"We have no defenses against large-scale DDoS. None. We are talking with our Web host, to see what they can do to help, but right now we have nothing."

The speaker is the senior IT executive at a very large credit union. He made his remarks – with a promise of anonymity – during a break at the mid-May Finovate conference in San Francisco.

He is not alone. Kirk Drake, CEO of Ongoing Operations, a tech-focused CUSO in Maryland, said that by his estimate "99% of credit unions do not have DDoS protection."

In fact the IT executive at Finovate is doing better than most. That's because his credit union has sufficient weaponry to handle lower-grade DDoS – unleashed by a maladapted member with a gripe, or perhaps a former employee. Most credit unions don't even have that much.

But were his institution to come within the sights of the al Qassam Cyber Fighters – who have taken down Chase and PNC as well as Patelco – or the Syrian Electronic Army, which recently took down the New York Times and the Financial Times, it would be game, set, match as his credit union's website would collapse under the sophisticated and powerful barrages unleashed by these well-organized, well-funded organizations.

He knows that but he also knows that right now there is no money in his budget to purchase high-grade DDoS protection – and he frankly is hoping he won't need it.

Such hopes were in fact bolstered by the fizzling out of the heavily publicized May 7 assault against many dozens of banks and credit unions that, said OpUSA, the hacktivist group that announced the attacks, would cripple the United States' financial systems.

That may be more of a comment on OpUSA's impotence than on DDoS, though, because Fernandez said that Prolexic has seen steady growth in number and complexity of DDoS attacks and he also said that the number of attacks used as "smokescreens to camouflage criminal activity is growing."

Perhaps 15% of big DDoS attacks now have some kind of criminal component built in, Fernandez said.

"DDoS is no longer simply a nuisance. It's becoming a criminal threat," he said.

Another possible lesson learned from the May 7 non-event, per Marc Gaffan, a co-founder of website security firm Incapsula, is that those who can, do, those who can't bluff. "If one was really able to launch a meaningful attack and gain the attention due to its impact, why would they warn the target?"

Gaffan's contention: It was fairly obvious all along that May 7 was going to amount to nothing – but he also insisted that DDoS, mounted by other, more sophisticated and organized groups, is indeed a threat to reckon with.

What do credit unions in fact need to be doing?

At CUNA Mutual in Wisconsin, risk expert Ken Otsuka said, "Good came out of the May 7th event. It created new awareness among credit unions that they need to do something about DDoS. Credit unions now know they cannot let their defenses down."

Drake, whose business continuity CUSO is mounting what he has said will be a budget- friendly DDoS mitigation strategy, plainly predicted that by year end just about every credit union with assets over $1 billion will have comprehensive DDoS mitigation.

As for the smaller institutions, Drake does not see much activity in regard to building defenses, at least not in the short term. Most will continue with no real DDoS mitigation policy.

But – and this is the important part – he sees that changing as more institutions find themselves taken down, often for many days.

DDoS – said Drake and multiple other experts – has become part of the hacktivist and cyber criminal arsenal and, quite probably, attacks will grow both in number and severity.

That is why Drake predicted: "Within five years most credit unions over $200 million in assets will have DDoS tools in place. They will need them and they will know that."

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.