As Welsh businesses continue to wait for the impact of new GDPR legislation, DNS security specialist EfficientIP has revealed the results of its 2018 DNS Threat Report – and it’s a worrying picture.
On average, just under 40% of European companies have experienced data loss, higher than the global average which is still a huge 33%.
Nearly half of French organizations admitted to losing sensitive data (48%). So far, UK companies have fared better, but even here the report found 32% of businesses were affected – still representing nearly a third of UK businesses.
Furthermore, a third of European organizations had their websites compromised, with 48% of Spanish organizations admitting they experienced website downtime as a result. A quarter of French organizations also suffered loss of business as a consequence of DNS attacks, which researchers found were happening with alarming frequency.
The top five DNS-based attacks were DNS-based malware (39%), followed by phishing at 34%, DNS DDoS attacks at 20%, DNS tunneling at 19%, and domain lock-up at 18%. DNS-based malware attacks were more prevalent in the EU than anywhere else in the world, with Germany facing the most attacks at 44%. Spanish organizations faced more DNS tunneling attacks, at 24%, than their European peers.
DNS is a widely recognized target for attackers seeking to exfiltrate data. Protecting the DNS requires monitoring and analysis of traffic to identify threats once they enter the corporate network. Conventional endpoint and firewall technologies focus primarily on protecting the perimeter of the corporate network, so they are redundant once the threat moves inside.
Researchers identified that these attacks were increasing business costs dramatically. The average cost per DNS attack for European organizations has risen by 43% over the past year to €734,000, much higher than for their North American and Asia Pacific counterparts. French organizations had the highest cost per attack at €847,000, and the UK had the highest cost increase, at 105% to €684,000. German organizations have reduced the impact of DNS attacks over the last year, with costs increasing by only 15% this year. Worryingly, these figures are per attack, not per organization, and some companies have been hit more than once.
IT Security expert, Wayne Harris, Compliance Officer for UK-wide IT support provider ITCS, said the results were very concerning for UK businesses.
“Our customers have not experienced anything like this volume of attacks, but like most providers, we have to continually invest in both technological solutions and in people training to keep our network secure. It’s an ongoing battle with no opportunity to stand still. This report should serve as a wake-up call to any UK business that thinks cyber-attacks ‘happen to someone else’, and highlights the need to train all staff in basic network security procedures so that any potential threat is met with a robust, effective response.”
Researchers report that European companies are finally investing in infrastructure security, in terms of securing network endpoints (38%), the monitoring and analysis of DNS traffic (36%), and implementing firewalls (20%). Whilst it is positive to see DNS investment move into the top three, more remains to be done if European businesses are to protect data and avoid GDPR-related fines.
David Williamson, CEO of EfficientIP, summarized the research, saying,
“New regulation made it necessary for every organization to ensure the data they keep is secure. Surprisingly, our research shows European organizations have invested the least globally in technology, which can prevent data theft. This could be a reason as to why the region had the most data stolen. In the year ahead, it will be interesting to see how European companies will prevent data theft and avoid regulatory fines.”