The average cost of a DNS attack in the financial services industry has risen by 40 per cent over the last year to $1.3m (£1.1m), according to new research.
A survey of 130 senior technology professionals, including CIOs, CISOs and IT managers, reveals the scale of disruption caused by the attacks; some 88 per cent of finance organisations suffered a DNS attack over the twelve-month period, and banks and insurers were on average hit 10 times.
The domain name system converts domain names into IP addresses and is often referred to as the internet’s phone book. Hackers exploit the DNS in two primary ways: to send victims to copycat websites which harvest their data in “phishing attacks”, and to disrupt companies’ access to their own applications or websites, causing downtime. In the latter case, hackers often demand a ransom to return the connection.
The survey, commissioned by EfficientIP, revealed that in the last year, 47 per cent of financial organisations were targeted by DNS-based phishing scams, 45 per cent suffered cloud service downtime and 68 per cent experienced in-house application downtime.
Ronan David, EfficientIP’s vice-president of business development, attributed the rising cost of attacks to the fact that firms are rolling out more customer-facing applications. “All of them are reachable through the DNS,” he told NS Tech. “[Attacks have] a higher level impact across all of the different services used by users.”
One of the possible reasons the number of recorded DNS attacks is rising, David added, is that there is greater awareness of the risks posed by the registry, and tech workers are more likely to realise it is the source of incidents.
The research revealed that the cost of a typical attack in the financial services industry was higher than in any other. David Williamson, EfficientIP’s CEO, said: “Financial services organisations have always been the gate-keepers of customers’ money, providing vital services people expect to be able to use all day and night. With so much at stake, the networks of financial services organisations are a predictable, prime target for DNS attacks.”
In August last year, just months after TSB suffered a catastrophic IT meltdown, the Financial Conduct Authority (FCA) started forcing banks to disclose details of major operational and security incidents online for the first time.
Financial services firms are not covered by the NIS Directive, a set of European regulations designed to bolster the security of critical infrastructure. But that doesn’t mean banks are any less likely to be hit by fines for IT outages. While the directive grants regulators the power to fine companies up to £17m, there is no cap on the fines the FCA can issue.