Your Internet or Your Candy
David Storch is a Product Manager and Principal Consultant at Atos and a featured guest blogger
According to the UK’s The Telegraph, ‘eight out of ten parents with children aged 14 or under say restricting their offspring’s use of gadgets is their preferred form of discipline because it stopped them from communicating with their friends. Youngsters saw having their tablets and phones taken away as the worst method of punishment.’
Let’s put aside for now the question of whether or not a parent taking away a child’s tablet is something like a new form of DDOS attack (a parental one) and consider the ‘old’ form of punishment, the more familiar one– taking away some kind of treat, like candy. I don’t know if any formal studies have been done where children (or adults) are asked, which ‘treat’ they would rather lose, Internet or candy, but more and more I suspect it is communications they’d rather keep. That’s right—I think people would rather have Internet and go hungry than be full but off-line.
This is really pretty interesting because we can start to consider whether or not Internet access is at least as important to people as food or candy—the latter is a requirement to stay alive, but as far as I know, the human body has no daily requirement for connectivity or phones. Riding around on the train, or just walking in the street, you’ll see countless people with their heads angled down, looking at their screens and veering away just at the last possible second away from an open manhole or from an oncoming taxi. Overwhelmingly, what these people are looking at is communications—emails, texts, URL’s sent by friends, etc. There is no google, no Facebook, no email and pretty much no iPad without the Internet and without communications.
It may or may not be clear what the above has to do with DDOS, and it may or may not be clear what the above has to do with business. So let me explain.
Do. Not. Let. Your. Network. Go. Down.
I hope that is clear.
If you own a business, or manage one, or have a vested interest in one, or are responsible for its growth, your network may well be your most important asset. If it isn’t number one, it is in the top 3. Without it, your employees are lost, your partners cannot communicate with you, and worst of all, your customers cannot place orders, may lose faith in you, and may jump to the competition. Want to see an unhappy child? Take away their Internet. Want to see an unhappy customer? Take away their Internet.
I’ve argued before that very few things in the business realm can so swiftly decimate a business as a security breach. Not earthquake, nor tornado, not even war. Yet from a business perspective, Internet access is assumed, it is a given. I’m not sure there is any other area of business that is so vitally important and yet is just assumed. Good employees are not assumed, nor is growth, nor is brand equity, nor is operational excellence. But stable communications are assumed.
This is a big mistake—or to put it in a more business-friendly language, this represents less than ideal risk management. The fact is that no one understands the value of communications and network access better than attackers—that is, attackers really do understand the value of networking to your business, and they may understand this better than many business people do. They understand that if they can turn off your Internet (via DDOS attack), you might pay six figures to get the network back up and running. To them, launching a DDOS attack (which might cost as little as $100 with possible returns in the millions, via ransom) makes good business sense. To them, increasingly, DDOS attacks are a good ‘entrepreneurial’ opportunity, a way of pretty simply making a lot of money. Or, they may not like your stance on some political issue. Or they may not like a country you do business in. Or they may just not like you.
Yet there is a certain casualness with which businesses regard their networks. This attitude is probably changing, but not quickly enough. Sure, networks are technical things, and Board Members are not going to get involved with router configurations. But should today’s businesses incorporate IT robustness and Internet availability into their complete, corporate risk management programs? Yes they should.
To turn it the other way, businesses without clear plans on how to deal with network outages and DDOS attacks are basically putting their future into the hands of would-be attackers, who can launch attacks in a matter of moments, with no expertise, and for little to no money. At any moment, the Internet can turn into a war zone, and your business’ future can suddenly become at risk. You need to start planning for these kinds of eventualities—in short, to incorporate network and IT security firmly into corporate risk management. You need to imagine what happens to your business when the network goes down, consider the real costs of that, and what you can do to mitigate that risk sensibly.
Otherwise your customers may start crying like children who have had their candy (or tablets) taken away.