Last month, I had the honor to host a workshop at the R3: Resilience, Response & Recovery Summit in London, with two of my fellow Corero colleagues: Sean Newman and Peter Cutler. The conference was rich with conversations about response and recovery strategies and the legal and financial implications for cyber breaches. The attendees came from both the private and public sector, representing a variety of industries.
During the event we surveyed 62 of the attendees on the subject of distributed denial of service (DDoS) attacks. Some of the more interesting statistics that emerged from our short survey were as follows:
- 34% of the respondents said their organization had a DDoS attack in the last 12 months
- 44% of those that experienced a DDoS attack said their organization suffered degraded performance, and 32% said they had suffered a service outage
- 25% of respondents said their DDoS solution takes anywhere between 5 and 20 minutes to mitigate an attack; and 12% said it takes more than 20 minutes
- 46% believed their organization has adequate DDoS protection, whereas 28% felt they do not
- 54% of survey respondents had not heard of the UK's new NIS Regulations, and 95% didn’t know the maximum penalty that can be imposed
It’s significant that more than one third of the audience polled had suffered a DDoS attack in the past year, and nearly one third of those that did said they had suffered a service outage. Interestingly, over a third of respondents also have DDoS protection systems that—from Corero’s experience—take far too long (five minutes or longer) to engage mitigation. A DDoS attack can do a lot of damage, sometimes in a few seconds, but certainly in minutes. Cyber criminals even use DDoS to mask other cyberattacks, installing ransomware or other malware while the organization is distracted. Downtime is bad for business, as well as a threat to network security. In a world that does its business online, any amount of downtime is unacceptable.
It’s worrisome that more than half of the respondents had not heard of the UK’s NIS Regulations. Similar to the EU’s General Data Protection Regulation (GDPR), which aims to protect the personal data of EU residents, the NIS legislation aims to ensure the resilience of the essential services upon which EU society depends. Under this law, which went into effect on 10th May 2018, the UK can impose penalties against critical infrastructure organizations (healthcare, electricity, water, energy, digital and transportation operators) whose failure to “take appropriate and proportionate technical and organizational measures to manage risks posed to the security of the network and information systems” results in a loss of service. These organizations now face penalties of up to £17m if they suffer a severe loss of service.
Overall, the survey results indicated that a significant number of organizations are operating without adequate DDoS protection, and some are not even aware that they could face heavy fines for loss of service. Such a lack of awareness does not bode well for their futures. If organizations want to be more resilient against cyberattacks, and make the Internet a safer place for all, they must proactively defend against the most prominent cyberattacks, including DDoS, rather than just react to them.
Corero has provided best-in-class, innovative DDoS protection solutions for over a decade; to learn how you can protect your organization from the DDoS threat, contact us.