The correlation between times of economic uncertainty and an uptick in cybercrime is well documented. The current cost-of-living crisis is no different. Criminals look to exploit the financial hardship of individuals and businesses alike with scams to lure unsuspecting victims.

Andy Robertson, Head of Cyber Security at Fujitsu UK&I, predicts that the current harsh economic environment and rumblings of a global recession will result in an increase in cybercrime. “A rise in phishing attacks always correlates to negative economic or social events and is focused on those that have the most to gain from the socially engineered messaging. At the same time, criminals face financial pressures and presumably are incentivised to work harder when times are tough.”

An alarming 39% of UK businesses are aware of a cyberattack in their systems over the past 12 months, according to the government’s Cyber Security Breaches Survey 2022, a figure that remains consistent with previous years of the survey. Yet, the effectiveness of their attacks is on the increase.

The most common threat encountered was phishing attempts (83%). Around one in five (21%) identified a more sophisticated attack type, such as a denial of service, malware, or ransomware attack. Despite its relatively low prevalence, respondents to the survey cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

“Ransomware attacks rank among the most effective cyber attacks on businesses and often have collateral damage far beyond the ransom itself,” says Ross Brewer, General Manager and Vice President of Europe, Middle East and Africa and Asia Pacific Japan for AttackIQ. “Ransomware incidents not only affect the business’s bottom line through potentially large payouts, like the $4.5m CWT Global fee paid by a US travel services company to the Ragnar Locker ransomware gang.

“It can also cause reputational damage, legal consequences, and result in the loss of data and business far beyond the immediate breach.”

Organisations must ensure that third parties also validate their own security controls and configurations and adopt similar up-to-date security strategies. This allows for organisations to know where their weaknesses are.

Calculating cybersecurity ROI

Brewer believes that firms must prioritise cybersecurity return on investment (ROI) when assessing their IT security budget. “Any economy in a state of unrest leaves companies open to exploitation by cybercriminals wanting to make quick money, making investment in cybersecurity even more prescient”.

ROI needs to be based on how much loss an organisation could avoid if a security system was breached, he says. “Investing in robust solutions is critical to mitigate risk. Companies that don't invest in new techniques are likely to pay a much higher price in the long run.” 

The average cost of a data breach is now estimated at around £3.5m according to IBM, and in regulated industries such as healthcare, finance and banking sectors, the costs can be even higher.

Cyber security needs to keep up with advancing cyber criminals

With hybrid working now mainstream, and cybercriminals becoming more sophisticated, so the risk of security breaches is increasing.

“Cybercrime threats are becoming increasingly sophisticated and heavily socially engineered, so they trick even the savviest of people these days,” warns Robertson. “What’s even more concerning is the recent advancements in attacker tooling that makes bypassing Multi Factor Authentication (MFA) protection easier for lesser skilled attackers, making the barrier to entering cybercrime even lower.

“The biggest cybercrime threats for individuals and businesses in 2022 are probably phishing scams and email threats. This often involves stealing credentials and the distribution of malware. Ransomware attacks are very popular among hackers to make some quick money and are mostly delivered through phishing.”

Robertson says the migration to the cloud and hybrid cloud platforms and services is a major rising risk. Some companies are not configuring cloud-based systems properly and that is opening them up to breaches. “There are still a lot of misconceptions about the effectiveness (and required configurations) of native cloud security controls, and this increases the attack surface and opportunity for criminals to exploit,” he says.

What investments has Fujitsu made in cybersecurity?

Fujitsu’s security investment - within Hybrid IT - is focused on four priorities over the short to medium term, which reflects the demand it is seeing across its client base. “These include our OT Security offering, Monitor, Detect and Respond Capability, Cloud Security Services and Virtual Edge capability, underpinning Security at the Edge,” says Robertson.

The other investment the company has made is to manage the skills shift from traditional standalone security to an increasingly interconnected landscape – hybrid working that relies on the cloud. In the past, Fujitsu had separate security consultants and cloud consultants such as Microsoft and Amazon Web Services experts. Now, there are increasing overlaps in skills between security services and application and cloud services. “This means it is no longer possible to decouple security from the cloud, so we are increasingly needing to upskill in the latest native cloud security controls sphere,” says Robertson.

This reinforces Brewer’s point to make sure that security for both native and hybrid cloud services are up to date, while also keeping a tab on third parties – a consideration ICAEW members should factor in if they want to keep their data airtight.

Take the steps to become more cyber secure

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. Readers should also visit ICAEW’s cyber security hub for further support in managing cyber risks.