Why U.S. Enterprises May Be Overconfident About DDoS Defenses

Survey results reveal 88 percent of U.S. businesses are confident in the current state of DDoS threat mitigation–the highest proportion in the international study–despite high percentage of verified attacks.


Are U.S. enterprises way too cocky about whether they can handle a serious DDoS (distributed denial of service) attack on their IT systems?

A new report released Nov. 7 by global content delivery network and cloud security provider CDNetworks has found that a whopping 88 percent of U.S. businesses claim confidence in their current DDoS mitigation structures, despite the fact that 69 percent of them suffered a DDoS attack in the last 12 months.

The 69 percent data point represents the second-highest proportion of successful attacks, beaten only slightly by the UK at 71 percent.

A (DDoS) attack is one in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

Some well-known DDoS attacks recently included those that hit domain name service provider Dyn, internet security researcher and analyst Brian Krebs, the Hillary Clinton and Donald Trump campaign sites, the Rio Olympics site and several Russian banking sites. More than 200,000 DDoS attacks are inflicted upon the world’s businesses every month, according to Securelist.com.

This latest research conducted by Sapio Research for CDNetworks surveyed 500 senior IT personnel with material control over IT security from organizations in the U.S., U.K., Germany, Austria and Switzerland. U.S. businesses’ overconfidence in their DDoS arrangements and recent track record of being breached is all the more concerning given 88 percent of respondents believe that new attacks to be likely or almost certain in the next 12 months, compared to 77 percent in Germany, Austria and Switzerland.

The self-assurance of U.S. companies appears to stem from their high and growing DDoS investments, and their long track record in investment in DDoS mitigation. Data points from the research include:

  • Businesses in the U.S. are spending the most on DDoS mitigation – an average of $34,750 per year as compared to DACH (Deutschland, Austria and Switzerland) respondents who have spent only $29,000 on average. More than a quarter (26 percent) of all U.S. respondents have invested more than $53,000 in DDoS mitigation technologies in the last 12 months.
  • Sixty-six percent of U.S. companies will further increase investment in mitigation technology over the next 12 months.
  • For all five of the key DDoS mitigation measures (manual protection, self-service DDoS technologies, managed mitigation, WAF and resilience audits), U.S. businesses are the most likely to have invested for the first time more than five years ago. 

Not only have 69 percent of U.S. businesses’ DDoS defenses been breached in the last year, but for 27 percent of businesses, more than half of DDoS attacks have been successful – almost twice as high as the next most vulnerable country (U.K., 15 percent).

The results also reveal that U.S. businesses believe malicious attacks by competitors are the most likely reason for an attack (32 percent), closely followed by blackmail (30 percent). The belief that they are being deliberately attacked, as opposed to being targeted at random (24 percent), makes the motivation for the attacks almost more alarming than their prevalence.

“The results show that most U.S. companies are mindful of the alarming recent rise in DDoS attacks, and are increasing their investment in mitigation technology in response,” CDNetworks Americas Managing Director Alex Nam said.

“This has understandably led to a confidence in resilience. But when comparing alongside the frequency of DDoS attacks and the likelihood of their success, this confidence tips worryingly into complacency. While initial and prolonged investments are theoretically putting U.S. companies in a strong position to protect themselves against DDoS attacks, it seems businesses have not noticed they are losing the arms race against cybercriminals.”

The full report is available for download here.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...