How common are distributed denial of service attacks? Very common, according to a survey of business executives released last week by The Hartford Steam Boiler Inspection and Insurance Company (HSB). According to that company’s press release, 35% of those companies surveyed said that they had experienced a DDoS attack in the previous 12 months. The most common cyberattacks were malware (53 percent) and viruses (51 percent).
It’s hardly a surprise that DDoS attacks are so common. What is surprising is that so many companies still lack adequate DDoS protection. Our own 2017 survey of IT professionals found that 58 percent of security professionals are still relying on “home grown” open source solutions, or traditional security infrastructure like firewalls, to protect themselves against DDoS attacks. Just more than a third (36 percent) are adopting cloud-based solutions, including scrubbing centers, and an additional 35 percent are using on-premises DDoS mitigation products.
Does Cyber Insurance Help?
Interestingly, the HSB survey found that “Almost two-thirds of companies (61 percent) purchased or increased their level of cyber insurance coverage over the past year, and 56 percent of them purchased cyber insurance for the first time.” Although cyber insurance can be handy after an attack, it usually does not cover all the losses incurred as a result of a major DDoS attack.
DDoS attacks cost not only time and money in the form of internal or external IT resources to bring a company’s network back online, but also create loss of revenue, brand reputation and customer trust. It’s quite obvious that network or website service availability is crucial to ensure customer trust and satisfaction, and vital to acquire new customers in a highly competitive market. When an end user is denied access to Internet-facing applications or if latency issues obstruct the user experience, it immediately impacts the bottom line; this is especially true in some industries such as online gaming and web hosting. In other industries, such as bio-pharma and financial services, customer trust in cybersecurity is critically important, and it can be harder to measure those intangible costs.
There are multiple types of cyber insurance, in terms of cost and coverage. If your company is vetting insurance companies, ask how it would compensate your company in the event of a DDoS attack. Consider that there are the direct costs that can be measured in dollars, including downtime and lost revenue; the cost of remediation to get systems back online; and the cost to repair or replace damaged systems. But it is more difficult to measure the loss of brand trust or revenue loss?
Cyber insurance is not a bad thing, but it may not outweigh the costs incurred by a DDoS attack. For companies that are weighing the pros and cons of cyber insurance protection versus DDoS protection, “both” may be better solution than “either/or.” One thing is for sure, companies should not substitute cyber insurance for DDoS protection. For one thing, it may be more affordable to get DDoS protection as a service from your Internet Service Provider (ISP).