As our businesses continue to digitise, and an increasing number of services are delivered via the cloud, we tend to have very low tolerance for downtime.
“Distributed Denial of Service (DDoS) attacks can rip straight into the heart of the modern digital enterprise, pulling down our mission-critical systems and leaving firms unable to operate,” says Darren Anstee, chief security technologist at Arbor Networks.
For cloud and hosting companies, the stakes are even higher. These types of companies carry the biggest risk as they effectively aggregate the risk of all their cloud customers – so that a DDoS attack on one customer in their environment can potentially affect other users.
But Anstee explains that decisions about investing in a high-quality DDoS defence system are often considered in the context of the basic financial impact:
- The cost of identifying, mitigating and recovering from an attack
- The lost value due to service interruptions
- The potential impact of customer frustration
- The SLA penalties and other contractual impacts
New dimension to ROI… A marketing opportunity?
However, as we try to build a business case for investing in DDoS solutions, there is an additional dimension that’s often not considered:
“Remember that the threats of DDoS attacks are rising to prominence, consistently ranking among the most important network security issues. Whether you’re a cloud provider offering hosted services, or an end-user of digital services operating in a value chain, your customers, partners, staff and other stakeholders will increasingly make decisions based on the resilience of your architecture.”
Customers will start flocking to competitors if your services go down. Potential talent will be less drawn to you if you’re a victim of a high-profile DDoS attack (or even if your website just happens to be down when they do a background check on you).
On the other side of the coin, he says, if your digital infrastructure is 100 percent resilient, always-on, and always providing a great quality of service, then you’re able to promote this as a brand attribute.
“In the past, security may not have seemed like something on which you could hinge a brand promise. But if you have the right tools, to guarantee services will never go down, then you can elevate yourself from the pack by emphasising your strong network and information security.”
It’s time to benchmark DDoS protection investment against more than simply the operational cost of recovering from an attack.
Anstee says Arbor Networks’ ROI calculator has been developed to understand the ‘total cost’ of a breach – across the dimensions of operational costs, revenue loss, brand damage, financial penalties, customer frustration, competitive disadvantage, and more.
This is then overlaid with scenario planning that draws on industry research into the likelihood of attacks of varying durations and intensities. The result is that DDoS protection can be cast in a very practical light, showing the total expected cost of DDoS breaches over a certain period.
“From there, it becomes easier to compare the costs of investing in DDoS protection solutions with the costs of expected breaches if no protection is in place,” he adds.
Multi-vector and application-layer DDoS attacks are only gaining in popularity, as attackers descend upon the many businesses out there that do not have dedicated DDoS protection.
While some businesses mistakenly believe that they can rely on other areas of their security estate, today’s attacks are highly complex – combining volumetric, application-layer and state exhaustion techniques, and leveraging armies of compromised botnet devices – and they can only be countered by dedicated DDoS protection.
The next wave of DDoS attacks could become even more sophisticated and difficult to handle, and the effects on unprotected businesses could include prolonged downtime and greater costs to recover.
As the threat landscape escalates, every buyer (from procurement experts to everyday consumers) becomes more aware of the importance of security and uptime. Above all else, people are looking for high-quality digital services that simply never fail, delivered securely and with great care for privacy.
“Make sure your brand is able to stand up and be counted, as these are factored into the decision-making process,” adds Anstee.
By Darren Anstee, chief security technologist at Arbor Networks.