In a standard DDoS attack on a financial institution, there is no money stolen. No accounts are accessed, no PINs or passwords are stolen, no one’s hard-earned anything goes down the drain. So how is it that a standard DDoS attack can cost banks millions of dollars?
The answer, unfortunately, is very easily.
A DDoS, or distributed denial of service, attack has one main objective: to render a website or online service unavailable to the people who want to use it. Secondary goals include negatively impacting a business, possibly for the sake of competition, staging a protest, generating user outrage on social media, extorting funds using DDoS ransom notes, gaining publicity for DDoS-for-hire services, or even just having a laugh at someone else’s expense.
Thanks to booters and stressers, otherwise known as DDoS-for-hire services, there’s been a major uptick in the number of DDoS attacks targeting websites and businesses big and small all over the internet. And because those booters and stressers use massive botnets powered by tremendous numbers of unsecured devices in the Internet of Things, the attacks coming from them are no longer just the short, low-volume attacks on small targets the for-hire services were known for. Anyone willing to spend a bit of Bitcoin can launch a truly devastating attack. This leaves oft-targeted industries like financial services reeling, caught in the crosshairs of professional attackers as well as the people willing to pay to use the DDoS tools designed by them.
In the red
DDoS attacks recently made headlines when it was reported that an attack can cost a financial institution, on average, over one million dollars. This is a mind-boggling number, especially considering – as mentioned above – that DDoS attacks aren’t typically about theft but about disruption. For the financial industry, however, the disruption caused by DDoS attacks is at the root of much bigger issues.
To begin with, when a bank or other financial institution is unable to adequately protect against distributed denial of service attacks, it leaves users unable to access their accounts, make payments or complete other types of transactions, some of which may be essential. Attacks are often timed to take advantage of the traffic surges that come with end-of-the-month pay periods and bill due dates.
Perhaps even worse, successful DDoS attacks also call into question how seriously that institution is taking its online security. When it comes to their money, people need to be able to trust that it’s secure, and an outage caused by a DDoS attack undermines that trust, especially now that DDoS attacks can be used as a distraction for a more serious intrusion, one that can result in the theft of personal data including payment card information. The frustration and erosion of trust caused by these attacks translate to a damaged brand reputation and a long-term loss of loyalty from customers, one that is felt sharply in an industry like finance.
After the initial money spent mitigating the attack, which has been estimated anywhere from $20,000 per hour to $22,000 per minute, it’s often necessary for businesses to replace software or hardware damaged in the attack. With those logistics taken care of, it’s the loss of customer loyalty that ultimately pushes the cost of a DDoS attack up to millions of dollars for financial institutions.
Bad for all business
The numbers attached to successful DDoS attacks on financial institutions are staggering, but the damages suffered by businesses in other sectors aren’t far behind, clocking in at just over $950,000. Sticker shock aside, some DDoS consequences are so severe they’re impossible to come back from. Online services can be restored, hardware and software can be replaced, but in some cases, customer trust and loyalty will never be regained. Whether a business is in the financial sector or not, distributed denial of service attacks need to be stopped with professional DDoS mitigation. Having a million dollars available to deal with the fallout doesn’t mean the effects of an attack will be erased.