Executive Viewpoint 2013 Prediction: Arbor Networks
Organizations are being faced with a broader and increasingly-complex set of threats to their Internet service availability and data confidentiality at exactly the time that many of them are embracing cloud-based data and application provisioning, as well as Internet-based service and product sales. In 2013 it is likely that threats will continue to become more numerous and complex. As we’ve seen, multi-vector DDoS attacks have become more common in 2012, with the recent US financial sector attacks being prime examples.
The continued mainstream press coverage of these kinds of attacks, and in some cases their associated costs, has increased the appreciation of the business risk they pose. We will see cyber threats like DDoS being considered alongside power failure, natural disasters, and physical security breaches as threats to business continuity. Finance teams will be more informed about cyber threats and will incorporate DDoS into risk models while CISOs will be asked to quantify DDoS risk to set IT security budgets. However, setting budget priorities for IT security investments is not an exact science. One needs to assess the threat landscape and allocate investments to minimize overall business exposure.
The business impact of an attack is a function of the length of time that services are unavailable and the value of those services. The impact is akin to losses from power outages or other failures of critical infrastructure. DDoS impact assessment starts with a simple question: What will be the total cost to the business if the most critical applications are down for 4, 8, 12, or 24 hours; 1 week; or even 2 weeks? The answer depends on the specifics of the business.
Because the goal of an attacker is to create maximum disruption, attacks are more likely to occur at the worst time. For example, online retailers are especially vulnerable during the period between Thanksgiving and Christmas and on “Cyber Monday” in particular. Therefore, the cost exposure calculation should take into account seasonal factors. An average data center of 2,000 square feet incurs $92K in losses per hour of downtime. There is high variability in cost per hour even when normalized for data center size. This variation is primarily a function of business type – businesses that are most dependent on their data center (colocation/hosting, ecommerce, communications, financial services) incur the highest costs per unit of time.
Repeated attacks causing outages greater than 12 hours are not uncommon. Therefore managers should take into account the risk and financial impact of annual outage time of 24 hours or more. For most enterprises, replacing a highly uncertain and risky cost outcome with the predictable, lower cost of effective DDoS protection is sound practice from a security perspective as well as a financial perspective.