As we approach the holiday season, there is no shortage of tech articles about distributed denial of service (DDoS) attacks and how they are such a huge Q4 problem that they demand awareness and, of course, a comprehensive DDoS mitigation strategy. From all of the buzz, one might actually believe that DDoS is not a problem outside of e-commerce or the holiday season. Even the security professionals who know better often find themselves making last-minute contingency plans, despite knowing that proper planning months in advance would have reduced the cost of the mitigation solution and substantially limited the damage during an attack. DDoS mitigation is not substantially different from commercial travel: this is the season when security firms begin ratcheting up their prices and launching holiday season awareness campaigns.
It is important to avoid tunnel vision and remember that everyone from the average consumer to the large enterprise can be a victim of DDoS attacks, and that the risk remains substantial year-round. The scope of the threat varies between individuals and organizations, between industries, and between seasons, but any organization that generates revenue online, and its customers, can be a victim. For the organization, the cost of advance continuity planning cuts into earnings. Those that fail to plan find themselves buying costly emergency DDoS mitigation services and suffering damage to their reputations and to customer confidence. Irrespective of the category in which an organization falls in terms of DDoS attack planning, every single customer becomes a victim, since the expense of information security becomes a pass-through cost. This is the digital equivalent of shoplifters raising prices at brick-and-mortar establishments.
Major e-commerce brands are year-round targets. It is hard to imagine Wal-Mart or Best Buy not having comprehensive defenses in-house, and nearly every online retailer has planned for these attacks. One might recall that the first major attacks in 2000 were against e-commerce and included Amazon, Buy.com, and eBay. Unfortunately, it has been consumers and investors who foot the bill for this added security.
The ROI of implementing DDoS mitigation controls
In major companies, decision makers weigh the case for investment in information security by evaluating the expected loss from information security incidents, such as DDoS attacks, and determining the return on investment (ROI) of implementing controls, such as DDoS mitigation. For illustrative purposes, we will use Amazon as an example.
Amazon reported $21 billion in sales for Q4 2012, which over a 90-day quarter breaks down to roughly $9.7 million per hour. At a gross margin of 24.75 percent, the gross profit per hour was roughly $2.4 million. Assume that without DDoS mitigation in place Amazon would lose one hour of sales to attacks, and that DDoS mitigation costing $1 million would reduce the exposure to three minutes of downtime, a residual loss of $120,000. This gives Amazon the choice of accepting the risk at an expected cost of $2.4 million or mitigating it at a total cost of $1.12 million ($1 million for the control plus $120,000 of residual loss). Mitigation therefore costs 46.67 percent of the loss it avoids; put as a return on the $1.12 million outlay, the avoided net loss of $1.28 million is a ROI of roughly 114 percent, which will lead the company to mitigate the risk and purchase the DDoS mitigation system.
Why the smaller retailer is much worse off
Imagine the same scenario for a company with Q4 sales of $200,000, which at the same 24.75 percent margin is a gross profit of $49,500 for the entire quarter. It is cost-prohibitive and impractical for small companies to run in-house DDoS mitigation systems, so the company will look to a service-based solution. An emergency DDoS mitigation service with a 12-month term may have a total contract value of $120,000, more than twice the quarter's gross profit, so even an attack that took the store offline for the whole quarter could not justify the spend: the retailer is immediately in negative ROI. This means the company is effectively forced to accept the risk of DDoS attacks. If an attacker learns that the company has no DDoS mitigation whatsoever, the result could be near-permanent downtime, quickly leading to lost sales, loss of consumer confidence, and eventually bankruptcy.
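The expected-loss model behind both scenarios above, written out as a small calculator. This is an added example and not part of the original article; the 90-day quarter, the three-minute residual outage for the large retailer, and the whole-quarter outage for the small retailer are assumptions chosen to reproduce the article's figures.

```python
from dataclasses import dataclass


@dataclass
class DdosScenario:
    """Inputs to the accept-vs-mitigate decision for one quarter (all money in USD)."""
    quarterly_sales: float        # revenue for the quarter
    gross_margin: float           # fraction of sales that is gross profit, e.g. 0.2475
    expected_downtime_h: float    # hours of sales lost to attacks with no control in place
    control_cost: float           # what the mitigation control costs for the quarter
    residual_downtime_h: float    # hours still lost even with the control in place
    hours_in_quarter: float = 90 * 24   # assumption: 90-day quarter, as in the article

    def profit_per_hour(self) -> float:
        return self.quarterly_sales / self.hours_in_quarter * self.gross_margin

    def loss_if_accepted(self) -> float:
        """Expected loss when the risk is simply accepted."""
        return self.profit_per_hour() * self.expected_downtime_h

    def cost_if_mitigated(self) -> float:
        """Control price plus the loss that still occurs during residual downtime."""
        return self.control_cost + self.profit_per_hour() * self.residual_downtime_h

    def roi(self) -> float:
        """Return on the mitigation outlay: (loss avoided - outlay) / outlay."""
        outlay = self.cost_if_mitigated()
        return (self.loss_if_accepted() - outlay) / outlay

    def control_exceeds_max_loss(self) -> bool:
        """True when the control alone costs more than the quarter's entire gross profit,
        i.e. no attack, however long, could make it pay off."""
        return self.control_cost > self.quarterly_sales * self.gross_margin

    def decision(self) -> str:
        return "mitigate" if self.roi() > 0 else "accept"


# Article's large-retailer figures: $21B quarter, 1 hour lost, $1M control, 3 minutes residual.
LARGE_RETAILER = DdosScenario(21e9, 0.2475, 1.0, 1e6, 3 / 60)

# Article's small-retailer figures: $200K quarter, $120K service contract. Assumption:
# the worst case, an attack that keeps the store down for the whole quarter.
SMALL_RETAILER = DdosScenario(200_000, 0.2475, 90 * 24, 120_000, 0.0)


def summarize(s: DdosScenario) -> dict:
    return {
        "profit_per_hour": round(s.profit_per_hour(), 2),
        "loss_if_accepted": round(s.loss_if_accepted(), 2),
        "cost_if_mitigated": round(s.cost_if_mitigated(), 2),
        "roi": round(s.roi(), 4),
        "control_exceeds_max_loss": s.control_exceeds_max_loss(),
        "decision": s.decision(),
    }


if __name__ == "__main__":
    for name, scenario in (("large", LARGE_RETAILER), ("small", SMALL_RETAILER)):
        print(name, summarize(scenario))
```

The `control_exceeds_max_loss` check is the one to run first when shopping for a service: if the contract costs more than the gross profit it could ever protect, no estimate of attack likelihood changes the answer.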
Essentially, everyone shares some of the pain when it comes to DDoS attacks, but it is the smaller online retailers that are left the most exposed. Small firms generally cannot afford enterprise-grade solutions and often lack in-house information security capabilities. An emergency DDoS mitigation service is a quick fix but comes at a substantial cost, easily reaching into the thousands of dollars per month.
Consider your company's size when shopping for mitigation solutions
A decade ago the Internet was viewed as an emerging technology that would allow anyone to bootstrap a company and sell online. Today it has become a complex, insecure environment that continues to favor well-capitalized corporations.
This problem is best quantified using the aforementioned ROI model. Where major retailers can easily find ROI in costly security solutions, smaller retailers face a harder decision as to whether to mitigate or accept the risk of attack. In practice many small companies choose the latter, as it is the option with the greatest upside, but at the risk of devastation if targeted by an attacker.
Fortunately, there are practical solutions available for smaller companies. These require advance planning and an understanding that DDoS protection and information security are fundamental concepts that must be built into a company's business plan year-round.
All companies should work with a security firm or consultant experienced in mitigating DDoS attacks to determine which solutions make the most sense for the size of the business being protected, and therefore offer the most attractive ROI.
Jeffrey A. Lyon, CISSP, is the founder of Black Lotus Communications, a secure hosting firm specializing in DDoS attack mitigation.