How can understanding the current U.S. economic environment enhance cybersecurity risk visibility?

Since the 1940s, the Misery Index has been an informal measure of the state of the economy, calculated by adding the rate of inflation to the rate of unemployment.

In April of 2020, the peak of the pandemic brought about a 15.03 rating on the index due to a 14.7% unemployment rate. Since then, we’ve seen a decrease in unemployment, down to 3.6%, yet inflation continues to rise, leading to the current state of 12.66.

While this data only refers to inflation and unemployment rates, could the information be leveraged as a cybersecurity risk indicator?

--------------------------------------------------------------------------------------------------------------

Inherent Risks and the Increasing Misery Index 

Various researchers have evidenced a causal link between misery indices and crime rates (Report). When goods and services cost more, and with employment opportunities sparse, more crimes are committed. This is often out of financial necessity or due to moral slippage in a turbulent economic environment. With misery indices impacting crime rates, could that mean that cybercrime too will rise in this economic climate?

The misery index often climbs alongside all-too-familiar headlines such as large-scale layoffs and company shutdowns. In an environment such as this, the allure of malicious activity can be too great to resist. Consider a highly skilled, newly unemployed IT professional struggling to feed their family after being laid off due to cost-cutting. With inflation continuing to rise, they may choose to apply their technical skillset to a potentially lucrative opportunity in cybercrime. While this scenario is born from necessity, consider also the effect of a high misery index climate on motivation. Layoffs and salary cuts resulting from inflation increases create animosity towards employers. Disgruntled staff know where the weaknesses are in their (former) employer’s environment and are well positioned to exploit these vulnerabilities for illicit gains.

While these high-skilled threats could cause significant harm, they are just the tip of the iceberg when it comes to the total population of would-be attackers. Research has shown that in 2022, the number one threat action leading to a data breach was phishing: a low-tech, relatively cheap attack method. It is likely that these sorts of attacks will continue to dominate the threat landscape, particularly in a high misery index environment, due to the low cost of execution and high motivation.

When the above-ground economy stalls, the underground economy swells.

Cybercrime is one of the least prosecuted crimes. According to the World Economic Forum, the likelihood that a cybercrime entity is detected and prosecuted in the U.S. is estimated to be as low as 0.05%. Not only is it less likely you’ll be caught, but the human impact is less obvious than with more violent crimes such as robbery and property damage (also common crimes in high misery index climates), an impact which may otherwise have deterred the less morally reprehensible criminal.

The majority of data breaches in 2021 stemmed from social engineering, with phishing, pretexting, and BEC (Business Email Compromise) amongst the most common attack vectors. According to the FBI’s Internet Crime Complaint Center (IC3), phishing is by far the most common, accounting for approximately 38% of all cybercrime complaints in 2021. These attack types are relatively simple to undertake with a small investment, and the ROI may be significant. When the cost of living increases, interest in a lucrative “side hustle” is likely to increase, despite the illegality. BEC alone accounted for $2.4b in losses! Individuals who may be motivated by revenge or frustration following layoffs and salary cuts would find themselves alongside other opportunists and criminals latching onto the next potential threat scenario (COVID-19, Ukraine, tax season, etc.). A recent report from the IC3 states that cybercrime losses have increased almost 500% over the last 5 years (Report). One thing is certain: cybercrime is not going anywhere.

With so few obstacles to taking part and increasing financial pressure, it’s not difficult to understand that misery really does love company, but unfortunately, that company is likely to be criminal in nature.

Given the increased likelihood of cybercrime in a high-misery environment, now is a good time to review your current security posture, cyber capabilities, and threat modeling, with a special focus on Training and Awareness and Insider Threat Management. Equally important is ensuring that any cost-reduction activities are appropriately considered so that key security capabilities are maintained. AlixPartners’ Cyber practice is supporting a range of clients across every industry to review and improve their security capabilities in response to the ever-changing cybersecurity threat landscape.

In this current climate, could your organization benefit from leveraging macro-economic indices for risk analysis?