Executive boards need to understand the severity of potential DDoS attacks on their company networks and prepare accordingly. Ashley Stephenson, CTO of Corero Network Security, discusses the importance of communicating this to the C-suite so that they can respond appropriately with adequate security budgets.
Being in the security department isn’t easy. In fact, corporate security practitioners often find themselves in the unfortunate position of being critical to the survival of an organisation and yet seen as a necessary money drain or expense.
This conflict is often apparent when it comes to talking to executives. As the holders of the purse strings, they can grant or deny the budget that allows a security department to do its job well or constrains it to perform poorly. Understanding how to convince executives of the department’s relevance is one of a security professional’s key challenges in today’s enterprise.
Fortunately, things have gotten easier in recent years. Growing awareness of a corporation’s dependence on reliable Internet connections, the advent of headline-grabbing security breaches and punishing regulatory compliance regimes have all made executives more aware of, and more focused on, cybersecurity.
However, it can still be difficult to win them over, especially when talking about some of the less understood threats – like DDoS.
Executive blindness to DDoS
Businesses are already convinced of the threat of ransomware, but have a harder time getting to grips with the unique risks of DDoS. Meanwhile, DDoS is becoming an ever more relevant security risk to businesses and increasingly threatens bottom lines and innovation within the enterprise.
Several trends have increased the gravity of DDoS attacks against business in recent years. The first is the relentless expansion of the digital enterprise. Technologies like the cloud, the IoT and mass remote working have fundamentally changed the shape of the enterprise network, expanding it beyond the reach of traditional DDoS defences and fracturing the attack surface. This has created a wide variety of exploitable attack vectors with which traditional security controls have not kept pace.
The second is our ever-deepening reliance on cloud connectivity. When that connectivity is cut, enterprises that depend on connected computer systems and services become incapacitated.
Ransomware victims have experienced this first-hand, and many enterprises have been prepared to pay exorbitant ransoms merely to restore the operations of their businesses.
DDoS poses a similar threat. Enterprises rely on connectivity to varying extents, and it makes perfect sense that DDoS gangs target sectors for which constant connectivity is a core part of the business. Internet Service Providers (ISPs), cloud-hosting services, telecommunications companies, VoIP services and online video gaming companies have all drifted into the crosshairs of ransom DDoS extortionists.
Getting through to the C-suite
It is this important point which executive boards must come to realise if they are to respond appropriately with adequate security budgets. The DDoS threats arrayed against them are evolving in parallel with the changes in enterprise IT. For their part, security practitioners need to talk to executives about the growing DDoS threat in a language they can understand.
General facts, figures and case studies will all be useful here – as will giving them an understanding of the specific risks your organisation faces. Primarily, however, successfully explaining DDoS to the board means drawing a straight line between defence of the network and defence of the bottom line. There are four key points to keep in mind.
1. How is DDoS a threat to your organisation – specifically, are you a likely target?
An executive might understand the general threat of a DDoS attack, but to drive it home they need to know how their particular organisation may get hit.
As we’ve mentioned, DDoS extortion targets connectivity-dependent businesses. That connectivity is of particular value, and thus of particular concern, to industries like telecommunications, Internet Service Providers, online gaming, VoIP services and cloud hosts. That point can be forcefully underlined if your particular organisation is in one of these sectors.
However, connectivity is an asset on which we all increasingly rely. Mass remote work is now the norm for many, and the cloud is an asset which most cannot do without. These are the kinds of dependencies a DDoS gang will paralyse in an attack. Understanding where those sensitivities lie and how they might hamstring an organisation will help executives understand the real threat that DDoS poses.
2. How is DDoS a threat to revenue?
Even if executives don’t understand the risk in terms of digital infrastructure overloads or gigabit-per-second floods, they will understand the punishing effect of downtime.
That is what DDoS aims to accomplish – it is designed to cause downtime. It immobilises its victim’s business, forcing them to spend time and resources getting their systems back online. That downtime sends shockwaves through an organisation, affecting sales, marketing, customer support and more, and thus endangering revenue streams throughout the organisation.
There are also the attendant follow-on losses that come with many cyberattacks, including damage to brand reputation, compliance penalties and more.
3. DDoS and ransomware are getting closer
Ransomware is one of the most well-known cyberthreats out there. Executives understand the risk it poses pretty well, and it can be a useful reference point. One could note, for example, how similar ransomware and ransom DDoS tactics have become in recent years. Whether through DDoS-extortion attacks such as the 2020 Telenor attack, or through ransomware gangs’ use of DDoS, such as by the HelloKitty gang, the tactics, if not the technology, of ransom DDoS attacks are often strikingly similar to ransomware and can wreak similar havoc.
4. DDoS threatens future innovation
Finally, executives need to understand that if they don’t update their security defences, the organisation’s ability to innovate and scale will also be at risk. The connectivity which modern organisations rely on – like remote working and IoT – is a new soft underbelly for a DDoS attack. A well-placed attack can also cripple an organisation’s internal ability to function.
Furthermore, attackers are evolving their methods to defeat traditional DDoS solutions. Short-duration attacks have become the norm in DDoS, currently accounting for 85% of attacks. Their brevity allows them to dodge legacy DDoS detection and mitigation solutions, doing most of their damage before any alarm can be raised or a response mobilised.
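To make the detection-latency point concrete for a technical audience, here is an added simulation (not code from the article, and not Corero’s product logic) of two threshold detectors run over a constructed per-second packet-rate trace. The legacy detector is modelled as averaging traffic over 300-second polling intervals; the modern one evaluates every second. The 300 s and 1 s intervals, the 20,000 packets/s threshold and the traffic figures are all assumptions chosen for illustration, not measurements from any network or vendor settings.

```python
from typing import List, Optional


def make_sample_traffic(burst_s: int, total_s: int = 600, burst_start: int = 290,
                        baseline_pps: int = 1_000, burst_pps: int = 200_000) -> List[int]:
    """Constructed per-second packet-rate samples (packets/s) for one link:
    baseline traffic with a single flood lasting `burst_s` seconds.
    All values are made up for this example."""
    rates = [baseline_pps] * total_s
    for t in range(burst_start, min(burst_start + burst_s, total_s)):
        rates[t] = burst_pps
    return rates


def interval_detector(samples: List[int], interval_s: int,
                      threshold_pps: int) -> Optional[int]:
    """Model of a detector that averages traffic over fixed, non-overlapping
    polling intervals and alerts at the end of the first interval whose average
    rate exceeds the threshold. Returns the second at which the alert fires,
    or None if the trace ends without an alert. A 1-second interval is the
    'modern' detector; a 300-second interval models legacy polling."""
    for end in range(interval_s, len(samples) + 1, interval_s):
        avg = sum(samples[end - interval_s:end]) / interval_s
        if avg > threshold_pps:
            return end - 1
    return None


def attack_packets_before_alert(samples: List[int], alert_t: Optional[int],
                                baseline_pps: int) -> int:
    """Packets above baseline that reached the target before the alert fired
    (all of them if the detector never fired) -- a proxy for damage done
    before any response could be mobilised."""
    end = len(samples) if alert_t is None else alert_t + 1
    return sum(max(0, rate - baseline_pps) for rate in samples[:end])


def compare_detectors(burst_s: int, threshold_pps: int = 20_000) -> dict:
    """Run both detector models over a burst of the given length and report
    when each alerted and how many attack packets got through first."""
    trace = make_sample_traffic(burst_s)
    result = {}
    for name, interval in (("legacy_300s", 300), ("modern_1s", 1)):
        alert_t = interval_detector(trace, interval, threshold_pps)
        result[name] = {
            "alert_second": alert_t,
            "attack_packets_before_alert": attack_packets_before_alert(trace, alert_t, 1_000),
        }
    return result


if __name__ == "__main__":
    # A 20 s burst is diluted to under the threshold by 300 s averaging and is
    # never seen by the legacy model; the 1 s model alerts in the first second.
    print("short burst (20 s):", compare_detectors(20))
    # A sustained 120 s flood is eventually caught by the legacy model too,
    # but only at the end of the polling interval, long after it started.
    print("sustained burst (120 s):", compare_detectors(120))
```

The short burst at 200,000 packets/s averages to roughly 7,600 packets/s over a 300-second interval, so a detector that only looks at interval averages never sees it cross a 20,000 packets/s line, while the same burst is obvious to a per-second check. The design lesson for defenders is that detection granularity must be shorter than the attacks you expect, not just the threshold lower.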
This necessitates a change in the ways in which we protect ourselves. Many, however, are still wedded to generic security protection. A recent Corero survey found that 58% of employers still use outdated DDoS solutions, including relying on corporate firewalls. Executives need to know that if they want to scale and innovate safely, their legacy protections may simply be inadequate.
Communicating this important security situation to people who don’t immediately grasp the gravity of the DDoS landscape can feel like an uphill struggle. However, by translating your understanding of the technical threat into business risk, you can help executives understand that DDoS defence means revenue protection and more.