Like any pirate, most cybercriminals prefer easy targets. So, while the number of attacks continues to increase, the majority of them are looking to exploit vulnerabilities that are easily defended. A new report from Arbor Networks suggests that the number of sophisticated cybersecurity attacks being launched is on the rise, though.
Based on a survey of 354 service providers and network operators, the 11th annual Worldwide Infrastructure Security Report (WISR) finds that 56 percent of respondents reported multi-vector attacks targeting infrastructure, applications, and services simultaneously, up from 42 percent last year. A full 93 percent reported application-layer distributed denial-of-service (DDoS) attacks, and the most common focus of those attacks is now DNS servers instead of the HTTP protocol itself.
In terms of size, the largest attack respondents reported was 500 Gbps, with others reporting attacks of 450 Gbps, 425 Gbps, and 337 Gbps. The report notes that the size of these attacks has grown 60-fold in the past 11 years.
Targeting IT service providers
Historically, DDoS attacks have been launched by vandals and activists trying to make a statement. But as these attacks become more sophisticated, Arbor Networks surmises that cybercriminals are now using DDoS to extort money from their victims. IT service providers are being targeted because every minute a service is unavailable costs them money, and cybercriminals hope to use them as a gateway to extort money from their customers as well.
Of course, defending against these attacks requires more IT investment, both in additional security technologies and in hiring the people with the expertise to manage them. While there is hope that machine learning algorithms and other forms of artificial intelligence will help contain those costs by automating IT security defenses some day soon, in the short term IT service providers should expect a larger percentage of their overall budget to be consumed by IT security.
Strength in numbers
The challenge, of course, is going to be figuring out what the right level of IT security should be. Given the level of risk IT service providers have, the level of IT security investment they need to make is much higher than that of the average enterprise IT organization. In fact, that level of investment is often part of a service provider's core value proposition.
As a general rule, IT service providers can deliver IT services more securely because the cost of delivering those services is aggregated across hundreds of customers. In contrast, the average enterprise IT organization is challenged by the level of IT security investment required, and it generally can’t compete for IT security experts, who command premium salaries today.
IT service providers simply can’t afford to give IT security investments short shrift. The only way they can mitigate those costs is to spread them across a broader number of customers that wind up being much more secure as a result. Much like the days of old when merchants formed convoys to ward off pirates, the good news is that there continues to be strength in IT security numbers.