Recession Proof Your Business in Five Steps: Cybersecurity Edition

With the rapid growth of inflation forcing consumers to cut costs, America is sinking into a recession. As a result, businesses are facing predictions of limited growth and uncertain financial gains. While typical recession measures lead to hiring freezes and layoffs or terminations, the post-pandemic economy and workforce are anything but typical. Existing staffing shortages and talent gaps will likely force businesses in many industries to seek other ways to cut costs. This means companies will seek new ways to effectively do business while limiting spending and cutting some costs altogether. 

Although individuals and businesses in many industries are feeling the pinch of an impending recession, cybercrime continues to grow. Not surprisingly, it's common for financial crimes to increase during economic downturns. However, it's easy to overlook the fact that most cybercrimes are financially motivated. Cybercrime rose 40% on average during the last recession in 2008. Internet fraud rose by 33% and a large surge in malware occurred within the same time frame. Even as the economy recovered, cybercrime rates failed to abate. As economic indicators point to the likelihood of a recession in 2022, the cybersecurity industry is already reeling from increased cybercrime growth related to technological growth in business, remote and IoT device use, and the effects of the global pandemic. 

In an economic environment that would usually demand cost cuts to areas that aren't considered core services, the current cybersecurity landscape demands continual attention to avoid the catastrophic costs related to a successful cyberattack. Still, as businesses face an economic downturn, they need to save money without sacrificing efficiency. Luckily, there are ways for organizations to improve their cybersecurity posture without increasing costs. This guide addresses the most prominent challenges in the cybersecurity industry and provides tips to help you maximize security efforts for your organization, avoid the effects of the skills gap, and combat budget concerns during a recession.

Issue 1. Cybersecurity Talent Shortage

The struggle for IT and security teams to attract and retain enough cybersecurity talent has been growing for a decade or more. While the global shortage of workers in cybersecurity has eased for the second year in a row, there are still 2.72 million unfilled positions in the industry. In the US, the total employed cybersecurity workforce consists of a little over a million people. Yet, there are still nearly 600,000 vacant positions, a figure estimated to grow significantly through 2025.

The cybersecurity talent shortage leads to a highly competitive recruitment environment that leaves roles empty for long periods of time. On average, cybersecurity roles take 21% longer to fill than other IT positions. Nearly two-thirds of companies report their teams are understaffed, and one in five say it takes more than six months to find qualified cybersecurity candidates for open positions.

While some measures are being taken to remove entry-level barriers and cross-train existing employees within organizations, there is no immediate solution for the cybersecurity talent shortage. As organizations recognize the dangers of inadequate cybersecurity and business networks expand to include remote work and IoT devices, the demand for cybersecurity professionals continues to grow. Yet, the skillset required for even entry-level analysts takes significant education and training.

Improving recruitment efforts will be even more difficult during a recession as company leaders tighten budgets and limit hiring. As a result, retention in cybersecurity will become more important than ever before.

Tips to Retain Cybersecurity Professionals

While cybersecurity is a demanding and potentially stressful profession, it's also interesting and dynamic, making it a desirable field for many. Although burnout in the industry is a current concern, job satisfaction is still high among cybersecurity professionals with 77% of surveyed respondents reporting they are satisfied or extremely satisfied with their jobs. Still, in a competitive hiring environment, many companies struggle to prevent employees from leaving for other opportunities. In order to retain employees, organizations will need to create a favorable work environment and provide compensation beyond high wages. These tips can help organizations improve retention of cybersecurity professionals.

• Recognize the value of remote work opportunities. When surveyed, only 15% of the global cybersecurity had any desire to return to the office full time.
• Address the difficulties facing short-staffed teams. Staff shortages result in heavier workloads for remaining professionals. Invest in automation and managed services to increase cybersecurity headcount without affecting your internal team.
• Create opportunities for advancement. 47% of cybersecurity professionals report limited promotion and development opportunities as the reason for leaving their job. Showing professionals that there are opportunities for advancement in the future can make them more likely to stay. The answer can be as simple as charting individualized career paths for future growth.
• Build a culture of appreciation for cybersecurity. 80% of cybersecurity professionals experience pushback when enforcing an organization's cyber security policy and 91% felt pressure to compromise security for business continuity. By educating all employees about the vital importance of cybersecurity, you can help build appreciation. 

Issue 2. Cybersecurity Skills Gap

While you might be thinking the talent shortage and the skills gap in the cybersecurity industry are two different terms for describing the same problem, these issues are distinctly different in cybersecurity. The cyberthreat landscape and the tools, technology, and methods required to address modern threats are constantly changing. As a result, cybersecurity professionals need ongoing education to maintain effective knowledge in the industry. However, heavy workloads, pandemic restrictions, and limited learning and development opportunities prevent cybersecurity professionals from seeking the additional training they need. 

A 2020 study revealed that 70% of organizations say that fewer than half of their cybersecurity applicants are well qualified. As organizations turn to professionals transitioning from other career fields as an answer to the talent shortage, the need for updated training becomes even more critical. Threat actors are continually expanding their knowledge of new technology and the ways they can exploit vulnerabilities to compromise business networks. In order to keep up with evolving threats, cybersecurity professionals need to stay current in the industry with ongoing education.

Tips to Stay Current in the Industry

Creating a culture of learning within an organization is the best way to generate evolving knowledge of the current cybersecurity landscape. This can be achieved by providing ongoing education for all employees about cybersecurity awareness and creating ways for cybersecurity professionals to advance industry knowledge. These tips can help cybersecurity professionals find different ways to stay current in the industry.

• Listen to industry podcasts. These top cybersecurity podcasts contain a wealth of knowledge from industry experts and IT employers.
• Offer ongoing training opportunities within the organization. Creating a culture of cybersecurity includes company-wide employee training and providing opportunities for cybersecurity teams. You can help internal cybersecurity professionals stay current by providing opportunities to gain new certifications and promoting cross-training within your organization. By educating all network users about best practices for improved cybersecurity, you can avoid pushback and lighten the load placed on cybersecurity professionals.
• Join a networking group. InfoSec networking groups offer partnerships to provide ongoing education about everything from compliance challenges and combatting evolving cybersecurity threats to effectively communicating security needs to the board of directors. Networks can be made up of professional associations and groups, LinkedIn groups, and meetups.
• Subscribe to dedicated cybersecurity blogs. While podcasts offer short bites of essential information, cybersecurity blogs are great for examining in-depth information about current threats and the tools and strategies to protect against them.
• Invest in services from an off-site SOC. Managed cybersecurity services provided by an experienced cybersecurity vendor include services from professionals in an off-site security operations center (SOC). When this external team works as an extension of your internal team, professionals can gain ongoing knowledge of new tools and techniques to protect against evolving threats.

Issue 3. Burnout

Cybersecurity is a profession carried out in high-stress environments that require long hours and extensive demands. Yet, burnout hasn't always been prevalent in the industry, Technological growth, increasing threats, and pandemic restrictions have placed heavier workloads on cybersecurity professionals and elevated stress, leading to an epidemic of burnout.

Cybersecurity burnout is growing at dangerous rates. Among professionals currently working in the industry, 51% experienced extreme stress or burnout in 2021, and 65% considered leaving their job because of job stress. Only 33% would recommend such a career to others and the same number would also likely discourage people from entering the industry. These numbers are particularly alarming when you consider the costs of turnover at such rates. When large numbers of overstressed workers leave the sector, the remaining professionals face bigger burdens leading to more burnout and more turnover. 

Finding a solution for burnout during a recession will require a careful examination of the root causes. While the pandemic fueled the reasons for burnout, many cybersecurity stressors are here to stay. Security professionals are facing more threats than ever before, larger networks with more endpoints, remote and hybrid work environments, long hours, and unrealistic on-call requirements. Yet, with a critical talent shortage in the industry and tightening budgets, the answer to the cycle of burnout isn't likely to be improved recruitment practices. 

Tips for Avoiding Burnout in Cybersecurity 

For many organizations, increasing cybersecurity headcount during a recession is simply an impossibility. Budget cuts combined with the competitive recruiting environment makes even retaining cybersecurity professionals a challenge. To avoid burnout and the turnover that will eventually follow, it's essential to take steps to eliminate specific burnout contributors. These tips can help overworked teams avoid burnout.

• Implement security automation. It's no secret that humans are a necessary component of effective cybersecurity. However, without security automation, you are wasting your team's vital skills. Implementing AI-enabled software makes cybersecurity faster, more scalable, less costly, more consistent, and less subject to human error. Automated data collection and alert prioritization with SIEM and automated orchestration and response with SOAR relieve cybersecurity professionals of redundant tasks. Security automation addresses alert fatigue and frees up valuable time for cybersecurity professionals to participate in high-value tasks, eliminating some of the major causes of cybersecurity burnout.
• Invest in outsourced solutions. Managed security solutions provided by experienced cybersecurity vendors provide valuable tools along with the support of an off-site SOC. As a result, organizations can choose the tasks they want to outsource and the level of assistance they need. Outsourced solutions can work in tandem with your existing cybersecurity efforts. Some of the most common offerings include managed or co-managed SIEM, managed SOC, and MDR. Outsourced solutions allow you to increase your cybersecurity headcount without affecting your internal team, and provide 24/7 network monitoring and incident response. As a result, overworked professionals are relieved of some cybersecurity burdens.
• Adopt a zero trust security model. Zero trust security requires every user and device to be validated before accessing an organizational network. Adopting such a policy requires specific infrastructure to allow continuous system monitoring and employee training to ensure all users understand best practices. Zero trust security improves regulatory compliance and eliminates vulnerabilities that can occur with credential theft or other internal attacks. More secure networks decrease the stress related to a system that is always vulnerable to attack.

Issue 4. Emerging Threats

The cyberthreat landscape is growing. Attacks are increasing in number, sophistication, and expense. 

Consider these statistics about the current state of the cyberthreat landscape

• Only 50% of US businesses have a cybersecurity plan in place.
• 30% of cybersecurity leaders say their budgets aren't sufficient to ensure proper cybersecurity.
• 44% of security experts say their growing use of partners and suppliers exposes them to significant security risks.
• 25% of security executives said the convergence of digital and physical systems like IoT devices increases security risks.
• 32% of businesses haven't changed their cybersecurity plan since the pandemic forced remote and hybrid operations.
• Cybercrime cost US businesses more than $6.9 billion in 2021, and only 43% of businesses feel financially prepared to face a cyberattack in 2022.
• Software supply chain attacks hit three out of five companies in 2021, and 82% of CIOs believe their software supply chains are vulnerable.
• Businesses suffered 50% more attack attempts per week in 2021 as compared to 2020.
• The education sector sustained the most attacks in 2021.
• $43 billion has been lost through business email compromise (BEC) attacks since 2016. There has been a 65% increase recorded in identified global losses between July 2019 and December 2021.

Organizations across all sectors are ill-prepared to face sophisticated threats launched by organized criminal groups with substantial funding. Cybercrime is an organized business that promotes the sale of tools and methods to conduct successful attacks. Yet, a recession means that businesses will have less funding to support increased cybersecurity efforts.

Tips for Addressing Growing Threats without Increasing Costs

Even as bad actors consistently gather and develop new tactics to infiltrate business networks, cybersecurity experts develop new strategies to defend against new attacks. With the right tools, knowledge, and strategies, businesses and organizations can protect networks against evolving threats. These tips can help protect against some of the most prevalent cybersecurity threats affecting businesses in 2022.

• Protect against supply chain attacks with UEBA and automated alerts and incident response. Software supply chain attacks increased 650% in 2021. These attacks use your trust in outside partners or providers to access your network. SIEM with user entity and behavior analytics (UEBA) recognizes suspicious behavior from trusted users and devices to alert you of a potential attack and take action to quarantine the threat before damage occurs.
• Invest in effective email security. 84% of all attacks in 2021 were distributed by email. A secure email gateway, multi-factor identification, and user best practices are your first line of defense against email attacks. Email security software can help eliminate attacks before they reach their target while a multilayered approach to email security identifies threats that have already been introduced to the system.
• Use a multi-layered cybersecurity approach to avoid data breaches. 92% of data breaches in the first quarter of 2022 were due to cyberattacks. To protect your company's valuable data against cyberattacks, assign privileges as needed, conduct frequent vulnerability scans, and conduct employee awareness training.
• Secure remote devices with integrated endpoint protection It's estimated that 24% of organizations will remain fully remote and 53% will be hybrid. 79% of businesses say the shift to hybrid or remote work has negatively affected their organization's cybersecurity. Endpoint detection and response (EDR) works to detect and respond to threats that target remote devices in the same way your central network is protected. MDR that includes EDR provides protection for your entire network, including remote devices. 
• Detect and prevent ransomware. Ransomware attacks increased by 13% in 2022, a jump greater than the last 5 years combined. By the time your organization receives a ransom demand, it's too late to protect your organization's data. Managed detection and response (MDR) uses advanced tools and human expertise to recognize and halt ransomware attacks before bad actors reach their objective. By quarantining the threat before ransomware is deployed, your network remains safe.
• Educate network users to protect against human error. The human element accounts for 82% of breaches over the past year. Circumstances like urgency, deadlines, peer-to-peer trust, and fear make humans prone to error. Modern phishing, BEC, and other attacks that prey on human nature are sophisticated and effective. Ongoing training is the best way to keep your employees from becoming the weakest link in your cybersecurity efforts.

Issue 5. Budget Concerns

Pandemic losses combined with an impending recession create a perfect storm for budget cuts in the coming months. While cybersecurity is recognized as one of the most pressing business concerns, shrinking budgets make it difficult for cybersecurity leaders to retain the funds they have or obtain the funds they need. Furthermore, company leaders often don't see cybersecurity in the same light as cybersecurity professionals. While 92% of business executives stated that cyber resilience is integrated into enterprise risk management strategies, only 55% of security-focused leaders surveyed agreed with the statement.

Translating the dangers of the current landscape and the importance of cybersecurity to professionals outside the security sector can be difficult. When organizations have invested in tools with limited ROI or cybersecurity teams are battling the effects of tool sprawl, justifying a strong cybersecurity budget becomes even more challenging.

Tips to Make Cybersecurity a Priority at Your Next Budget Meeting

It's essential to go into a budget meeting prepared with essential statistics about new cybersecurity threats and how modern cybersecurity tools can improve your organization's security posture while cutting overall costs. These tips can help you prepare for your next budget meeting.

• Read our guide to Securing your Cybersecurity Budget.
• Compare the true costs of a cybersecurity breach with the costs of effective cybersecurity.
• Provide a transparent explanation of how modern technology and cybersecurity approaches provide more effective cybersecurity and cut costs.

Don't Make Cybersecurity a Casualty of Recession

When businesses face the demands of a recession, budget cuts are soon to follow. Yet, the modern cybersecurity landscape means your organization can't afford to cut corners. With the right tools and services, you can cut cybersecurity costs without cutting corners that will make your organization vulnerable to attack. 

At BitLyft, it's our goal to make effective cybersecurity obtainable for companies and organizations of all sizes across all industries. Check out our resources page to find more information about how modern cybersecurity tools can help you improve your company's cybersecurity posture, how to create an achievable cybersecurity budget, and more.

Confused about how you can improve your cybersecurity posture during a recession? We're here to help. Contact us to speak to an expert about your cybersecurity needs and how you can maintain or improve your cybersecurity posture during a recession.