The dangers of DDoS overconfidence for European businesses
Is your organisation properly equipped to deal with a DDoS attack?
With cyber-attacks hitting headlines on an almost daily basis, from ransomware to data breaches and increasingly, DDoS attacks, there is no doubt that today’s cybercriminals are becoming more sophisticated. Take the Mirai botnet attack that targeted Dyn in October 2016, for instance. This high-profile attack caused the likes of Twitter, Amazon and even the BBC to be undermined, and is a perfect example of how cybercriminals are taking advantage of connected devices to carry out cyber-attacks en masse. The recent news of the Reaper botnet only adds fuel to fire, and is said to have the potential to carry out even bigger DDoS attacks than the Mirai botnet of last year.
The threat of DDoS attacks for European businesses across all industries is real. But despite warnings in the media, many businesses are confident in their preparedness to withstand a DDoS attack. But reality doesn’t paint the same pretty picture, and businesses’ overconfidence in their DDoS mitigation could actually be putting them in great danger.
The rise of DDoS
Our own research shows it isn’t just the number of DDoS attacks that is growing – the likelihood of being attacked is also on the rise. In 2014, the number of DDoS attacks grew by just 29% year on year, where attacks were mostly targeted at the online gaming industry. But in 2015, attacks grew by an astounding 200% – and these attacks were aimed at the online gaming industry, as well as public sector bodies and financial services too.
Businesses don’t just need to take into account the volume of attacks – the size of attacks is also growing at a somewhat alarming rate. While the largest detected attack in the first half of 2015 was 21Gbps, in 2016, the largest attack was almost three times the size at 58.8 Gbps.
With DDoS attacks becoming a bigger threat to businesses than ever before, CDNetworks investigated the preparedness, investment and confidence of more than 300 businesses across the UK and DACH. While the research shows that European businesses are taking notice, and 64% are set to increase their investment in DDoS mitigation in the next 12 months, the danger is that this investment will simply not be enough.
More investment, less risk?
Even though 79% of businesses think the likelihood of their infrastructure being attacked is likely to almost certain, many believe they aren’t actually at risk of suffering a DDoS attack. In fact, the combination of widespread, recent, and growing investment in DDoS mitigation has led to an overwhelming confidence, and 83% of respondents are either confident, or very confident, in both their current DDoS mitigation arrangements and with how resilient they would be in two years’ time.
But not everyone holds these same high levels of confidence. There is some underlying doubt from a minority (44%) of businesses who harbour doubts about their preparedness, and believe they are currently underinvesting in DDoS mitigation.
The dangers of overconfidence
While recent high-profile DDoS attacks seem to have motivated businesses to invest in DDoS mitigation technologies, when we take a closer look at the number of attacks that have taken place, this confidence is in fact, misplaced. When asked about the frequency of DDoS attacks, 86% confirmed they had suffered a DDoS attack in the last 12 months.
But if confidence is to be proven to be complacency, the number of attacks isn’t what is important – it’s the number of successful attacks that is key. And despite the amount of money companies are investing, and the levels of confidence they have in their DDoS mitigation technology, more than half of respondents (54%) suffered at least one successful attack in the past year. Which means this is more than a contrast of preparedness versus reality.
The complacency of businesses is also echoed in how they believe DDoS will impact them. In short, until you have experienced a successful attack, you cannot really appreciate the damage it can do to your business.
The administrative level is largely oblivious to how their reputation may be affected by failing to protect their business from a DDoS attack, while the C-suite cannot deny it would impact their view of the IT team, and were most likely to rate the impact as catastrophic. Understandably, the heads of the IT department felt the damage most keenly, being most convinced that their department’s reputation would suffer some or serious impact. IT heads therefore need to bear in mind that DDoS attacks are not only commercially damaging, but they will also affect their own prospects.
Ensuring DDoS mitigation
The good news is that enterprises can ensure their DDoS mitigation is not under-provisioned. Firstly, they need to perform a vulnerability test to identify where gaps lie in their systems and network defences. An extensive review of a network’s strengths and weaknesses will show where vulnerabilities lie, and determine whether the DDoS mitigation tools they have in place are fit for purpose. A vulnerability test will highlight the services and technology needed to ensure businesses are protected against DDoS.
Businesses also need to prepare for the worst. The lucky few that have not yet fallen victim to DDoS attacks are the ones that underestimate their severity– and regardless of confidence, business continuity must be a key part of DDoS planning. DDoS attacks can have catastrophic financial, legal, regulatory and brand reputation effects, so aside from the technical requirements of duplicating information, and ensuring recovery time objectives and recovery point objectives match business needs, there are also procedural requirements businesses need to consider. Identifying the crisis team and any security partners immediately for example, as well as having a communications plan in place, will ensure partners, employees, customers and the media are kept informed if an attack does take place.
Finally, with cybercriminal activity becoming more sophisticated, businesses need to be prepared in case a DDoS attack comes with a ransom demand. In such circumstances, paying cybercriminals is not recommended. Instead, businesses should consider having insurance policies in place. There will be some instances where cybercriminals win, and having insurance against data breaches and other types of attack will help to overcome some of the damage.