Most small to mid-sized businesses would balk at the idea of spending the equivalent of an employee’s salary to cover the costs of a short-lived cyber attack. Yet that’s just what many SMBs do. And according to a recent report, certain types of SMBs could face even higher security-related expenses down the road.
Technology security company Kaspersky Lab says distributed denial-of-service (DDoS) attacks cost SMBs an average of $52,000 per incident, even though the majority of these attacks last no more than a few hours. Those are two of the surprising statistics from the firm’s Global IT Security Risks Survey 2014 – Distributed Denial of Service (DDoS) Attacks.
The costs cover short-term and long-term responses to DDoS attacks, including expenses to hire security consultants, costs related to temporary loss of access to business-critical information, and costs for new secure software and IT infrastructure.
Smarten up, e-commerce
But one type of company seems especially likely to face post-attack payouts: the straightforward e-commerce website. According to Kaspersky, e-commerce operators are among the most popular DDoS targets, but the least likely to protect themselves from attacks. Only 19% of the e-commerce firms in Kaspersky’s survey said ensuring continuity of service for business-critical systems is a top priority. As Kaspersky says, this is “strange given that their entire business model depends on being able to process online transactions.”
Are e-commerce firms kidding themselves? They seem to be acting as if DDoS isn’t a concern for them when it is. Unless they focus more on protection, they may jump from being one of the most popular targets to the most popular.
Hey IT: duck!
For now, IT and technology companies are the top target. Financial firms, on the other hand, are the lowest priority for DDoS users. That’s an eye-opener. We often hear that hackers are keen to attack financial targets, to steal financial data and sell it on the black market. But when it comes to DDoS attacks, technology companies are the prime focus.
The recent attack on the homepage of PC manufacturer Lenovo might help explain why. As Forbes reported, a purported member of the Lizard Squad hacktivist community took responsibility for the defacement, which replaced pictures of sleek new laptops with pictures of teenagers while the song “Breaking Free” from the movie High School Musical played in the background. This electronic protest followed news that the Superfish adware on Lenovo’s laptops “could be used to spy on the encrypted communications of anyone running the software,” as Engadget put it.
Although it wasn’t a DDoS attack, the alleged Lizard Squad act illustrates the fact that hackers are well aware of the work that IT companies undertake – and if that work annoys them, they swiftly punish businesses.
Compared to Trojan horses and keystroke loggers, DDoS attacks are a light threat. Users can’t deploy DDoS storms to steal data or penetrate networks. But as Kaspersky points out, hackers could use the DDoS technique for blackmail: “Pay us a ransom and we’ll cease our attack.” Kaspersky also found through its survey that 29% of companies said a DDoS attack damaged their credit rating, and 26% reported an increase in insurance premiums. So to any e-commerce operator that doesn’t think DDoS protections are important: get your high-tech priorities straight – or set finances aside to cover the costs of cleaning up after attacks.