In today's digital world, there's no question that security must be a constant priority for companies — whether it's protecting internal corporate information or their products and solutions.
However, when recessionary forces are lurking, security for products and solutions that are offered or sold to end users, such as Web or mobile applications, needs to become an even greater focus. While it might seem counterintuitive in a climate of cost-cutting to spend on security — essentially looked at as a checklist item — the alternative is a world of pain and more costs.
According to Accenture, cyberattacks grew by 31% between 2020 and 2021. This was right as the US was grappling with the COVID-19 pandemic and the negative impact it had on the nation's economy. Now, signs may be pointing to another downturn in the economy this year, something reflected by recent layoffs in the industry.
As a result of these economic factors, the reduction in staff and budgets can create the perfect window for cybercriminals to take advantage while companies focus on continuing to operate and sustain themselves.
A Window of Opportunity for Cybercriminals
During down economic periods, companies place a greater focus on generating top-line revenue and allot more staff and resources to accomplish it. This means that, in 2023, companies will prioritize the enhancement of applications by creating new features and functionalities that can drive sales.
Unfortunately, with the majority of staff and resources allocated to application enhancement, security can often fall by the wayside, particularly the work of keeping everything updated with the latest security practices.
This deprioritization creates a window of opportunity for cybercriminals to take advantage of flaws or bugs in applications. For example, the Synopsys Cybersecurity Research Center (CyRC) recently highlighted a number of vulnerabilities in a few applications available through various app stores. The CyRC stated that it "uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities" in the apps Lazy Mouse, Telepad, and PC Keyboard. These vulnerabilities could lead to the gathering of sensitive information, such as login credentials, through the exploitation of keystrokes.
Although we don't know the full impact of these vulnerabilities, these are great examples of the types of flaws or bugs that could fall off the list of priorities for many companies.
Application Security Is Nonnegotiable
With any scenario in which an application can be compromised by cybercriminals, there's enormous potential for damage to reputation and to revenue generation. That's why application security is nonnegotiable.
Regardless of whether we're in a recessionary period or not, companies must continue prioritizing all application security activities on the same level as revenue. These activities include:
- Vulnerability and penetration testing: Some of the first security activities that are often deprioritized in times of economic downturn are vulnerability and penetration testing. While a company may conduct this testing every few months during a normal economic period, it may decrease that rate to focus IT and engineering staff efforts on building new features and functionalities. This means there's opportunity for cybercriminals to attack an application that's not kept up to date to determine where its security vulnerabilities lie. It's critical for companies to maintain or increase their testing windows during down economic periods as cyber activities tend to trend up.
- Risk assessments: When developing or enhancing applications, there are often company-created custom features and functionalities as well as those integrated through a third party. Features and functionalities like these can include payments (Apple Pay, Google Pay, Stripe, PayPal, etc.), access (Facebook or Google login, etc.), biometrics, and more. As with vulnerability and penetration testing, companies must conduct regular risk assessments that include any third-party additions with which they work or integrate. The vulnerabilities inherent to these third parties have the potential to become issues for the company's own business, too.
- Privacy protection: Applications, especially those that are geared toward consumers as the end users, are particularly vulnerable to cyberattacks. Companies must continue to implement the processes and protocols that ensure the safety and encryption of user information.
- Bug bounty programs: Historically, many technology companies or companies that offer applications and software host bug bounty programs that help to identify bugs or flaws. It's important for companies to continue investing in these types of programs that offer compensation to developers for their detections because, as mentioned earlier, flaws and bugs open a window for cybercriminals to exploit applications.
Keep Priorities in Sight
As companies look ahead and the economy continues to change, it's important they don't lose sight of their priorities. Yes, it's important to continue to find new revenue streams through applications to keep companies profitable. However, that doesn't have to come at the expense of application security.