Market Volatility and Downstream Security Implications
Due to the ongoing effects of COVID-19, supply chain issues, the war in Ukraine, and inflation near all-time highs, securities markets are fluctuating dramatically. In addition to undermining the peace of mind of investors and financial professionals, market volatility is predicted to influence and alter the cyber risk landscape. However, in times of market instability, organizations often operate under severe constraints or overreact to market changes, resulting in fewer resources for other priorities such as security. Yet, these are the times when it is most critical for firms to review and ready their security programs so they can prepare for an uncertain and changing future.
Risk implications
Threat actors thrive on instability and changing environments, such as the current market volatility. It is important that organizations understand the changing threat landscape so they can take steps to prepare and secure their organizations.
Greater room for employee error
During times of uncertainty, management often looks for ways to trim and reduce costs. This can translate into hiring freezes and, in more dire circumstances, layoffs. Yet, operating with an understaffed workforce has the potential to exacerbate employee burnout, which in turn can create additional cybersecurity vulnerabilities at an organization.
Hiring freezes and layoffs place additional pressure and burdens on employees who remain at an organization, as they are left to fill the void and take on responsibilities that were previously not theirs. This can result in a variety of security implications for an organization. Overextended and burned-out employees typically do not have the time or energy to devote to cyber awareness training or to follow cybersecurity best practices. Instead, they are more likely to cut corners and circumvent cybersecurity protocols. Likewise, burned-out employees are more likely to commit errors because they are tired or because they are performing new or unfamiliar tasks due to staffing constraints.
Malicious insiders
Market volatility and its ramifications also have the potential to fuel malicious insiders to act against the organization. Financial distress, layoffs, and disgruntled employees have all been cited as primary motivations for malicious insiders to act. Confronted with inflationary prices at the grocery store, rising fuel prices, and falling asset values, employees who are struggling financially may be motivated to act against the organization for monetary gain. Others, who have been laid off or fear being laid off, may act out of revenge against the organization. Workplace policies that negatively impact employees may also provoke insiders to act maliciously against the organization. For example, carrying on with return-to-office (RTO) policies as fuel prices skyrocket may create a contentious environment which may trigger a disgruntled employee to act maliciously against the organization.
Higher attack success rates
Market volatility also has the potential to result in higher attack success rates due to organizations being forced to operate under atypical circumstances. As organizations respond to the market through restructuring, layoffs, and other cost-trimming measures, this can create an unstable environment which bad actors can exploit, as occurred during the initial outbreak of COVID-19 and the shift to remote work.
Consumed with responding to market changes and minimizing losses, leadership may be more distracted and less focused on cybersecurity concerns and threats. Likewise, organizations operating understaffed or with strained resources can also create an environment where errors are more likely to slip through the cracks and go unnoticed.
Security budget implications
Alongside impacting an organization's security risks, the current market volatility will also influence how firms spend money on security. Periods of financial volatility and economic decline lead organizations to look for ways to trim their budgets. Organizations should spend time now thinking through how to manage and strategically spend security budgets during the forecasted uncertain times. The following provides key considerations for how organizations can manage security budgets in advance of potential cuts.
Look for redundant technical controls
Redundant security controls can be eliminated as a cost-cutting measure. Many security technologies have built-in security features that tend to go unused by organizations. For example, Windows has its own free anti-virus, yet firms often buy and use other anti-virus software. Simplifying and condensing control suites can not only aid organizations in trimming security budgets, but also in strengthening their overall security posture, as simpler controls are easier for security and IT personnel (including managed service providers) to implement and manage.
Build a risk quantification capability
To justify spending during tight budget times, organizations should develop a risk quantification capability which can be used to identify and prioritize risks based on their predicted probability of occurring and cost. Risk quantification helps organizations understand risks in monetary terms, allowing leaders to align cyber spend accordingly. In times of financial uncertainty, risk quantification can also be used to identify where security teams (or managed service providers) can make budget cuts without putting the organization at an elevated risk.
Outsource activities for increased budget flexibility
Protecting and monitoring an organization's networks is necessary regardless of the status of the financial market. Outsourcing security activities can help organizations meet immediate security needs while also providing increased budget flexibility: spending can be scaled down in the event of budget cuts and scaled back up later, without the loss of internal expertise that would have occurred if layoffs had been used to cut costs.
Conclusion
While the full impact of the economic decline is still unknown, organizations can take actionable steps now to prepare for the future and limit its effects. By evaluating risks as well as how to strategically allocate and trim security budgets, organizations can more securely position themselves technologically and financially for the road ahead.
How we help
ACA Aponix® can help organizations manage their cyber risk by offering best-in-class advisory services with seasoned cyber professionals who can bring not only their own expertise, but also best practices and insights from a vast peer network. Our services include:
- Business continuity plan and business impact analysis complete with robust policies, plans, and procedures to better protect your company from data breaches and efficiently recover from a cyber incident or significant business disruption.
- Penetration testing and vulnerability assessments to identify network vulnerabilities that can help reduce the risk of a breach and associated financial, operational, and reputational losses.
- Policy development to protect your sensitive data and critical systems, meet regulatory requirements, and set best practices into action.
- Risk assessments to identify and remediate gaps in a firm’s current cybersecurity and regulatory state.
- Support and advice to build and to assess an organization’s cybersecurity risk, identify cybersecurity program gaps, and draft and execute against a mitigation roadmap.