We would like to keep you up to date with the latest news from Digitalisation World by sending you push notifications.
Digital Newsletter
Each week our editor Phil Alsop rounds up the most popular articles, videos and expert opinions. We compile this into a Digital Newsletter and send it straight to your inbox every week.
Digital Magazines
We'll let you know each time a new edition of Digitalisation World is released so that you're always kept up-to-date with the latest and greatest news and press releases.
Video Magazines
The Digitalisation World Video magazine contains the latest Zoom interviews with experts in the industry.
The threat of ‘Distributed Denial of Service’ (DDoS) has reached a critical level. Every week there seems to be a different story about a business being affected by this type of cyber-crime. With multi-million pound budgets, larger businesses are able to recover more easily from such attacks but for small to medium-sized businesses (SMBs), one attack could plunge them into free-fall. SMBs simply do not have the budget to protect themselves against these attacks, which leaves them vulnerable to opportunistic ‘hacktivists’.
While many business leaders are coming round to the idea that they need to protect themselves against DDoS attacks, for some the realisation comes all too late. Websites can completely disappear from the Internet and companies find that their orders have all but dried up. Here, Tim Pat-Dufficy, managing director of hosting experts ServerSpace, explains why business owners need to be aware of the risks and the losses they could incur if they do not have the correct security measures in place.
What exactly is a DDoS attack?
The first DDoS attack occurred during the late 1990s and by the year 2000 retail sites were already being targeted. However, it was only around five years ago that companies started to feel the very real threat coming from such attacks. Now, attacks of this nature occur thousands of times a day and this figure is growing sharply. Not only that, but research suggests that these attacks are lasting longer and hitting harder.
In March 2013 mass media reported that the DDoS attack against anti-spam organisation, Spamhaus, registered an intensity level of 300 Gbps - the highest level seen to date. Over a matter of weeks, the entire Spamhaus infrastructure was damaged and its customers were left without service. The overall impact was nothing short of disastrous for the company and led to a number of arrests. What’s more, the technique that was used in this attack has been used by other hacktivists since March, which is bad news for business owners.
The average duration of a DDoS attack lasts between nine and ten hours, which is enough time for hackers to completely dismantle a business. Cyber-criminals target businesses by sending hundreds of thousands of requests a second to a website. When the destination server tries to process the requests, it shuts down and when future requests go through, the server then does not respond. Legitimate traffic to the website is unable to contact it and service is denied.
Bringing a website to its knees
Earlier this year student Christopher Weatherhead, 22, was convicted for his role in hacking group Anonymous’ DDoS attacks on PayPal, and received a sentence of eighteen months in prison.
The attacks, which made headlines throughout the world, reportedly cost the e-commerce business £3.5 million and sent shockwaves through the technology industry. This highlights the ease with which hackers can target businesses that think they have secure firewalls and IP security measures in place. Students like Weatherhead can bring a website to its knees. If one British student can have this effect on an international company worth millions, it proves that these attacks no longer need to be sophisticated or expensive to launch.
Reputational implications
The impact to a business is not just a straight-forward monetary one. The reputational damage that any sort of downtime can have may prove detrimental – not only to the business’ short-term performance, but longer-term too. This damage can be irreversible and in today’s competitive business environment, every minute the site is down could result in the exodus of customers to welcoming competitors.
Imagine that you are a customer trying to purchase something online – yet you find that the website suddenly (and without reason) will not work. Instead of trying another alternative to buy from the same company, you will simply take your business elsewhere. Now imagine that this is your website that people are turning away from, because you have been hit by a DDoS attack. The impact on smaller businesses in particular is difficult to imagine.
How to protect your business against DDoS attacks
Dedicated DDoS protection was once only available to large companies, but now there are more affordable solutions for companies that do not have multi-million pound budgets. SMBs have two choices to protect themselves; the first is to have a dedicated IT team that can monitor around the clock for possible attacks. The second would be to select a hosting provider to host your website, which takes the headache out of both monitoring for attacks and reacting to them. In any case, DDoS protection should be a key component of any business’ structure because without it a business is left vulnerable to some of the most destructive cyber-attacks that hackers can orchestrate.
The barrier to entry of DDoS attacks in terms of cost has largely gone. Anyone can launch an attack: serious criminals, a group of blackmailers, or just disgruntled ex-employees. On the flip side, that also means that anyone can be the victim – businesses with as few as five employees have been targeted.
SMBs must acknowledge that they will not be able to combat DDoS by themselves. So long as they have a supported web security procedure in place and are aware of the risks and potential destruction that attacks of this nature can have, then the threat level to the business will be reduced significantly. The biggest mistake a business can make going forward will be the failure to recognise the severity of DDoS attacks.
