Recently a friend survived a serious car accident unhurt, thanks to her car's airbags. I recalled the incident during discussions with a customer's management.
They had not suffered cyber attacks for ages, and began to wonder whether they still needed DDoS protection.
But just as someone would never remove the airbags from their car simply because they have never had a serious accident, so they should not cut back on cyber defences just because they hadn't had a major attack in a while.
Although the probability of attack is low, the risks are severe.
According to Radware's 2019-2020 Global Application and Network Security Report, 33% of organisations reported being attacked by DDoS in the prior year.
While this is a threatening figure, considered from the alternative perspective, it means that two-thirds of organisations experienced no DDoS attacks in the past 12 months.
Stretch the statistic back, and it means that in the past two years, about 45% of organisations did not experience an attack, 30% didn't in the past three years, and 20% have not seen an attack in four years. Even further back, about one in eight organisations has not been attacked over the past five years.
This has led many organisations to wonder why they still need to go through the difficulty and expense of deploying dedicated DDoS protections.
The problem is that like car accidents, DDoS attacks may occur infrequently, but once they happen the damages are severe. Ultimately, most organisations' revenue depends on customers being able to reach their services.
According to a study by Gartner, the average cost of IT network downtime is $5,600 per minute, or almost $300,000 on average. Although these figures may vary by the size of the organisation, the number of affected assets and the severity of the outage, it demonstrates the very real damages that can occur as a result of outages.
As customers consume more and more services online, an organisation's website and network become mission-critical assets, and any downtime will lead to significant losses.
Damages as a result of a DDoS attack can be direct or indirect:
- Direct loss of revenue – if a website or application is generating revenue regularly, then any loss of availability will cause immediate revenue losses. For example, if a website generates $1m a day, then every hour of downtime, on average, will cause over $40,000 in damages.
- Loss of productivity – for organisations that rely on online services, such as email, scheduling, storage, CRM or databases, any loss of availability to any of these services will result directly in loss of productivity and lost workdays.
- SLA obligations – for applications and services that are bound by service commitments, any downtime can lead to an SLA breach, resulting in refunding customers for lost services, granting service credits and even potentially facing lawsuits.
- Damage to brand – in a world that is becoming ever more connected, availability is increasingly tied to a company's brand and identity. So any loss of availability resulting from a cyber attack can impact a company's brand and reputation. Radware's 2018 Application Security Report showed that 43% of companies had experienced reputation loss as a result of a cyber attack.
- Loss of customers – one of the biggest potential damages of a successful DDoS attack is loss of customers. This can be either direct loss (i.e., of customers who choose to abandon a company as a result of a cyber-attack), or indirect (i.e., of potential customers who are unable to reach the company and lost business opportunities). Either way, this is a key source of damage.
Like many hazards in life, protection against DDoS involves balancing risk vs. probability. Most people have never been involved in a serious car accident, or had their house burn down. Yet people still install airbags in our cars and buy insurance for their homes.
This is because while such events occur infrequently, the resulting damages are so catastrophic and far-reaching that people are willing to bear the ‘peacetime' costs of airbags and insurance, so they are available in times of need.
The same logic applies to DDoS protection. While some organisations face constant attack, others are targeted infrequently. Yet the threat always exists, and when an attack occurs, the risks and costs of being unprotected, or having inadequate protections in place, far outweigh the costs of maintaining DDoS protection even at times people might think they don't need it.
Even though most adults have never been involved in a serious car accident, studies have shown that car safety is the first consideration in buying a new car. This is because in the unlikely event of a serious crash, the driver's life will depend on it.
Likewise, service availability is the lifeline on which many organisations depend to serve customers and generate revenue.