Distributed denial-of-service attacks have increased in complexity so that they are no longer just an annoyance causing a disruption in service. Criminals are using these attacks as a distraction while targeting sensitive data, leaving enterprises to pay for lost business and breach recovery.

Any conversation that involved breaches this year included the statement, “It’s not if but when.” The expectation has become, as IDC’s Christina Richmond, program director, security services, said, “Breach is a foregone conclusion.”

For many companies, the attacks are frequent and more advanced. Richmond said, “Distributed-denial-of-service attacks are no longer an isolated event. Sophisticated attacks hit companies of all sizes, in all industries.”

According to a recent report from Neustar, the odds of getting attacked are one in two, but once an enterprise has been attacked, the likelihood that they will be attacked again is 80 percent. The report also talked about the new trends in both the size and frequency of DDoS attacks.

“If the attacker’s goal isn’t to cause an outage but to disrupt, he doesn’t need to craft an attack of extra-large proportions. A SYN Flood attack is a good example. The attacker sends enough SYN requests to a company’s system to consume server resources and stall legitimate traffic,” the report said.

The methods of attack have changed in complexity and variability. Attackers don’t launch a single attack but rather send out waves and multiple vectors. “They may launch an email attack or attack an application or a server. They may launch multiple attacks in different vectors, coming from different places and attacking different targets,” said Joe Loveless, senior security manager, Neustar.

Larger attacks are easier to detect and mitigate, but these smaller, frequent attacks result in more significant damage, Loveless said.
“They create chaos but still leave access open somewhere else,” he continued. The result, according to Neustar’s report, is that one in four companies experiences an actual theft of data or funds.

Another growing trend in DDoS is ransom. “Extortion is becoming more common, and companies are paying ransom to avoid being attacked but they are getting attacked anyway,” Loveless said.

These attacks are particularly concerning because of the attacker’s stealthy ability to infiltrate the security environment during a disruption. Once they have access, they take a slow and steady approach and often go undetected until they have reached their target: valuable corporate data or funds.

“IDC believes that the customer is often the first to report a DDoS attack because their user experience suffers when they can’t access a web site to buy a product, pay a bill, or find support,” Richmond said. The result is not only a financial loss, but a strike against brand and reputation.

According to Dave Larson, COO, Corero Network Security, “A number of things are going on in the landscape and it’s hard to say whether these are rapidly changing or we are just starting to see them.”

Denying service, which seems like it would have to be a giant attack, is actually the result of something much smaller. “Almost 72% of attacks last less than five minutes and 93% are less than 1GB per second in capacity,” said Larson.

The attacks, though, are not about denying service. Larson said, “These aren’t just randomly occurring. People are orchestrating them, and they have to be doing this for a reason.
We are starting to see material data breaches that included DDoS attacks as part of a multi-vector intrusion.”

These smoke-screen-style attacks have a significant impact on an enterprise because, by design, they are distracting, which leaves security professionals looking in all the wrong places. “DDoS itself isn’t creating the data compromise, but if it is causing you to look in the wrong place, you could be one of the very many organizations that have already been breached and you don’t know it,” said Larson.

Constantly monitoring the environment to make sure that no unknown traffic is crawling around in the network will help to prevent a data compromise after a DDoS attack. Larson said, “You can imagine that more down in the weeds the impact could be that your environment is being scanned and crawled and floor planned. The bad guys are figuring out what they need to gain access.”

The cost of recovering from an attack is significant, particularly for small and midsize businesses. In a special report on security risks, Kaspersky Labs noted, “On average, a DDoS attack costs SMBs more than $50K in recovery bills, which is significantly more than the typical costs they face recovering from other types of attack.”

For some reason, though, companies still aren’t convinced that investing in security against DDoS attacks is money well spent. The Kaspersky Labs survey found that only around half of respondents (56% of IT professionals) believe that spending money to prevent or mitigate an attack would be worth the investment.

Evgeny Vigovsky, head of Kaspersky DDoS Protection at Kaspersky Labs, said, “Protection from DDoS attacks is an important part of risk management, yet only 34% of survey respondents have fully implemented DDoS prevention systems of any type.”

There are many factors to consider in evaluating risks for enterprises, from dependence on online services to other resources.
“In most cases, online services--websites, emails, databases--are critical. Without them, normal workflow stops,” said Vigovsky.

“Costs associated with failed online services are bigger than expenses for prevention solutions, but unfortunately, there are still companies that do not include DDoS attacks in their risk management strategy,” Vigovsky continued.

The risks of not investing in DDoS prevention and protection are more than monetary. “When a company has to mitigate an attack that is taking place instead of preventing an attack from occurring, then they will pay a steep price for not only lost business contracts and damaged reputation, but also for an urgent solution too,” said Vigovsky.

Echoing the need for prevention and protection, Larson said, “All reasonably likely to be attacked environments should have DDoS defense on the perimeter.”

One measure enterprises should take to build a culture that prioritizes security and prepares for the inevitability of an attack is “simulating worst-case scenarios in order to create a corresponding cybersecurity strategy,” said Vigovsky.

Enterprises can take steps toward making security a central concern for all. “A comprehensive strategy should include a combination of IT solutions, security policies and prepared staff to help prevent cyberattacks,” Vigovsky said.

Richmond said, “IDC believes that security needs to move toward being a positive contributor to the business. Security in and of and for and by itself no longer works.” Shifting the corporate culture to one that centralizes a concern for security must be a priority for enterprises.

In order to effectively make that change, executives have to buy in to an inclusive plan that is well designed and focused on cross communication. DDoS attacks impact more than security, and everyone from marketing to public relations shares an interest in preventing these attacks and minimizing their impact.