If not secured properly, DNS attacks could cost businesses over $2 million (£1.5 million) annually in data exfiltration, loss of business or application downtime, says a new report from EfficientIP.
According to the report, 94 percent of respondents claim DNS security is critical for their business. This is unsurprising, as in the last 12 months 76 percent of organisations around the world have been subjected to a DNS attack and a third suffered data theft.
The survey was carried out among 1,000 respondents across Asia-Pacific, Europe and North America. Respondents included CISOs, CIOs, CTOs, IT managers, security managers and network managers from organisations with more than 1,000 employees.
The leading causes were malware (35 percent), DDoS (32 percent), cache poisoning (23 percent), DNS tunneling (22 percent) and zero-day exploits (19 percent).
On a global scale, the results varied widely. UK and US respondents (39 percent) demonstrated more awareness of the top five DNS-based attacks than those in Spain (38 percent), Australia (36 percent), Germany (32 percent) and France (27 percent), but less than those in India (50 percent) and Singapore (47 percent).
The attacks that UK organisations are the most aware of include DNS-based malware (52 percent), DDoS (43 percent), DNS tunneling (39 percent), cache poisoning (34 percent) and zero-day exploits (28 percent).
Almost a third (29 percent) of UK organisations experienced data exfiltration via DNS. Of those, 16 percent had sensitive customer information stolen and 15 percent had intellectual property stolen.
A third (34 percent) of UK organisations have experienced more than five attacks in the last 12 months.
For half of those who experienced a DNS attack, it took more than six hours to mitigate it, which required more than four members of staff in 34 percent of cases. For many organisations, this may be their entire network security team.
Almost all (99 percent) organisations in the UK did not apply the necessary security patches, compared to 83 percent globally.
“Despite the evolving threat landscape and the increase in cyber-attacks, organisations across the globe and their IT departments still don't fully appreciate the risks from DNS-based attacks,” said David Williamson, CEO at EfficientIP, in a release. “In less than a year, GDPR will come into effect, so organisations really need to start rethinking their security in order to manage today's threats and save their business from fines of up to £20 million or four percent of global revenue.”