Over a third (35%) of critical national infrastructure (CNI) security leaders believe the economic downturn is forcing employees to turn to data theft and sabotage, according to Bridewell Consulting.
The cybersecurity consultancy polled 1025 individuals with responsibility for cybersecurity in UK and US CNI firms across the communications, utilities, finance, government and transport and aviation sectors.
Many believe the cost-of-living crisis may be driving insiders at these firms to do the bidding of cybercrime groups in return for a big pay-off.
Their suspicions are backed by hard evidence: the financial services sector was hit worse than any other industry sector studied for the report last year. Organizations in the vertical suffered on average 28 security incidents caused by employee sabotage over the previous 12 months, as well as 28 instances of data theft or misuse.
Overall, the number of employee sabotage incidents at CNI firms surged by 62% year-on-year, according to the report.
Challenging economic conditions are also putting pressure on CNI firms in other ways. Almost two-thirds (65%) of UK respondents said they had seen “some reduction” or a “significant reduction” in their cybersecurity budget, rising to 73% of US respondents.
The communications sector has been impacted the least by these cuts, with almost half (48%) claiming to have seen no change in security budgets. At the other end of the spectrum, the transport and aviation (73%) and utilities sectors (69%) experienced the greatest falls. Utilities also includes energy, oil and gas companies.
“The threat of insider sabotage has always been high across CNI, but current economic pressures are making it easier for criminals to exploit the vulnerabilities of both employees and organizations. Reducing security budgets will exacerbate the issue,” argued Bridewell co-CEO, Anthony Young.
“Decision makers need to invest in strengthening their cyber-defenses from the inside out. This should encompass the robust monitoring and testing of systems and access controls, investment in data loss prevention, and the continuous education and training of employees to raise awareness of cybersecurity best practices.”