European IT professionals report securing business continuity as the #1 challenge, even more than avoiding revenue loss or protecting reputation
European Threat Landscape
Managing cyber-security in Europe sometimes feels like walking through a minefield, where you have to calculate the risks with each step in order to make it safely. Between EU and / or local regulations, the ambition to keep the organization secure by all means, and the business demands to be dynamic and agile, it is easy to spot the CISO in a board meeting – look for the person who looks the most frustrated.
There is a correlation between a growing number of unhappy CISOs and security events. A lot has been discussed concerning the evolution of cyber-attack tools into mature, powerful and sophisticated programs, and the growing resources companies have to invest in technology, labor, compliance and skill.
We at Radware went ahead to get a closer look at the concerns and experiences of European companies. As part of our Global Application and Network security report, we surveyed more than 150 security professionals – from companies of all natures – across Europe and I’m happy to share their lessons in this blog, hoping to provide useful insights to those unhappy CISOs.
Yet, one thing that seems organizations are not capable of doing is moving with the right speed. They keep lagging behind due to many reasons, but the result is a growing chasm between the level of preparedness and the available tools in their possession. Some lack the right solutions, some simply lack the awareness and others lack the skill. Obviously, the majority (55%) express frustration with available budgets and headcount.
Perils hovering above the continent
Apart from the economic unrest caused by Brexit, the Euro devaluation and other political debates, 2016 introduced a new level of threats that European businesses have suffered from. First, the cyber-ransom plague that hit every other organization in the continent. Second, more and more hackers and cyber-criminals are taking advantage of SSL traffic to launch cyber-attacks.
Third, OVH – a French hosting company – was hit by allegedly the largest DDoS attack ever officially reported, suffering massive traffic bursts ranging between 100Gbps and a total of 1Tbps!
This attack demonstrated the power of IoT botnets and was followed by a failed takeover attempt on 900,000 routers belong to Deutsche Telekom 2 months later. Just imagine the amount of traffic 9000,000 enslaved devices can genereate. So Europe had a taste of IoT botnets, and now when their source code has become public, it should be prepared for more.
Is SSL Always Safe?
As the question implies, obviously not. Encrypted communication requires a lot more resources from the network components such as the Firewall, ADCs and the servers themselves, which in many cases are falling short when the load is growing. Considering SSL traffic over the internet has grown by 48% – and 35% of LAN / WAN traffic – companies must be able to match the requirement in order to continue to be able to securely serve their clients.
SSL-based attacks are the fastest growing attack vector in Europe (see figure 4) – as validated by 29% considering it as their principal weakness in the case of an SSL-based DDoS attack (vs. 23% in 2015) – less than one in four companies (23%) confidently say they are able to mitigate one.
Internet of Things (IoT) Botnets Open the 1Tbps Floodgates
On September 21st, 2016, a French hosting company was hit by allegedly 1.2Tbps DDoS attack. This record-breaking volume was generated by ~145,000 IoT devices that were all infected with the remotely-controlled Mirai botnet. Ten days later, Mirai turned out to be the first IoT open-source botnet, upon the release of its source code to the community. Mirai exemplifies why preparing for “common” attacks is no longer enough. Not only it is capable of generating masses of traffic, far beyond the capacity of most organizations around the globe, it also features sophisticated attack vectors such as GRE floods and DNS water torture attacks. Security strategies cannot remain the same when such a threat is lurking. Companies have to adjust their mitigation plans not only in preparation for a large volumetric attack, but also for the event of being attacked by a mutation or a customized version of Mirai. This is a “known unknown” that can only be detected by intelligent automation such as behavioral analysis or machine learning.
While this may sound too similar to sci-fi to many businesses, the reality is that 76% of European organizations suffer low volumes (below 1Gbps) of DDoS attacks resulting in loss of productivity, poor customer experience and damage to the brand perception.
Cyber-Ransom Plague hits every second European enterprise
Until the IT press turned the spotlight on the IoT botnets, the #1 topic was a plague of ransom attacks hitting companies worldwide, but particularly prevalent in Europe. Most ransom attacks appeared in the form of hundreds of encrypting malware types – which became more and more sophisticated as defenses and patches followed – and in another form, as extortion letters followed by DDoS attacks. Unfortunately, this was a very rewarding attack method for perpetrators and other criminals, which are expected to take it to the next level in 2017, threatening critical systems and even public infrastructures. It was so successful that some copycat groups used this method of extortion, with no real attack capabilities at hand. They just counted on the stress to do the job. 49% of European organizations named ransomware as the #1 motivation behind cyber-attacks they suffered this year.
I find it both surprising and unfortunate that European organizations express the least level of preparedness compared to other territories. You can see the following scores that demonstrate where they fall short. Our findings should be an alarm call to EU businesses as they are probably struggling with ghosts in the form of a variety of issues they don’t have the visibility into, and doubtfully know about.
Service Availability is #1 Concern
Partial or full service availability impact (34%), together with data leakage (23%), were the top two concerns for European organizations in 2016 – more than reputation loss or revenue loss.
69% point at service outage / degradation as causing the most damage to their business.
44% do not have ER plans
At the beginning of this post, we noted that European organizations tend to be targeted more. Add to that our global report’s finding that 98% of businesses suffered at least one attack a year – there are still a huge number of enterprises in Europe that do not have an emergency response plan for a cyber-security incident. Obviously, designing such a plan in advance will not only assist in quick elimination of the threat, but also reduce associated costs (see more in our global report).
79% don’t calculate the real cost of cyber-attacks
If companies knew what the real cost of cyber-attacks is, perhaps 44% of them could say, “I don’t need an ER plan.” But this isn’t the case, as the vast majority of European organizations did not come up with a formula and therefore do not know the real cost. Moreover, they seem to provide the lowest estimation compared to other geographies. Our global report shows that companies who calculate such costs provide nearly as double the estimation – meaning security professionals in Europe better pay attention and reevaluate.
To learn more on European threat landscape trends and real life experiences please download the report here.
To read Radware’s Global network and application security report please click here. It features a thorough analysis of an IoT botnet, 3rd party viewpoints, vertical breakdown, hacker profiling and much more!