Distributed Denial of Service attacks. Better known as DDoS attacks. That's geek speak for the kind of cyber assault that hits a web server with so many requests for service that the site becomes unavailable for use by anyone else. Quite literally information overload.
A new study shows DDoS attacks are happening more and more at the nation's banks . The study's unsettling conclusion? They're not as prepared as you might expect, not even the big ones.
New kinds of attacks, old kinds of defenses
The study was conducted by the Ponemon Institute and was reported on by Financial Times. Ponemon Institute is a U.S.-based research center that looks at privacy, data protection, and information-security policy issues.
The study's primary findings are that "more than two-thirds of banks have suffered at least one DDoS attack in the past 12 months," and also that "almost half of respondents ... said their banks had suffered multiple DDoS attacks in the past 12 months."
And while it would be reasonable to assume that DDoS attacks are mainly a problem for small banks -- which presumably can't afford the most up-to-date experts or the latest and greatest counter-technology -- this is actually a problem for some of the country's biggest banks. Over the past year, so-called "hacktivist" groups have hit Bank of America (NYSE:BAC), JPMorgan Chase (NYSE:JPM), Citigroup (NYSE:C), and Wells Fargo (NYSE:WFC) with DDoS attacks.
IT staff responding to the study cited shortages of personnel, expertise, and proper technology as continuing issues in dealing with these events. Most frighteningly, according to the study, is that many banks still rely on old-fashioned firewalls to protect against DDoS attacks. The problem is, that's not what firewalls were designed for: Firewalls are old-style defenses for old-style attacks. As such, relying on them leaves banks vulnerable to these debilitating DDoS assaults.
Sorry, please try again later
Imagine hackers bombing Amazon.com's servers with so much fake traffic you can't log on to buy that toaster you need, or that movie on Blu-Ray you just have to have. That's a bummer. Incredibly frustrating maybe, but still just a bummer.
Now imagine hackers doing the same to Bank of America servers, and you can't log on to your bank account to transfer the money your son or daughter is waiting on at college, or you're a CFO who's trying to move some absurdly large amount of cash from one account to another, and instead all you get is a "please try again later" message from your bank. That's more than a bummer. That's completely unacceptable.
Whether you're that anxious parent or anxious CFO, who wants to keep their money where they're not sure it can be accessed when they need it? In this 24/7 online world, that's a more relevant question than ever. We all expect instant, unfettered access to any of our online services, and when we don't get it, we may decide to take our business elsewhere.
Don't just sit there, do something
So as banks suffer more and more of these DDoS attacks, and consumers and CFOs find themselves more and more frighteningly unable to access their accounts, banks may find themselves losing more and more business.
And banks like JPMorgan, B of A, and Citigroup rely heavily on deposits and other non-exotic assets to help keep the lights on and share prices up. Who will they lose the business to? Naturally, the banks that recognize the problem, and spend the requisite time and money fixing it.
The technology and expertise to handle this increasing wave of DDoS attacks is out there -- it just takes time, money, and awareness of the problem to begin addressing it. One expert quoted in Financial Times cited the need for so-called "first line of defense" security systems, which deal with DDoS attacks at the "perimeter of the system," before they hit the network and cause a company the most trouble.
With any luck, this study by the Ponemon Institute -- or at the very least the story in Financial Times -- is right now making the rounds of top management at America's banks, both big and small. As consumers and businesspeople, we need to know our money is secure and that we can get at it when we want or need to. As investors, we need to know that the banks we own shares in are taking care of the people they depend on to stay in business.
And if JPMorgan, Citi, B of A, or Wells Fargo can't give us proper peace of mind, we'll find some company that can.