The top concern of the 1,000 IT professionals surveyed in February of this year was the impact DDoS attacks have on customer service, with 51% listing it as their greatest concern.
More than 300 respondents reported they had been victims of DDoS attacks, with 35% of those attacks lasting more than 24 hours and 11% lasting more than a week.
“You have a one in three chance of a DDoS attack. It is something that IT teams and companies need to prepare for”, observed Ted Swearingen, director of the Neustar Security Operations Center.
For IT professionals in the retail industry, 67% who had experienced a DDoS attack pegged the costs of website outages at more than $100,000 per hour, equating to losses of $2 million a day.
“This is a significant amount of money. People don’t realize there are a lot of other costs associated with DDoS, such as brand damage”, Swearingen told Infosecurity. “With people looking at you as a prospective provider of some service and they see that you had a DDoS attack and your service went down, they might look somewhere else”, he added.
Overall, the survey showed that a significant number of companies face the risks of DDoS attacks, yet few have solutions designed to combat those attacks, with many relying solely on firewalls and intrusion detection systems. Less than 5% of respondents have a purpose-built DDoS mitigation product, the survey found.
“We have seen instances where firewalls become a bottleneck. They aren’t made to handle that type of volume and that many connections per second. So eventually they fall over. It only takes the one weakest link to take down your website”, he said.
This explains why so many attacks last days. Without adequate protection, companies are unable to prevent losses from adding up. While many respondents are aware of the risks to their customer experience and public trust, they haven’t taken the next step to safeguard their reputation, the survey found.
“DDoS attacks are becoming larger and more numerous, they are becoming more complex, and they are lasting longer”, Swearingen said. “Instead of having attackers attack you with one type of vector, they attack you with three or four vectors. You may be able to mitigate one, but you can’t mitigate all four of them”, he added.