What to Consider When Developing a Cybersecurity Strategy

As consumers conduct more and more business online, organizations must secure their content and data to respond to the increase in digital engagement. And the number of cybersecurity threats is only predicted to rise — that’s why hoping your company won’t be the next front-page tragedy is unsustainable. CIOs and technology leaders are too often at the whim of the next great threat. When a breach or attack does occur, they must scramble to resolve the problem or apply a patch before any further damage can take place.

And marketers can't treat security as “someone else’s problem” and pass the buck to IT and legal teams. The consequences that these incidents can have on brand reputation can be severe. In fact, according to a 2019 Consumer Survey by software company Ping Identity, 81% of consumers no longer wish to interact with organizations that have had a data breach. Organizations must proactively plan how they’ll mitigate security threats for the highest probability of success. 

To ensure a secure foundation for all their digital-first initiatives, organizations need to embrace an infrastructure that’s secure and performant by design, adheres to industry compliance standards, and is agile enough to evolve with the rising standards of today’s digitally native customers. As the digital landscape changes to include new technologies, your response to security needs to morph and mature too. Being prepared requires having the right systems and processes in place, as well as regular communications between marketing operations, IT teams, and all vendors and systems that contribute to your total digital customer experience. 

Guard against potential data risks

Today’s security threat landscape is vast, including phishing emails, malware, malicious bots, distributed denial of service (DDoS) attacks, ransomware, you name it. Attacks are meant to steal information or disrupt traffic, but it’s much easier (and less costly) to avoid a security incident than it is to try and mend your organization’s brand image after a breach occurs. You need to know who has access to what data and set guidelines and restrictions for how data can be used. When customers make the choice to share personal details with your organization, they expect that information to be properly stored, not altered or mishandled. Plus, with the rise of data protection regulations, depending on where your organization operates, you may be legally required to adhere to higher security standards or face hefty fines.

If an attack or breach does occur, brands need to communicate that incident quickly and honestly and take the necessary steps to rectify it. If a brand is caught trying to cover up or downplay an issue, it will only cause further damage to their reputation and oftentimes result in serious legal penalties.

For instance, in addition to paying $148 million to settle a lawsuit stemming from its cover-up of a 2016 data breach, Uber was also hit with fines in the EU for violating local data privacy laws. That example is why ensuring security from the start, and not as a response to a breach or malicious attack, is critical in delivering digital experiences. Because DDoS attacks are now one of the most prevalent types of attacks, growing in both volume of attacks and duration, let’s start by understanding the risks associated with this common threat.

What is a DDoS attack?

DDoS attacks are a growing concern for all organizations. Increasing in frequency and in severity — rising 203% in the first six months of 2022 versus the same timeframe in 2021 — DDoS attacks are a challenge for any IT organization. Fortunately, there are solutions that can mitigate them for you. Before we dive into those solutions, let’s define exactly what DDoS attacks are.

DDoS describes a class of attacks where a perpetrator intentionally cripples a computer system using a large, distributed network of compromised computers (called a botnet) to generate a flood of malicious requests that overwhelm the computer system’s ability to respond to legitimate requests. 

Here’s a simple analogy: Imagine a pizza shop that accepts phone-in orders through a single phone line. An attacker targeting the shop could keep that phone line as busy as possible by calling in repeatedly, preventing legitimate customers from getting through and placing an order. If the pizza shop wanted to sidestep this possibility, it could install a new phone line or block the attacker’s phone number. But if the attacker uses multiple phone lines and calls from a new phone number each time, their efforts would completely negate the pizza shop’s attempt to shut them down.

The impact of a DDoS attack

A sustained flood of attack traffic can quickly overwhelm an organization’s network and application infrastructure and prevent any legitimate traffic from getting through. Magnify the example of the pizza shop by thousands of attackers, and you can imagine the impact that a DDoS attack would have on your organization’s digital business. 

In fact, the average cost of a DDoS attack in the U.S. is $218,000. This cost can include:

• Involvement by business and technical stakeholders
• Infrastructure costs
• IT security consultants
• Risk management consultants
• Lawyers and solicitors
• Auditors and accountants
• Corporate image consultants 

DDoS attacks can happen to any organization large or small, public or private. Hackers don’t discriminate when they pick their target, but chances are the more you have to lose, the more vulnerable your organization becomes. Whether your organization handles private data and critically important information, or it’s an online-only organization that lives and dies by its website traffic, DDoS attacks can be withering and have serious repercussions.

DDoS attacks also introduce a breadth of other serious implications, including the theft of sensitive data, a productivity decline, regulatory action or lawsuits, reputational damage (with associated repair costs), and lost customers, business opportunities, intellectual property, and revenue. Luckily, attacks can be addressed and even prevented with security best practices and technology.

The alphabet soup of cyber protections

HTTPS, WAF, SSL — common ways to thwart threats and keep your site secure. You likely have some – if not all – of these security components already in place, but not all are created equally. Let’s start by defining each security protection:

• HTTPS: This is the secure version of hypertext transfer protocol (HTTP). The “s” is tacked on to indicate that the data transfer between the client and server is secured with either a secure socket layer (SSL) or transport layer security (TLS).
• IP firewalls: With a firewall to manage traffic in and out of a network, you can block or allow specific internet protocol (IP) numbers, autonomous system numbers (ASNs), or even entire countries.
• SSL: This is one of the key methods for securing data as it flows across the internet. Your site has a certificate that the user’s client recognizes to set up the secure connection. Once this transaction is complete, data can travel across a secure connection from the site to the client.
• TLS: Also mentioned above, transport layer security is another method of establishing a secure connection between a client and site. Like SSL, TLS is based on an encryption certification for data transmitted between the site and client.
• WAF: Web access firewalls (WAFs) are configured to detect suspicious behavior in web traffic entering a site. WAFs are primarily used to prevent attacks like DDoS and SQL injection.
   

The ultimate decision on security depends on your site’s purpose now and your vision for it tomorrow. The key is ensuring  decisions you make today allow your security plan to easily evolve in the future. For example, some vendors package free security offerings that don’t offer the necessary customizations or protections you need. SSL certificates may be included with some cloud hosting providers’ offerings, locking you into their choice of SSL vendors. Adding your own provider to the mix may mean other features will be degraded or unavailable. Different providers offer various types of protections — some are ironclad, while others may not offer the security support you need to protect yourself from an attack.

So, when considering your options, the decision isn’t straightforward. You may have a combination of requirements based on your objectives.

Get peace of mind with Acquia Edge Security

“Security” isn’t just a box you check off once and never worry about again. Just as the number of devices, channels, and ways to access content continue to expand, so do the potential risks. 

At Acquia, our platform is built with security best practices from the ground up. Our security operations and support spans our infrastructure provider, three Acquia security teams dedicated to 24/7 vigilance, and required security training for every employee. Acquia also complies with SOC 1, SOC 2, PCI, HIPAA, ISO 27001, CSA STAR, GDPR, and FedRAMP and is a founding member of the Drupal Steward Program. Introduced by the Drupal Association and the Drupal Security Team, the program blocks some of the most serious and dangerous Drupal security vulnerabilities by establishing a network-level mitigation strategy. That approach ensures that all Acquia customers are protected from major identified vulnerabilities, giving clients the freedom to schedule their Drupal patching in their own time rather than working reactively. 

To further protect our customers from becoming the next online threat victims, Acquia provides a preemptive mitigation solution called Acquia Edge Security. When customers purchase Edge, they get a WAF and DDoS mitigation solution that delivers hands-off security monitoring and real-time attack mitigation. The features include preemptive identification and mitigation in under 10 seconds of any risk or impacts on customer site and application responsiveness tied to unpredictable, catastrophic security threats. Edge is regularly updated using threat intelligence collected by dedicated security researchers and public sources, and it knows which behaviors to track and block so attackers have a harder time compromising or taking down a website. It even monitors and differentiates bot traffic on your site to automatically filter malicious bots. Acquia Edge provides peace of mind that isn’t attainable without a WAF and DDoS mitigation service in place. In addition, it protects your site from the full range of attacks from low-level “noisy” attacks through very large-scale attacks, both at the network and application level. There’s no substitute when the availability of your site is paramount.

Organizations no longer need to rely solely on hope to survive an online attack. Be proactive by understanding the risks and gain confidence that your organization will be prepared for current and future security threats. Learn more about safeguarding your organization’s digital infrastructure and brand reputation by downloading the free e-book, Security and Digital Experience: A Guide for Marketers.