s easy to believe that spending money on preventative or other proactive measures might be overkill. Small businesses may think they won’t be a target; so why spend the extra money when cutting budgets is on the agenda?
But making a choice to scrimp on cybersecurity shouldn’t be done lightly. Cutting budgets and reducing IT spending can increase the risk of getting compromised. Attackers know defenses are down and will be happy to take full advantage.
Businesses with fewer than 1,000 employees are just as much at risk as larger organizations, experiencing almost half (46%) of all cyber breaches and the vast majority (82%) of ransomware attacks in 2021. These attacks can cause irreversible damage, leading 60% of small businesses to close their doors within 6 months. Leaving your business less secure can lead to larger financial consequences than keeping your budget intact, or even increasing it in the face of a possible recession, it can take you out of business!
Insider threats are a bigger risk when massive layoffs are present
The list of major layoffs is long and growing, with General Motors and Eventbrite leading the charge in March 2023, joining Twitter, Amazon, Google, 3M, Microsoft, PayPal, Zoom, and many other companies reporting layoffs since the end of 2022. When employees feel betrayed, insider threats become a bigger risk. DTEX Systems’ 2022 Insider Risk Report found that 56% of organizations experienced insider data theft after employees left or joined other companies.
IT leaders will be expected to show the value/ROI of their department
While faced with impending budget cuts and layoffs, IT leaders will feel the pressure to show the value of their departments and the return on investment their work brings to the company. All spending and budgets will be scrutinized, including the cost of managing teams, technology, subscriptions, and SaaS apps used. IT departments that can’t demonstrate the value of all elements may have to cut necessary items from their budget.
IT teams may also be asked to push off certain upgrades or onboarding clients to save on money and resources, keeping the department from progressing or opening the door to vulnerabilities.
Even though it can be frustrating to explain the value of certain IT pieces to those not as close to the work, it can also be an opportunity for you, as a leader, to reframe or rework your entire cybersecurity approach and propose a lean strategy that can maximize efforts while being run by a smaller department.
In essence, your business needs to understand the change in risk and not ignore it
Ignoring something doesn’t make it go away. As we’ve outlined above, the following factors will elevate the risk of a potential exposure or attack:
- Recessions lead to an increase in financial-related crime, both online and offline.
- Companies that cut resources will be less protected amidst rising financial crime.
- When rates of cybercrime go up, organizations that don’t have something in place to detect and respond to threats will be at the greatest risk.
To prepare your business for anything the economy brings, you should be prepared with cyber insurance, incident response, technology, and tools that keep you proactive in case of an attack.
Tips for an effective cybersecurity strategy
Communicate “spend” as an investment
Reframing spending can make a big difference. Instead of discussing a cybersecurity strategy in terms of additional costs, position it as an investment. Data breaches are costly. In fact, 83% of companies experience data breaches, some more than once, and the average cost to a company in the United States is $9.44 million. By reducing the risk of an attack or elevating the speed of recovery, companies can see an ROI on their spending.
Say you decide to wait and spend the money later. Delaying implementation of cybersecurity measures can lead to increased outlays down the road. If you experience an attack when you’re not covered, you’ll have to incur costs to get things back to normal. This can also lead to higher cyber insurance premiums when you decide to improve your cybersecurity posture. The sooner you start beefing up your security, the more cost-effective it will be.
Focus on amplifying your current team
You may not be in the market to bring on anyone new; so, instead of thinking about expansion, focus on making the most of the team you have. When exploring new technology and vendors to use for improving cybersecurity, find ways you can amplify your team’s current efforts or automate their tasks. This also includes keeping it simple - you don’t want to add too many tools that will result in alert fatigue or cost a lot of extra time with vendor and tool management.
Managed security service providers (MSSPs) are designed to serve as cost-effective outsourced cybersecurity teams for companies looking to improve their cybersecurity posture without expanding their internal teams. A general trend during recessions is to outsource instead of hire to reduce costs. During the 2008 recession, median spending on outsourcing increased from 3.8% of total spending in 2008 to 6.1% in 2009, and rose again to 7.1% in 2010.
MSSPs provide detection and response services, and some even bring their own technology stack that can help centralize your cybersecurity department. For companies that don’t want to compromise on cybersecurity, MSSPs can serve as a great alternative.
SolCyber offers a managed security program, delivered as a service designed for IT departments who don’t have the resources or budget for big cybersecurity departments. Our goal is to simplify cybersecurity and get you up and running quickly, ensuring full protection within 30 days so you can get back to business. SolCyber’s simple and easy-to-understand billing facilitates quick approvals while ensuring that forecasting spend for the future can be done easily. We also offer partnerships with cyber insurance companies and incident response (IR) providers for comprehensive cyber resilience.
To learn more about our fiscally-friendly services, talk to us today.