NBIP and SIDN presented their report The impact of DDoS on Dutch enterprises on Monday 19 November. The research brought together data from NaWas (the national traffic scrubber, set up by NBIP) and data held by SIDN about the organisations behind the affected .nl domain names, which SIDN manages.
By pooling their data, the two organisations were able to estimate that NaWas-affiliated enterprises would have missed out on 425 million euros of earnings if they hadn't been protected. Given that NaWas protects 43 per cent of .nl domains (2.5 million), and that SIDN's data relate exclusively to .nl domain names (64 per cent of all domain names in the Netherlands), the total potential losses associated with DDoS attacks are likely to be a lot more than 450 million. What's more, the researchers didn't have any data about various large organisations with their own anti-DDoS solutions.
Major differences were found between sectors. It's also important to distinguish between enterprises that are targeted by attackers, and those that are victims of 'collateral damage'. The potential repercussions of a targeted attack are greatest for government agencies: nearly 60 million euros. Home and Garden is the sector liable to lose most in collateral damage (35 million euros).
Collateral damage occurs when an enterprise shares a host with a targeted organisation. A website with a shared host is 35 times more likely to be affected by a DDoS attack than one with a VPS or dedicated host.
Enterprises therefore need to consider what hosting services suit them best. With faster and cheaper solutions coming on line all the time, going for the lowest-price option isn't a risk-free strategy. "Hosting service providers need to recognise their responsibilities as well: they should be explaining the risks that come with shared hosting," says NBIP's CEO Octavia de Weerdt. "We hope that our research will help to build awareness of the problem, both amongst service providers and amongst service users."
As Michiel Steltman, Director of Digital Infrastructure Netherlands (DINL), says in the report: "Most companies nowadays have on-line activities that rely on cloud infrastructure or hosting. And price is often the main factor influencing their choice of service. However, with DDoS attacks on the rise and the legal obligation to protect personal data, security and the ability to resist attacks should be a much higher priority."
The economic impact was assessed by estimating the earnings that would have been lost without protection. The calculations were based on turnover figures for the affected enterprises and the duration of the attacks.
"We don't pretend that these are precise numbers. As the Netherlands Bureau for Economic Policy Analysis concluded in October, the exact cost of DDoS attacks is very hard to quantify. For example, if a website isn't available for a day, how many sales are lost altogether and how many are simply delayed?" says Michiel Henneke, SIDN's Marketing Manager. Another complicating factor is that the study was to a significant extent concerned with potential losses: actual losses are often avoided by the use of anti-DDoS defences, such as NaWas.
NBIP and SIDN therefore hope that their joint study will serve as a trigger for further research.
"In the Netherlands, there has been almost no research into the financial implications of DDoS attacks. It's a difficult topic, because how do you measure how disruptive something is for the community? So we're hoping that, in partnership with SIDN, we've started a ball rolling," says de Weerdt. "We're calling on government bodies, market players and other actors to turn their attention to the economic impact of DDoS attacks."
The impact of DDoS attacks on Dutch enterprises (PDF document, 479 kb)