Nearly two-fifths (39%) of European businesses suffered DNS-related data theft over the past year, raising fears over GDPR non-compliance, according to EfficientIP.
The DNS security firm released findings from interviews with 400 respondents in Europe as part of its 2018 Global DNS Threat Report.
It found European companies are suffering a greater level of DNS-related data theft than the global average of 33%. The average cost per DNS attack has also risen strongly over the past year in Europe, by 43% to reach €734,000 — higher than North America and Asia Pacific.
However, in some countries the increase was even greater: in the UK the figure soared 105%, although firms paid a below-average €684,000. French organizations had the highest cost per attack at €847,000.
The DNS layer is always on and running in the background, and as such is often ignored by system administrators, despite containing multiple vulnerabilities thanks to its open design. That means many simply whitelist DNS traffic, allowing attacks to proliferate.
These can include denial of service, compromising DNS servers with malware to take the user to malicious or phishing sites, and exfiltrating data via DNS tunnelling techniques.
The top five DNS-based attacks in Europe fall in line with the global top five, according to EfficientIP.
DNS-based malware (39%) was the most common, followed by phishing (34%), DNS DDoS attacks (20%), DNS tunneling (19%) and domain lock-up (18%). The last of these is a kind of denial-of-service attack in which domains and resolvers set up by the attackers send random packets to DNS resolvers, “locking up” their resources so they are unable to deal with legitimate requests.
David Williamson, CEO of EfficientIP, said the findings are important in the context of the GDPR, which mandates that organizations follow best practices in securing customer and employee data.
“Surprisingly, our research shows European organizations have invested the least globally in technology which can prevent data theft,” he added. “In the year ahead, it will be interesting to see how European companies prevent data theft and avoid regulatory fines.”