Quite a lot, it seems. The Ponemon Institute study estimates that the average cost of one minute of downtime due to a DDoS attack is $22,000. With an average downtime of 54 minutes per DDoS attack, this amounts to a heavy toll. Obviously, the costs depend on several variables, such as your business segment, the volume of online business, competitors, and your brand.
Here are a few pointers for assessing the quantitative and qualitative business impacts of a DDoS attack.
Direct revenue losses depend on the industry, but organizations that rely on the Internet for business suffer the most. The graph below, taken from the Ponemon study, outlines the estimated cost per minute of downtime for three different industries. The estimated cost includes lost traffic, end user productivity, and lost revenues. As can be seen, financial service organizations experience the highest costs, followed by organizations in the health & pharmaceuticals industry and the public sector.
Attackers often plan the timing of their attack in order to maximize financial damage. For instance, online retailers would likely be targeted during the heavy traffic of holiday shopping seasons. Beyond lost revenue, financial losses may include other elements, such as the cost of investigating and responding to an attack, expenses related to customer support and public relations, and potentially even financial penalties or lawsuits.
Public information about the exact expenses related to DDoS attacks is limited. One known example is the wave of DDoS attacks that targeted Yahoo and Amazon in 2000, which was estimated to have cost over $1.2 billion in damages. Sony spent more than $170M on cleanup related to a DDoS attack and loss of data. Some analysts estimate the costs to be even higher, amounting to billions of dollars in damages. Regardless of the exact figure, there is no doubt that the cost incurred by a DDoS attack can be exorbitantly high.
When asked about the most negative consequences of a cyber intrusion, organizations rank reputational damage third, following intellectual property at number one and productivity losses at number two.
Public news about your company falling victim to a cyber-attack, and thus compromising customer data, is always bad news. The ensuing bad publicity may be contained, but it may also have serious effects on reputation and future sales. Regaining the trust of the public, the press, and customers takes a long time and always requires considerable effort.
Online customers have high expectations regarding quick access to information. According to Microsoft, a customer is less likely to visit a website if it is slower than a competitor's site by more than 250 milliseconds. Likewise, it is not surprising that a customer who cannot readily reach a website for information, services, or purchases becomes dissatisfied. This category of customer complains, requests financial restitution, or simply switches to a competitor altogether.
Customers who can prove they suffered damages from the unavailability of online services may pursue financial restitution by filing lawsuits, arguing that the company did not take sufficient precautions against the possibility of attacks. In one example, a major stock exchange hit by a DDoS attack in 2011 was forced to suspend trading and pay penalties to trading firms to compensate for its inability to provide normal service.
While the overall business impact of a DDoS attack is difficult to estimate, it is always costly – in financial losses, reputational damage, and customer attrition. Protecting your network against a DDoS attack is much safer, from both a security and a monetary standpoint.