Why do organisations need a DDoS contingency plan?
Contingency planning is a necessary evil. Like dental checks or car servicing, it gets in the way of doing more useful things such as - in business terms - actually making money or delivering services. All the same, there is never a bad time to have a think about what might go wrong, and put measures in place that can either mitigate the risks, or minimise the potential damage.
Indeed, when it comes to information systems - some of which will inevitably store customer data - most organisations have no choice given data protection law. An added complication, however, is how to decide what actually constitutes a valid risk. While some threats seem genuine - a 'clear and present danger' if you will - others fall into the category of problems that only happen to other people.
Distributed Denial of Service attacks are a case in point - that is, attacks which prevent computer systems or web sites from being accessed. In the past, DDoS was seen as a threat to large multinationals, potentially from people with an axe to grind. If there is one thing that we can learn from loose-knit groups such as Anonymous, however, it is that no organisation is immune. Public or private, corporate monolith or independent body, all have the potential to be attacked, for money, retribution or simply to prove a point.
Indeed, more savvy organisations are now including DDoS requirements in their procurement policies. Suppliers including developers and web site agencies are being asked to state how they would respond to an attack, illustrating just how important the issue has become.
So, how should organisations ensure they are on the front foot when it comes to DDoS? Without needing to draw up a fully fledged business continuity policy, there are a few basic actions that are at the heart of any well-constructed plan. The first of these, simply, is to know what systems might be affected. Most, if not all, organisations have a web site; meanwhile, the advent of hosted email, blogging, social networking and Software as a Service apps results in a whole load more online 'services' whose access can be 'denied'.
The next step is to consider what might be the impact on the company, should a DDoS attack take place with respect to any of these ports-of-entry. The two main concerns are the scale of impact on day-to-day business, and the legal ramifications should customer data be compromised in any way. The result is a priority list - systems and services that require attention either because their loss would impact business, or because it would cause a compliance breach.
From this point, it is not an enormous leap to come up with a contingency plan. While this stage in the process may seem like unnecessary overhead now, it is far better to treat the improbable before it has happened, than be faced with the consequences when it is already too late. Indeed, your business may depend on it.