By Samantha Kruse, Account Supervisor, LEVICK
Allison Miller, Fellow, LEVICK
Hackers went back to the basics this past week with one of the oldest cyberattack tricks, a distributed denial-of-service attack, or DDoS. The attack, which shut down many prominent websites including Amazon, Twitter, and Spotify, took place on Friday, October 21, and was aimed at Dynamic Network Services Inc. (Dyn), a company that operates what is essentially the digital telephone book for the internet.
The attacks were well planned and well executed, and the apparent ease with which they took down major websites is raising questions as to what companies can do to protect themselves from attacks like these from a security standpoint, and what they are doing to protect their brand. As these attacks are nearly unpreventable, security experts maintain the best way to mitigate damage from a DDoS attack is early detection: monitoring website traffic and separating the good from the bad. Without an immediate solution to rebuild the internet, enterprises must focus on the essential strategic communications elements that can help soften the fallout and speed up brand recovery following such an attack.
One of the more detrimental implications of attacks such as these is what they can reveal to the hackers about a company’s online presence, pinpointing vulnerabilities. The damage for companies that rely heavily, if not solely, on online transactions (think healthcare, financial services, online retailers, etc.) will be catastrophic. Tech behemoths like Reddit and Netflix, whose service was interrupted for hours during Friday’s attack, are under a microscope. Public perception of a company that operates sophisticated online services can be quickly harmed by that organization’s inability to protect the sensitive information of its customers or by a discontinuance of the services its customers pay for and expect to receive. It is increasingly important for companies to put together a strategic communications plan before a DDoS attack occurs. While there is no step-by-step plan that fits each organization, these are a few basic elements necessary for a cybersecurity communications plan:
- Onboard highly trained third parties, such as forensic specialists and outside IT consultants, in peacetime. These experts can be quickly and efficiently deployed in the event of an attack.
- Train employees on data security basics and test your enterprise crisis communications and data security plans. While an individual employee may not be able to protect a company from a DDoS attack, they can be your biggest weakness or biggest advocate in recovery. Employees who are not educated on protocol could take to Twitter and comment publicly on the attack before the company is ready with a statement or has even investigated the scenario.
- Control the narrative. Inform affected internal and external parties about what happened and what you are doing to fix it before they find out from another source.
- Build in alternate forms of notification that are not dependent on email or online customer service centers, recognizing that a DDoS attack will sever the connection to an online network, rendering a company unable to access its customer databases or answer queries and complaints coming in through those avenues.
- Coordinate your message with your business partners and vendors. If your business operations depend on other service providers, be sure that they are notified before the general public about any potential cyberattack that could also impact their operations.
While there is a plethora of measures that a company can take to mitigate a crisis stemming from a DDoS attack, the frequency and the potential impact of these attacks loom large. Though ransomware and phishing attacks are on the rise, companies cannot neglect to include in their crisis simulation drills DDoS attacks that could serve as smokescreens for follow-up security breaches.