Domain name system (DNS) based attacks cost businesses more than $1m per incident, with the average organisation likely to face nine such attacks each year on average, and new research shows that the threat is only getting worse.

The 2019 Global DNS Threat Report, released today by DNS security firm EfficientIP, estimated that DNS attacks have increased by more than 30% globally over the past 12 months, with costs having doubled to $1.07m per attack.

The losses are as high as $1.64m for businesses in the United Kingdom, which saw costs sore by more than 100% year-over-year. United States-based businesses suffered average losses of $1.13m, while losses were lower than $950,000 for those in the Asia-Pacific market.

These losses were mostly a result of application downtime, loss of business and brand damage.

The DNS is the central network, essentially serving as the main directory between the user and the services on that network, helping the user to ensure that they reach the right site, application or service.

All traffic on a network goes through the DNS, and any issues can cause costly disruption to a business. DNS flooding, for example, is a type of distributed denial of service (DDoS) attack, where the attacker floods the DNS with traffic in order to stop the network from processing legitimate user requests.

However, the report found that DNS attacks were more likely to be carried out using phishing (47%) and malware (39%) than DDoS (30%).

No business is safe from DNS attacks

“With an average cost of $1m per attack, and a constant rise in frequency, organisations just cannot afford to ignore DNS security and need to implement it as an integral part of the strategic functional area of their security posture to protect their data and services,” Romain Fouchereau, research manager European security at market intelligence firm IDC, said.

That applies to all businesses. While financial gain is often the motive for these attacks, cybercriminals are often out for different rewards, such as sensitive data or reputational damage. The report concluded that all industries were at risk of suffering DNS attacks.

“It should be assumed that any company could potentially be hacked,” Jake Moore, cybersecurity specialist at ESET, previously told Verdict.

Financial service providers should be particularly concerned, with 88% of all businesses in the sector having suffered a DNS attack in the past 12 months. However, retailers are likely to suffer the greatest loss of business, with government organisations likely to suffer the greatest loss of sensitive information.

Businesses are waking up to cyber threats

With governments cracking down on poor data handling processes, businesses have been forced to face up to cybersecurity threats.

3 Things That Will Change the World Today

The European Union’s General Data Protection Regulation (GDPR) can be used to enforce fines of up to €20m or 4% of global annual turnover if a business fails to adequately protect its users’ data. As a result, businesses are increasingly spending on cybersecurity to protect against serious breaches, according to EfficientIP.

“While these figures are the worst we have seen in five years of research, the good news is that the importance of DNS is at last being widely recognised by businesses,” David Williamson, CEO of EfficientIP said.

“Mainstream organisations are now starting to leverage DNS as a key part of their security strategy to help with threat intelligence, policy control and automation, thus building a good foundation for their zero trust plan.”

Some 29% of businesses view monitoring DNS traffic for irregularities that may signal an attack as one of the best ways to improve data security. This is second to security network endpoints (32%), but viewed as more important than improving firewalls (22%).

While the introduction of data compliance regulations like GDPR haven’t led to a decrease in the number of attacks suffered, businesses do feel that such regulations have been beneficial. Some 81% said GDPR had pushed employers to educate their employees on data privacy, while 79% said it had improved security and 64% said it had heightened customer trust.


Read more: Victimology: In the shoes of a cybersecurity analyst