A few months ago, a friend of mine was involved in a serious car accident. An oncoming truck strayed out of its lane and side-swiped the entire length of her car. Luckily, the car’s airbags and seat belts protected her from severe bodily harm, and a few weeks later (and with a brand new car…) she was up and about again.
I was reminded of this story a few weeks ago during a discussion with a customer. They hadn’t been attacked in a long time and began to wonder whether they still needed DDoS protection at all.
But just as we would never take the airbags out of a car because we have never been involved in a serious accident, we shouldn’t cut back on cyber defenses just because we haven’t had a major attack in a while.
The Probability is Low but the Risks are Severe
According to Radware’s 2019-2020 Global Application and Network Security Report, 33% of organizations reported being attacked by DDoS in the prior year.
While this is certainly a threatening figure, looked at the other way around, it means that two-thirds of organizations did not experience a DDoS attack in the last 12 months.
Stretch the statistic back, and it means that about 45% of organizations did not experience an attack in the past two years, 30% did not experience an attack in the past three years, and 20% have not seen an attack in the past four years. Stretch it back even further, and it means that about one in eight organizations has not been attacked in the past five years.
This has led many organizations – quite sensibly – to wonder why they still need to go through the hassle and expense of deploying dedicated DDoS protections.
The problem, however, is that like car accidents, DDoS attacks may occur infrequently, but once they happen – the damages are severe.
Revenue Depends on Availability
Ultimately, most organizations’ revenue depends on customers being able to reach their services.
According to a study by Gartner, the average cost of IT network downtime is $5,600 per minute, or almost $300,000 per hour on average. Although these figures vary with the size of the organization, the number of affected assets and the severity of the outage, they demonstrate the very real damages that can occur as a result of outages.
As customers increasingly consume services online, this means that an organization’s website and network are mission-critical assets, and any downtime will lead to significant losses.
Damages as a result of a DDoS attack can be direct or indirect:
- Direct loss of revenue – if your website or application is generating revenue directly on a regular basis, then any loss of availability will cause direct, immediate losses in revenue. For example, if your website generates $1m a day, then every hour of downtime, on average, will cause over $40,000 in damages.
- Loss in productivity – for organizations that rely on online services, such as email, scheduling, storage, CRM or databases, any loss of availability to any of these services will directly result in loss of productivity and lost workdays.
- SLA obligations – for applications and services that are bound by service commitments, any downtime can lead to breach of SLA, resulting in refunding customers for lost services, granting service credits, and even potentially facing lawsuits.
- Damage to brand – in a world that is becoming ever-more connected, being available is increasingly tied to a company’s brand and identity. Any loss of availability as a result of a cyber-attack, therefore, can directly impact a company’s brand and reputation. In fact, Radware’s 2018 Application Security Report showed that 43% of companies had experienced reputation loss as a result of a cyber-attack.
- Loss of customers – one of the biggest potential damages of a successful DDoS attack is loss of customers. This can be either direct loss (i.e., of customers who choose to abandon you as a result of a cyber-attack) or indirect (i.e., of potential customers who are unable to reach you, and the lost business opportunities that result). Either way, this is a key source of damage.
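The two halves of the argument above (the multi-year probability chain built from the 33% annual figure, and the per-minute downtime cost) can be carried through as a small expected-loss model. This is an added illustration, not code from the post; the 33% and $5,600/minute figures are the post’s, while the independence of years, the single-outage-per-attack simplification and the $100,000 protection cost are assumptions made for the example.

```python
"""Risk arithmetic behind the post: low probability times severe impact.

Added example, not from the original post. Uses the figures the post quotes
(33% of organizations attacked per year; $5,600 per minute of downtime) and
adds two labelled assumptions: years are independent of each other, and an
attack causes a single outage of a given length.
"""


def prob_no_attack(annual_attack_rate: float, years: int) -> float:
    """Chance of going `years` consecutive years without an attack.

    Assumes independence between years, which is what turns the post's 33%
    annual figure into its 45% / 30% / 20% multi-year figures.
    """
    return (1.0 - annual_attack_rate) ** years


def outage_cost(outage_minutes: float, cost_per_minute: float = 5600.0) -> float:
    """Direct cost of one outage at the per-minute figure quoted from Gartner."""
    return outage_minutes * cost_per_minute


def expected_annual_loss(annual_attack_rate: float, outage_minutes: float,
                         cost_per_minute: float = 5600.0) -> float:
    """Annualised loss expectancy: P(attack in a year) x cost of the outage.

    Simplification (assumption): one attack causes one outage per year.
    """
    return annual_attack_rate * outage_cost(outage_minutes, cost_per_minute)


def break_even_outage_minutes(annual_attack_rate: float, annual_protection_cost: float,
                              cost_per_minute: float = 5600.0) -> float:
    """Outage length at which expected loss equals the cost of protection.

    Any longer outage makes protection cheaper than going without, even in
    the years where no attack arrives.
    """
    return annual_protection_cost / (annual_attack_rate * cost_per_minute)


if __name__ == "__main__":
    for years in range(1, 6):
        print(f"{years} year(s) without an attack: {prob_no_attack(0.33, years):.0%}")
    # Assumed protection cost of $100,000 per year (constructed, not from the post)
    print(f"Break-even outage: {break_even_outage_minutes(0.33, 100_000.0):.0f} minutes")
```

At the post’s figures, a $100,000/year protection budget breaks even against a single outage of under an hour per year; the independence assumption also shows why five quiet years (roughly 13.5%, the post’s “one in eight”) are entirely consistent with a one-in-three annual risk.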
Would You Take the Airbags Out of Your Car?
Like many hazards in life, protection against DDoS involves balancing risk vs. probability. Most of us have never been involved in a serious car accident, or had our house burn down. Yet we still install airbags in our cars and purchase insurance for our homes.
This is because while such events occur infrequently, the damages from them are so catastrophic and far-reaching that we are willing to bear the ‘peacetime’ costs of purchasing them, so that we have them available in times of need.
The same logic applies to DDoS protection. While some organizations face constant attack, others are targeted infrequently. This does not mean, however, that the threat does not exist. And when such an attack occurs, the risks and costs of being unprotected – or having inadequate protections in place – far outweigh the costs of maintaining DDoS protection even at times we might think we don’t need it.
Going back to the example we started with, even though most adults have never been involved in a serious car accident, studies have shown that car safety is the #1 consideration in purchasing a new car. This is because in the unlikely event of a serious crash, the driver’s life will depend on it.
Likewise, service availability is the lifeline on which many organizations depend to serve customers and generate revenue.
What’s your #1 consideration in making a security purchasing decision?