DDoS and Financial Institutions: The High Costs and Why Mitigation is Critical

For banks and other financial institutions, cyberattacks are coming fast and furious. Distributed Denial of Service (DDoS) attacks can now be launched for petty cash, without any technical skills whatsoever. What are the costs of launching attacks, and what does a bank do to defend itself against the onslaught of the infamous DDoS attack?

Easy as pie

DDoS has been a banking security concern for a long time, but it has been a different kind of security concern compared to today’s DDoS worries. In the past, a DDoS attack required a determined actor that had the technical knowledge or substantial resources to spend on a technical team. This meant that DDoS attacks were less frequent and generally aimed at achieving a very specific objective. But today DDoS attacks are so easy even a scruffy teenager can do it.

The entire DDoS scene has changed with cheap, for-hire DDoS services making it easy to launch a DDoS attack. As easy as ordering website hosting, or just about any online service. Effectively, anyone with any kind of motive can launch an attack.

For example, in August 2018 the Bank of Spain suffered from a DDoS attack that choked its website to death. The Bank of Spain, as a central bank, does not even provide services to the public. The motive for the attack is unknown, but it just goes to show that the DDoS playground is now wide open and that attacks can be launched at the slightest whim.

DDoS costs are severe and can badly damage banks

Financial institutions need to be cognizant of the costs of a DDoS attack. DDoS costs are multi-tiered and can bring any business to its knees. When considering the costs of a DDoS attack financial institutions should take into account:

Mitigation costs. Stopping an ongoing attack is costly in itself. Doing so involves the ongoing efforts of internal staff members plus the involvement of external security experts. Service providers will also charge for any damage done to networks. Stopping an attack is expensive.

Lost business due to disruption. An ongoing attack prevents customers from going about their daily business. This can lead to a loss in revenue for a bank as transactions simply cannot take place. DDoS attacks can be difficult to mitigate and can take services out of action for days at a time. The associated losses can be immense.

Criminal acts disguised by DDoS. Often DDoS is not the end goal. Many DDoS attacks are launched to serve as a disguise for another attack. Banks may be attacked through DDoS vectors only for the real crime to be committed while staff are distracted. Factor in the cost of millions of stolen records—or indeed millions in stolen cash.

Reputational damage. Easily outweighing all of the aforementioned costs put together is the reputational damage a DDoS attack can cause. Financial institutions can only operate if the trust of customers is maintained. Lose this trust and customers will walk. Banks should be aware that mere reports of a DDoS attack, even if it causes no damage, can lead to massive reputational damage—and the associated costs.

With the costs of DDoS attacks so evident, and with DDoS attacks so easy to launch, the conclusion is clear: financial institutions need to accept DDoS as a day-to-day reality that cannot be ignored. That said, DDoS attacks can be mitigated.

DDoS mitigation is both essential and feasible

While accepting DDoS as a present-day reality, financial institutions need not and should not sit with their hands folded. Though being a target of a DDoS attack is more or less inevitable, suffering from serious consequences is not. In protecting against the worst effects of a DDoS attack, financial institutions can do the following:

Stay alert. Early warnings and indicators can help banks shore up their defenses against a DDoS attack. Waiting until customers report service downtime is simply not good enough. Instead, your financial institution’s IT staff should be the first to know, before customers even notice.

Use DDoS protection. Cloud-based DDoS protection with enormously high absorptive capacity is available from select vendors. A good DDoS vendor will add powerful AI-based protection into the mix while also reporting on attack attempts and risks. These vendors can stop a DDoS attack before it has a chance to cause any real damage.

Communicate with customers. Many DDoS attacks cause no lasting damage whatsoever—nothing is stolen, and the inconvenience for customers is minimal. Only reputational damage remains, communicating with customers can significantly reduce the reputational damage. Re-assure customers that though an attack was launched that attacks are commonplace, and that customer data is safe.

Involve law enforcement. DDoS is a scourge that plagues every business. Only by involving law enforcement can the source of attacks be stopped. The recent take-down of a large DDoS-for-hire operation is one example. However, if DDoS attacks are not reported law enforcement cannot act.

It all comes down to a well thought out DDoS defense strategy that involves alertness, mitigation, and communication. DDoS defense also requires the involvement of highly qualified anti-DDoS vendors as internal security teams could not possibly cope with today’s large-scale attacks. Indeed, a multi-pronged DDoS defense strategy involving both internal teams and external vendors are the best approach for financial institutions that want to stay clear of the DDoS minefield.