Maintaining cybersecurity spending during a down economy

Matt Lee, Pax8 Senior Director of Security and Compliance
Pax8 Academy

My advice as a security professional and former MSP.

The economy as we know it looks to be heading into a downturn after a long bull run. When markets go down, cybersecurity can take a hit, because transformative projects are among the first things removed from the budget. With a bear market upon us, I believe we’re at a great turning point in our discipline. I want to share my thoughts with you on how our industry is going to be changing and how you can make sure that your company is protected from the threats that could rear their ugly heads, especially if internal spending appears to be in danger.

What cyberthreats look like in a down market

Something I have been asked is whether cyberattacks increase in a down market, either because attackers are more desperate or because they know a company has cut its spending. They don’t. In my opinion, cyberattacks are already in a space with so much growth and capability that the increase would only be a tiny blip against the background of wide-scale attacks. For example, if you take a look over at doubleextortion.com, you’ll notice that events really blew up in 2019, a time of great economic prosperity, and have been rising ever since.

The craft of creating cyberthreats is well-honed and distributed, and threat actors come from many different directions — ranging from small garage band-style hackers to large groups backed by powerful nation-states.

In short, the coming economic downturn will be the first where we already have a lot of these threats out there, and we don’t really know what’s going to happen. What I can say is that there will certainly be vulnerabilities out there.

We just recently had news of a new Microsoft Exchange vulnerability that threw some of the cybersecurity community into a fit, but if you read the articles and look closely, the vulnerability only exists if an organization hasn’t covered ProxyShell and ProxyLogon, both of which date from 2021. Companies still don’t have their bases covered, and it’s going to lead to loss, especially when facing highly advanced threat actors.

This level of vulnerability is only going to get worse in an economic downturn, as companies become more likely to cut cybersecurity spending or drop projects from their plan of action and milestones (POA&M). When those are dropped, even more things in their network become vulnerable, and the cuts in cybersecurity spending end up being the stick they get whacked with.

Cybersecurity is going to take more than just meeting compliance standards

Don’t get me wrong, having standards for cybersecurity is a good thing, and companies being compliant with those laws and standards is also good, but it isn’t enough. When companies blindly follow regulatory compliance standards, they are putting themselves in a system of haves and have-nots. Just meeting government regulations firmly puts organizations in the have-nots camp.

There is a major difference between what you write on paper that sounds amazing and actual, functional security. As an example, let’s say I write a security policy for my home that states when I go to bed, I lock my door and turn on my security alarm. That sounds super simple, and like it would be reasonably effective. However, what I didn’t cover were stipulations that my alarm has to cover all zones. I didn’t even write that my lock has to work — or that the door functions as an effective barrier at all.

At the end of the day, security is operations — nothing more, nothing less. By just checking the box of security and leaving it as is, organizations are putting themselves at real risk. The danger of looking at compliance as the end-all, be-all of cybersecurity means that organizations stop trying to iterate and improve. This can happen in a down market because doing the legal bare minimum is a tempting way to save costs. But the lack of consistent operations and betterment can lead to some incredibly negative outcomes.

Professionalism is the trend for a down market

Something that I find really hopeful, and a trend that is quickly emerging in the cybersecurity space, is a sense of professionalism and standardized frameworks for what good security is. We’re finally abandoning our “wild west phase” and developing bodies of knowledge that point to great practices at every level of business. No longer is cybersecurity just about being a smart guy in a room advocating for stronger practices. Organizations everywhere, especially SMBs, are starting to embrace frameworks like the NIST Cybersecurity Framework (CSF) and the CIS Controls. It’s these bodies of knowledge that help cybersecurity professionals point to established best practices, sell them to their organizations, and iterate and improve on them.

For MSPs educating their clients, we’re starting to see them use these frameworks as reference points instead of standards they made up themselves. Now they’re able to look their clients in the eye and say we’re going down this path because these are known and proven tactics that reduce cyber risk more than anything else. Following a body of knowledge shows that we’re really starting to see increased professionalism in our world.

We can look at the transition to a more professional cybersecurity environment by drawing parallels to American medicine from the 1700s up to the modern day. At the start, doctors knew how to attach leeches and amputate limbs without an anesthetic. But as the system grew, doctors started to understand what certain herbs did, and eventually we got the American Medical Association. Suddenly there was a shared body of knowledge, and standards and procedures that were proven to lead to better outcomes. On top of that, certification boards were created, apprenticeship models ironed out, and academic models were created to produce top-quality medical professionals. This is where cybersecurity is headed. The way things are right now, all you need to do to be a cybersecurity person is to say you are and grab a few certifications. That’s it. Luckily, the industry is changing for the better.

Organizations can take steps right now to protect and improve themselves

There are steps that companies can take right now to protect themselves. Companies need to start deeply adopting identity-centric security, and many SaaS products, from line-of-business solutions like Salesforce to platforms from major providers like Microsoft and AWS, can help. Ideally, organizations should be buying security products closer to what a startup would have.

If you started a company tomorrow, is there any chance you’d buy a server, or even a server in Azure? Unless there’s a highly specialized reason for your business, there’s no point. Especially as an MSP, SaaS models allow you to set up your systems so that every client is only one script difference away. It allows you to turn your offering into a scalable and easily deployable infrastructure to help you mitigate risk.

There’s a good reason for ensuring that you’re as secure as you say you are

There are a couple more major risks in the cybersecurity market looming for industry professionals, and one of them could turn organizations completely on their heads. There is going to be a change in cybersecurity insurance that will be a factor in this downturn economy. Most insurance companies work from actuarial data, a proven data set that tells them when things will break and when things will die. When it came to cybersecurity, however, they didn’t know what they were doing. Insurance companies had been placing bets for several years at a very high level because they didn’t have the data, and they’ve been losing their shirts. There was a very famous case between Merck and its insurers, led by Ace American Insurance (a Chubb company), over whether the policy’s war exclusion let the insurers refuse to pay for the damage done by the NotPetya attack. The court sided with Merck, leaving the insurers on the hook for roughly $1.4 billion in claimed losses.

Insurance companies took notice of this and immediately started to tighten their policies. Now, for organizations, a downturn in cybersecurity spending could lead to subrogation risk. If you as an MSP attest on a client’s insurance application that MFA is in place and certain standards are met, that attestation is a liability. If the project you claim to have done for your client isn’t implemented well, wasn’t done, or was still in progress when the incident hit, the insurer that pays the claim can pursue your organization to recover it (subrogation), and the client can sue you directly.

As we talked about before, there’s a major difference between just checking the boxes and ensuring that your security works. The more you do just the bare minimum, the higher risk there is for you. If the reality of what you’re doing isn’t the same as what you say you’re doing, there’s bound to be trouble. In other words, you need to talk the talk and walk the walk.

If you think the insurance companies are bad enough, MSPs will also have to start worrying about the US Department of Justice (DOJ). Under its Civil Cyber-Fraud Initiative, the DOJ has announced that it will use the False Claims Act against government contractors and grant recipients that knowingly misrepresent their cybersecurity practices or fail to deliver the security their contracts require. What the DOJ is looking for is organizations that haven’t done what they said they would do, with patching as the obvious example: bill for it, skip it, and you have submitted a false claim. The act’s whistleblower (qui tam) provisions financially reward insiders who expose these false claims.

Let’s say I work for an organization that isn’t following through on its patching for a major government client. I could go to the DOJ and say they’re lying about their contract, and I have irrefutable proof of it. My role is done; the DOJ takes over the investigation and the case. If the company is found liable, I would earn a share of the recovery, which the statute sets at between 15% and 30%. If you’re in any kind of market where your client might not have the maturity to know exactly what they’re buying, the DOJ is essentially keeping tabs on you by incentivizing your employees to blow the whistle. This is why MSPs in particular must keep up with their cybersecurity spend in a down market.

How MSP cybersecurity professionals can ensure projects don’t get cut

When you’re in a down market, cybersecurity measures, especially new projects, could be some of the first things to get cut. It’s critical to be able to convince your C-Suite and key stakeholders that the investment is worth it, which can be a major challenge. To do that, you’re going to need to articulate the business cases better on two sides: reward and risk.

On the reward side, you can talk about how adopting newer technologies, such as cloud and shared responsibility models, can give the business capability faster and scale it more easily. At the same time, you have to be able to communicate the opposite: talk to them about the risks and what is changing in the regulatory landscape. You can talk about how the US Congress recently defined what an MSP is and how the DOJ is going after contractors that don’t deliver the security they promised. If you want to convince them, you have to make them aware that there is both a carrot and a stick.

The landscape of cybersecurity is changing, both due to trends that were happening before this potential economic downturn, and because of the downturn itself. At the end of the day, now is not the time to be dropping cybersecurity spending. Instead, it’s time to start developing a system of consistent iteration and improvement.

Advance your cybersecurity knowledge with instructor-led courses at Pax8 Academy.