
Cybersecurity budgets fail to keep pace with intensifying threat landscape

It isn’t difficult to find evidence of the fast-growing cybersecurity risks that companies of all sizes and in all sectors now face. For example, as this article was being researched and written, one of Canada’s largest energy producers was crippled by a major cyberattack that took its point of sale systems, website, app, and internal messaging systems offline. Suncor Energy, which owns the Petro-Canada chain of over 1,500 retail gas stations, later confirmed customer information had been compromised. The attack reinforces the unsettling reality of cybersecurity in 2023: we no longer have to look far to find evidence of its spread. The impact is, literally, right in front of us, and not even global energy giants are immune.


The Suncor attack reflects the accelerating vulnerability of organizations in the infrastructure space – see Colonial Pipeline and JBS Foods for earlier examples of high-profile ransomware events that resulted in widespread consumer impact. It also comes on the heels of a warning from the Canadian Centre for Cyber Security (CCCS) that the oil and gas sector is increasingly being targeted by opportunistic cybercriminals.

Barely two months ago, the Globe & Mail newspaper reported on pro-Russian claims that they had successfully targeted gas pipeline infrastructure in Canada. While no victims were publicly identified and no evidence of a specific attack was ever released, the report sent shudders through the industry and renewed questions around whether enough was being done to counter future events.


The truth for organizations watching all these headlines and wondering how they might be affected is sobering: it’s a matter of when, not if, and recently published data from HackerOne paints a worrisome picture. Specifically, 75% of the companies surveyed said pressure to reduce security budgets via layoffs, hiring freezes, and cancelling investments in new or upgraded technology is compromising their ability to efficiently manage their cybersecurity infrastructure.

A report from the Neustar International Security Council (NISC) confirms the widening gap between cybersecurity funding and expanding threats. It goes on to say that 51% of organizations don’t devote enough funding to current or projected cybersecurity needs.

Over one-third – 35% – of respondents to the NISC report said their cybersecurity budgets were either static or shrinking. Of those, 44% said they were worried their organizations were at increased risk as a result. 60% said they were worried tightened budgets would limit their ability to implement new technologies and processes.

The timing for all this is particularly troubling, as Federal Bureau of Investigation data collected during the pandemic confirms that cybersecurity worsens during times of economic distress.

According to the FBI’s 2020 Internet Crime Report, complaints of suspected internet crime almost doubled between 2019 and 2020, and reported losses topped $4.2 billion USD. Thanks to ongoing spikes in inflation, high interest rates, uncertain job market prospects, the Russian invasion of Ukraine, and ongoing global economic instability, the cybersecurity threat landscape is expected to worsen in the months and years to come.


Whoever the victim ultimately is, these types of attacks take advantage of the soft underbelly of cybersecurity – namely the fact that employees are often inadequately trained in recognizing the signs of the phishing attempts that almost always kickstart these events. Most organizations of any size and in any sector have historically under-resourced their cybersecurity competency – a reality made worse by the pandemic-fed explosion in remote and hybrid work.

A recent Hornetsecurity report said a third of all companies offered remote workers no cybersecurity training at all – despite the fact that 74% of employees had access to critical data.

Unfortunately, training knowledge workers to recognize a phishing attempt is not as sexy as buying cool new machines or opening up a fancy new data center. Business leaders don’t always appreciate the business value of cybersecurity investments – or the risks incurred when those investments aren’t prioritized.

The pandemic added additional pressure on CIOs, CTOs and CISOs, as they focused on keeping the lights on while employees transitioned, virtually overnight, to remote work. While technology leaders had been making significant progress in recent years getting CEOs, CFOs, and COOs to appreciate the business value of cybersecurity investments, the pandemic abruptly shifted everyone’s attention elsewhere.


Ask any IT or business leader flat-out if cybersecurity investments are worthwhile and they will undoubtedly agree that they are. Yet, the data highlighting systemic underinvestment in cybersecurity continues to pile up. So, what’s the answer?

It’ll take more than a single blog article to answer that question – so stay tuned – but for starters, IT leaders must shift gears out of their pandemic-era focus on keeping the lights on and get back to reinforcing the business benefits of investing in cybersecurity.

Organizations that do cybersecurity particularly well are those that don’t treat it as a separate discipline. By incorporating cybersecurity best practices into all facets of the business, it becomes easier to ensure all projects are properly resourced and are planned and deployed in a safe, sustainable manner.

Here at STEP Software, we don’t just develop software: we work with our business partners to understand their most pressing challenges, and then, design and deploy solutions accordingly. Cybersecurity isn’t just something to be tacked on; we build it into everything we do. We welcome the opportunity to have similar discussions with you.