Australian companies to this point have not been impacted by IoT device-driven DDoS botnets to the extent of other organisations abroad, but according to one industry executive, our relative lack of DDoS protection makes local companies particularly vulnerable.

“Worryingly, Australia and the rest of APAC trails behind global counterparts when it comes to DDoS protection,” according to Neustar’s Australian general manager, Robin Schmitt.

“Almost half of all APAC organisations are taking over three hours to detect a DDoS attack and an extra three hours to respond to one, which is significantly higher than global averages,” he told IoT Hub.

The comparatively slow uptake of IoT devices in Australia and New Zealand meant that locally compromised devices made up less than one percent of all devices hacked during the recent Krebs on Security DDoS attack.

According to Neustar, the bulk of compromised devices were found in the US, Brazil and Vietnam, with each country contributing over ten percent of the attack surface.

However, as IoT devices start to increase in use in Australia, so too will the risk that more of them will be used to perpetrate attacks.

“As the number of IoT devices in use rises dramatically over the next decade, this offers fertile ground for botnet herders to seize more and more vulnerable devices to hit organisations with higher volume DDoS attacks,” Schmitt said.

The need for standards and regulation

Schmitt said that one way to reduce the risk of IoT-driven DDoS attacks is to ensure that robust standards are implemented and adhered to.

“IoT globally needs standards and certifications, to help propagate best practice, improve quality and implement security controls,” he explained.

“As the IoT industry continues to evolve, collaborating openly and adopting standards and introducing certifications will strengthen the industry as a whole.”

He also said that regulatory guidelines should be implemented, and that end users need to be better educated about the risks of IoT devices.

“Given the nature of the devices being compromised, appropriate certification frameworks and consumer awareness campaigns are required within Australia to control manufacturing and direct consumers away from poorly secured devices,” he said.

“This is a lengthy process, so in the meantime, consumers should look to purchase products from known brands that promise regular security updates and regular firmware patches.”

Australian industry and government could take a leaf out of the European Commission’s book, with the governing body drafting new security legislation for IoT devices, including a certification system notifying consumers of the level of security of their devices.

“The aim of this proposed regulation is to mitigate cybersecurity risks and ensure customer confidence in IoT devices, particularly in light of Europe’s plans to boost internet speeds over the next decade,” Schmitt said.

“Time will tell if Australian lawmakers decide to follow in the footsteps of Europe in developing a certification framework to combat the increasing threat of botnets.”

Preparation should start now

Schmitt said the financial losses at stake from not taking action are great enough that companies should start strengthening their networks now.

“With the cost of a network outage during peak times costing almost half of all organisations $100,000 or more, understanding the changing risk profile is key,” he said.

“Organisations should review the risk imposed and consider varying their defences in line with increased risk exposure.”

Schmitt recommends a hybrid DDoS mitigation service to combat this growing threat, with protection for both on-premise and cloud resources.

“For the IoT-enabled business, in addition to applying appropriate security controls to IoT devices within the organisation, the ability to confidently recognise millions of things, within and outside of the organisation, will become more and more critical,” he added.

“For most businesses, this will require upgraded security controls and device identity management capabilities.

“Having said that, if a desired device can’t be secured, it shouldn’t be purchased no matter how amazing the functionality and connectivity is.”