In 2020, malware attacks increased by 358% compared to 2019. OpenLearn

Over a third (34%) of organisations across UK critical national infrastructure (CNI) anticipate a rise in cybercrime as a direct result of the current economic crisis, new research produced by cyber security experts Bridewell shows.

Bridewell's Cyber Security in Critical National Infrastructure Organisations: 2023 report, which surveyed 500 cyber security decision-makers in the UK, in the transport and aviation, utilities, finance, government, and communications sectors, found concern is particularly high in the utility sector. This included energy and gas, with 41 per cent of respondents predicting a surge in cybercrime as a result of financial hardship.

The findings come as the ongoing Russia-Ukraine war squeezes oil and gas flows to the UK, causing a spike in prices for fuel and food.

UK inflation slowed slightly last month but held stubbornly above 10 per cent, further fuelling a cost-of-living crisis despite an aggressive series of interest-rate hikes.

Food and housing costs including electricity and gas bills have soared in recent months - according to data collected by the British Retail Consortium (BRC), average shop prices are now 8.9 per cent higher than they were at this time a year ago. It is the highest rate ever recorded and represents a significant acceleration from the 8.4 per cent measured in February.

This inflation spike caused the Bank of England to raise interest rates for the 11th time in a row last month.

The UK's Conservative government, headed by Prime Minister Rishi Sunak, had last month unveiled a budget aimed at tackling a cost-of-living crisis - it has sparked widespread strikes as many wages fail to keep pace.

The impact the current economic crisis could have on cyber security is significant.

With the rising cost of living putting employees under an increased financial strain, over a fifth (21%) of CNI decision-makers now rank employee sabotage among the biggest risks to their organisation's IT environment. The mean number of security incidents relating to employee sabotage has already increased by 62 per cent within CNI over the last 12 months – from 13 instances per organisation to an average of 21.

A third (33%) of decision-makers also believe that the prevalence of phishing and social engineering attacks will grow due to the economic downturn, suggesting that threat actors could prey on employees' vulnerabilities and financial fears to gain illicit access to CNI data and systems.

This year, several high-profile businesses have already fallen victim to cyber-attacks.

In January alone, retailer JD Sports said that around 10 million people may have had their addresses, phone numbers and email addresses stolen in a hack, while PayPal announced that 35,000 client accounts were compromised in a credential-stuffing attack.

Many businesses find that the rise in energy costs means cutting down in other areas of the business. Getty Images/iStockphoto

Anthony Young, Co-CEO at Bridewell, explains current economic pressures are making it easier for criminals to exploit the vulnerabilities of both employees and organisations.

"Reducing security budgets will exacerbate the issue", the security expert added.

A reported 65 per cent of CNI organisations are now seeing a reduction in their security budgets due to the economic downturn.

In the US, according to the Crunchbase Tech Layoffs Tracker, many organisations have already begun cutting back on both talent and resources to streamline their budgets in anticipation of a more challenging financial environment.

A report by Challenger, Gray & Christmas, Inc. shows that "job cuts announced by US-based employers increased 13 per cent to 33,843 in October 2022, the highest since February 2021."

However, Young warns against making further cuts in the cyber-security department.

"Now more than ever, decision-makers need to invest in strengthening their cyber defences from the inside out", he said.

How can businesses strengthen their defences?

According to David Nelson, Cybersecurity Product Lead at Maintel, organisations must put in place and update security infrastructure constantly, as "one chink in the armour could lead to a killer blow for the entire company".

The best way to ensure security is to "reduce the time to detect, contain and mitigate breaches," said Nelson. He believes this is a key strategy given those trying to gain access are now very skilled in delivering multi-layered attacks using diversion techniques.

One new method cyber security experts are hopeful of utilising to reduce cybercrime is Artificial Intelligence.

Despite concerns over the use of artificial intelligence to compromise security systems, OpenAI models can use natural language processing to respond to user queries and coding questions instantaneously and in plain English, which has several noteworthy applications for the world of cyber security.

An example of this is Microsoft Security Copilot, a recently launched artificial intelligence-based security product that combines an advanced large language model (LLM) with a security-specific model. This security-specific model makes use of an increasing range of skills and leverages Microsoft's unique global threat intelligence to provide an enterprise-grade security and privacy-compliant experience.

The tool makes cybersecurity operations more efficient, ultimately leading to better protection against cyber threats.

Bridewell's data also highlights the importance of the continuous education and training of employees to raise awareness of cyber security best practices.

Dave Page, Co-Founder and Chief Strategy Officer at a digital ecosystem company, believes businesses must optimise their digital workplace in order to provide more frequent and higher quality training for employees.

Research shows the average annual amount of wasted time per employee due to "digital friction" can range from four to five days, but it can also be as high as thirty days or more.

This valuable lost time could instead be used for employee training and education, for example, which would boost employee morale, satisfaction, and output and improve knowledge of important issues such as cyber security.