A Custom Technology Adoption Profile Commissioned By Bell Canada June 2014 Protecting Customer Experience Against Distributed Denial Of Service (DDoS) Introduction In today s age of the customer, a company s livelihood depends on providing customers with a superior, consistent customer experience across all touchpoints. Today s top business priorities all link to providing a customer experience that differentiates a company from its competitors. One major threat to providing this customer experience is distributed denial of service (DDoS) attacks, malicious attacks designed to disrupt the digital customer experience. These active and aggressive attacks on customer-facing business technology represent a significant threat to the customer experience, brand loyalty, and in many cases the future viability of the firm. Despite the significant financial threat of DDoS attacks, many organizations have yet to embrace technologies to protect themselves from such attacks, relying on existing on-premises firewalls and intrusion detection system (IDS) technology. Many organizations need more investment and education to fully protect customer trust, experience, and loyalty from service interruptions caused by DDoS attacks. This Bell Canada-commissioned profile of Canadian decision-makers directly involved with online customer-facing systems involved in revenue generation evaluates DDoS awareness, perceptions, and preparedness based on Forrester s own market data and a custom study of the same audience.
1 In The New Data Economy, Customer Experience Is Multichannel The customer experience now extends across all touchpoints whenever and wherever the customer cares to do business. Today s empowered customer expects and demands superior, consistent, and differentiated service. Increasingly, this channel is multimodal, including web and mobile, and customer expectations regarding availability and ease of use are increasing. This means: Customer satisfaction depends on the performance of your digital systems. As customers digital expectations grow, the more critical it becomes that customers are able to connect with a company anywhere, at any time, any way they want to. Any kind of service disruption will negatively influence the customer experience. According to our survey of 66 Canadian decision-makers, from all of the major Canadian industries and directly involved with online customer-facing systems involved in revenue generation, any kind of disruption will negatively affect the top goals of organizations today. Specifically, two-thirds of respondents said that prolonged service interruption to customer-facing systems would have a critical impact on customer satisfaction (see Figure 1). Over half of respondents said it would have a critical impact on brand perception (56%), customer retention (55%), and customer acquisition (52%). Customer Acquisition And Retention Are The Top Business Priorities Today Customers demand high-performing multichannel access to company products and services. Today, companies are competing for the attention and loyalty of technologyempowered customers. Winning new customers is always more expensive when compared with serving existing customers. Companies should keep the following in mind: Customers are more vocal and visible with regard to their buying experiences. Social media makes each satisfied customer a potential ambassador and each dissatisfied customer a potential critic. Customer experience drives customer satisfaction, and this drives customer retention and revenue growth. FIGURE 1 Customer Experience Goals Are Most Affected By Prolonged Service Interruptions How would you rate the impact and criticality of a prolonged service interruption of more than 1 to 2 hours to your customer-facing systems on the following organizational goals? Very critical 1 Critical 2 Customer satisfaction 47% 20% 67% Impact on brand 23% 33% Customer retention 23% 32% Customer acquisition 14% 38% Future revenue 24% 26% Current revenue 29% 20% 56% 55% 52% 50% 49%
2 Customer experience must be a top business priority. According to our Forrsights Business Decision-Makers Survey, Q4 2012, North American marketing decisionmakers top business priorities for the next year were to acquire and retain customers, grow profitable company revenue, and address rising customer expectations and improve customer satisfaction (see Figure 2). These goals directly tie into the customer being able to access company resources at any time, over any channel. DDoS Must Be Top Of Mind With Both Marketing And Technology Decision-Makers Marketing executives, historically, have not focused on technology issues. This has been the purview of the CIO. However, since so much of the customer experience relies on smooth-functioning technology, marketing executives ignore this at their own risk. In more and more cases, however, the marketing executive is the chief stakeholder in technology issues that affect the company s customers. DDoS attacks will disrupt the customer experience. These attacks represent a threat to not only customer satisfaction, but also brand loyalty, and in many cases the future viability of the firm. A successful DDoS attack will translate into a real financial loss in terms of both increased direct operational costs as well as potential lost current and future revenue. Executives need to understand that: The impacts of a DDoS attack are far reaching. According to our survey of Canadian decision-makers directly involved with online customer-facing systems involved in revenue generation, the top business concerns related to DDoS attacks include reputation loss (30%) and financial loss due to impaired service (27%) (see Figure 3). The impact of DDoS is costly. According to our Forrsights Security Survey, Q2 2013, more than 30% of North American IT security decision-makers said that DDoS attacks cost over $100,000 per security incident related to real-time communications (see Figure 4). In Canada, five of seven decision-makers surveyed reported costs between $100,000 and $999,999 for specific DDoS attacks. FIGURE 2 Top Business Priorities Are All Linked To Customer Experience Which of the following initiatives are likely to be your organization s top business priorities over the next 12 months? Critical priority High priority Acquire and retain customers 51% 33% 84% Grow overall company revenue 47% 40% Address the rising expectations of customers and improve customer satisfaction 22% 42% Improve the firm s ability to innovate 21% 42% Grow in emerging markets 20% 30% Manage brand consistency globally 18% 28% Improve the quality of our products/services 16% 39% Comply with government regulations and requirements 14% 34% 87% 64% 63% 50% 46% 55% 48% Base: 153 North American marketing decision-makers Source: Forrsights Business Decision-Makers Survey, Q4 2012, Forrester Research, Inc.
3 FIGURE 3 Top Business Concerns Related To DDoS Attacks What is your top business concern related to DDoS attacks? Reputation loss 30% Direct financial loss due to outage/service degradation 27% Impacts on SLAs 18% Employee efficiency 12% DDoS is not a threat to my organization 9% Impact on Internet organization 3% Don t know 0% (Percentages may not total 100 due to rounding) FIGURE 4 The Estimated Cost Of DDoS Attacks What is your estimate of the cost per security incident related to real-time communications? $10 million or more 1% $1 million to $9,999,999 5% $100,000 to $999,999 25% $10,000 to $99,999 35% $1,000 to $9,999 20% Less than $1,000 9% Base: 114 IT security decision-makers in North America ( Don t know responses excluded) Source: Forrsights Security Survey, Q2 2013, Forrester Research, Inc.
4 Companies Need To Improve Investment In DDoS To Protect Customer Trust, Experience, And Loyalty The respondents in our survey recognize the importance of DDoS protection, but in many cases use a simplified approach focusing on only one type of attack. There are many ways to affect a DDoS attack. These include volumebased attacks that attempt to overwhelm networks by saturating network bandwidth with bogus traffic, network protocol attacks that overwhelm network protection devices such as firewalls, and application attacks that attack web servers and operating systems by making large numbers of service requests with the intent to crash the system. Therefore, using only one approach for DDoS defense, such as a volume-based defense, is not enough. The correct approach is to have a multifactor defense that can defend against all three types of attacks. Our survey showed that: Companies need to invest in the right types of DDoS protection. Our survey showed that while many Canadian companies are investing in DDoS protection, 26% have no DDoS protection at all or are relying on firewalls and IDSes that are ineffective against these types of attacks. DDoS implementations vary with a majority of respondents. More than 60% of survey respondents have some type of DDoS protection in place; however, the defense architecture and comprehensiveness of these defenses vary (see Figure 5). Some respondents use premises-based equipment and cloud and network-based providers (23%); some use both premises-based equipment and cloud providers but not network-based providers (14%); some use only premises-based equipment (12%); and some use only a cloud provider (8%). Companies need more education on the multilayer DDoS protection. Over two-thirds of survey respondents rated themselves as only somewhat knowledgeable or less about the advantages and disadvantages of multilayer DDoS protection (see Figure 6). Companies that find themselves in this position should consider the impact of multilayer DDoS protection on their hard-earned customer relationships. Many companies need to broaden their investment in DDoS countermeasures. DDoS attacks are increasing and using different approaches in the same attack. Because so much of commerce now leverages multiple channels, including web and mobile, companies need to invest in technology to protect all modes of customer interaction.
5 FIGURE 5 Over Half Of Respondents Have Some Form Of DDoS Protection, But Is It Enough? How are you currently protecting your organization from distributed denial of service attacks that could compromise the availability of your customer-facing systems in 2014-2015? Using purchased DDoS technology operating in your data center as primary protection and DDoS protection from a cloud or network-based provider as secondary protection 23% Using purchased technology operating in your data center as primary and a cloud-based scrubbing service as secondary 14% Using purchased DDoS technology operating in your data center only Using DDoS protection from a cloud or network-based provider only 8% 12% 63% Using a cloud-based scrubbing service only 6% No dedicated solution, our firewalls and intrusion protection solutions are fully capable 26% Don t know 12% (Percentages may not total 100 due to rounding) FIGURE 6 More Education Is Needed Around Multilayer DDoS Protection How knowledgeable are you and your staff in the advantages and disadvantages of using different layers of defense to protect against different types of distributed denial of service attacks (multilayer DDoS protection)? Very knowledgeable 1 12% Knowledgeable 2 20% Somewhat knowledgeable 3 33% Not very knowledgeable 4 32% Not knowledgeable at all 5 3%
6 Methodology This Technology Adoption Profile was commissioned by Bell Canada. To create this profile, Forrester leveraged its Forrsights Security Survey, Q2 2013, and Forrsights Business Decision-Makers Survey, Q4 2012. Forrester Consulting supplemented this data with custom survey questions asked of 66 Canadian decision-makers directly involved with online customer-facing systems involved in revenue generation. Survey respondents included decision-makers in sales, marketing, and IT at companies with over 100 employees across Canada. Respondents identified themselves as either being significantly involved in the decision-making around their company s customer-facing systems involved in revenue generation, or operating those systems on a daily basis. The auxiliary custom survey was conducted in March 2014. For more information on Forrester s data panel and Tech Industry Consulting services, visit www.forrester.com. ABOUT FORRESTER CONSULTING Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting. 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. 1-M1IP85