16 July 2021
Without doubt Covid-19 has had an unforgettable impact on businesses, causing an unprecedented strain beyond the inevitable human resourcing and remote working issues. In fact, almost half (45%) of business leaders claim that their company experienced more network security incidents over the last 12 months as a result of the Covid-19 pandemic.
These are the stand-out findings of our latest research entitled Enterprise Network Security 2021: A Post-Pandemic Threat Landscape Report which was conducted with over 400 C-Level IT leaders in large enterprises in four of the world’s largest markets to understand the current corporate security concerns at the top of business. In fact, 55% of US and 49% of UK respondents experienced the most severe impact to their network security due to these attacks which suggests that their businesses are more of a target than those in continental Europe. The net result? A sizeable 60% of respondents have increased their investment in this area.
THE WHAT: The business impact
A sizeable 68% of leaders said their company has experienced a DDoS attack in the last 12 months with the UK (76%) and the US (73%) experiencing a significantly higher proportion compared to 59% of their German and 56% French counterparts. Additionally, over half of all participants confirmed that they specifically experienced a DDoS ransom or extortion attack in that time, with a large number of them (65%) targeted at UK companies, compared with the relatively low number in France (38%).
The results also highlight that there is a financial motive behind many DDoS attacks and that the impact of these DDoS attacks has been dramatic for some: 11% of respondents said that such an attack posed a threat so serious that it could have undermined business continuity. A further 40% said that such an attack had a major impact, resulting in significant disruption and loss of business revenues.
The knock-on effect had a significant impact on the sense of vulnerability among business leaders resulting in 51% of them feeling more exposed to cyber attacks since the pandemic. With the findings clearly suggesting that UK businesses are being specifically targeted, it’s clear that the heightened fears of US and UK businesses, in particular, are entirely justified.
THE WHERE: The security pain points
The leaders we surveyed cited the biggest overall security threat to their business as being the network, alongside systems and applications. And it’s clear to see why: a startling 78% of them revealed that they responded to up to 100 network security incidents in the last 12 months. As for the nature of the cyber threats faced, it is no surprise to find that phishing is regarded by over half of business decision makers as the main cyber threat to their business. More telling, perhaps, is the fact that almost as many (49%) view DDoS attacks at the same level.
As the network is probably the most vulnerable part of the security stack because of its inherent exposure to the outside world – often connecting a multitude of network elements across long distances - when it fails, so do all the systems and workflows that depend upon it. It is little wonder that network security is also by far the biggest security cost for business, with 42% of leaders citing it as their greatest security outlay.
THE HOW: Mitigating attacks
To counteract the network security threats, nearly half (45%) of leaders currently mitigate DDoS attacks by using ISP/network provider DDoS protection. A significant number have their own in-house mitigation/scrubbing capabilities (34%). Cloud-based solutions are utilised by less than a fifth, while a small but worrying three in 100 businesses don’t mitigate at all.
Interestingly, when asked about their familiarity with network service providers’ DDoS protection services, more than half (53%) of respondents said that they do not consider themselves to be familiar with the DDoS protection services offered by network service providers. Leaders in the US displayed the highest level of familiarity, while those in France had the lowest.
IMPLICATIONS FOR ENTERPRISES
Enterprises need to evaluate potential security threats throughout their entire ICT ecosystem if they are to successfully face down the ever-increasing severity and unpredictability of evolving threats in an increasingly digitalised (and distributed) business environment.
In particular, points to consider should include:
• The constantly evolving nature of security threats – experience from the pandemic should be used as an opportunity to review vulnerabilities and beef-up security where necessary.
• The geographical threat landscape – what are the main threats and vulnerabilities within the geographies in which they operate?
• Business-specific threats – how are cybercriminals targeting different industries and where should the focus on mitigation be?
• Strategies to meet the threat of extortion-based DDoS attacks
• The physical security (and potential suppliers) of their own networks and that of suppliers providing underlay – businesses need to look beyond logical connectivity and demand full transparency from their suppliers with regard to the resilience of physical network assets throughout the extended supply chain – including their hardware vendors and datacentre partners. They must ensure that their network providers have full visibility (and control) of the underlying network infrastructure.
• Logical network security across the ecosystem – do potential suppliers take a robust approach to routing security and security within their network production environment?
• All available DDoS protection options – what are the different services available, and which ones afford the best protection for particular business needs? Businesses might be missing out on an effective and efficient opportunity to mitigate DDoS if they overlook network provider mitigation options.
Mattias Fridstrom, chief evangelist at Telia Carrier
It will be those enterprises that act on the lessons learned from the Covid-19 pandemic and scale their security programmes with sufficient headroom who will successfully protect their business from future, and as yet unforeseen, threats.