In August of 2020, the privately-owned New Zealand Stock Exchange (NZX) experienced a series of major Distributed Denial of Service (DDoS) attacks lasting longer than a week, causing severe disruptions to debt, equities and derivatives markets. The exchange was initially forced to suspend trading completely, because it could not fulfil its continuous disclosure obligations as its website was down.
The NZX attacks were highly sophisticated; according to ZDNet, “in the case of NZX, the group has repeatedly targeted Spark, the stock exchange’s hosting provider, which has also resulted in downtime for the provider’s other customers… Furthermore, the group also showed its sophistication by often changing the protocols that were abused for the DDoS attacks, keeping defenders on their toes as to how the next attack would manifest itself, and the protections they needed to roll out.” This is a prime example of why organizations need the latest generation of automated, real-time DDoS mitigation, to successfully defend against such multi-vector DDoS attacks.
However, the fallout from those attacks is not quite over for NZX because, as BankInfoSecurity reported, the nation’s financial regulator, Financial Markets Authority, recently issued a searing report that said the company “lacked sufficient technology resources and had inadequate IT security, including poor network design and unprotected infrastructure.” Fortunately for NZX, at least the government agency didn’t impose any fines on the company for its failure to adequately protect its services.
Observers might posit that a nation’s stock exchange is part of its critical infrastructure, because the economic ramifications of such an attack could be much more than just an inconvenience. That is why some countries are imposing government fines for those organizations that provide critical national infrastructure services — such as electricity, water, energy, transport, and healthcare — and that fail to protect themselves from service outages due to cyberattacks. For example, the European Union’s Network and Information Systems (NIS) Directive includes such penalties, resulting in organizations possibly facing fines of £17m or four percent of their global turnover. The intention is that the threat of fines will motivate organizations to improve their security measures and resilience against cyberattacks. Whether scrutiny comes from a regulatory agency, or its customers, an organization’s bottom line is sure to be impacted.
The NZX incident clearly demonstrates the need for DDoS protection, because it shows that even a large financial services firm can be severely impacted. This particular attack happened to make the headlines but, in reality, there are thousands of DDoS attacks targeting organizations around the globe, every single day. Companies with so much at stake need to be vigilant and proactive when it comes to cybersecurity protection, including DDoS mitigation. Of the many cyber threats that exist, DDoS attacks are some of the easiest and least expensive for cyber criminals to launch. Many traditional DDoS mitigation solutions struggle to detect and mitigate attacks that use the latest techniques, which usually results in downtime. The only way to ensure complete protection is by investing in a real-time always-on DDoS solution that defends in seconds at the edge of your network.