In the first part of this blog series, we discussed the direct costs of DDoS attacks. In this second part, we discuss the indirect and long-term damage from DDoS attacks and the solution we propose.
Indirect & Long-term Costs
Costs of Your Data
The first and most profound implication of DDoS attacks is data loss. Data loss is an indirect outcome of a DDoS attack, because DDoS attacks are sometimes used as a smokescreen for other types of cyber-attack.
The Neustar and Harris Interactive Report states that 92% of those companies that had suffered only one DDoS attack experienced theft of intellectual property, customer data, and financial assets and resources. On average, Ponemon Institute estimates every lost or stolen record costs businesses $225.
A complete set of credit card data (name, card number, social security number, and even the security code) costs anywhere between $30 and $60 per card. The information on the magnetic stripe (“CC dumps”) can cost between $200 and $400. Stolen devices such as smartphones or laptops can even trigger a bidding war on the black market.
It is vital to assess all existing data for its value to the business and its potential value to thieves, and then to quantify the implications of that data being lost or compromised.
Costs of a Break in Business Continuity
Although some campaigns consist of intermittent attacks spread over several days, individual DDoS attacks are often mitigated within a few hours. Even so, DDoS attacks that degrade the user experience can kill small businesses, and the sad news is that nearly 60% of affected small businesses do not recover.
As a first step, it is important to look at the picture holistically and make a checklist of all the potential impacts of a DDoS attack on business continuity:
- Lost opportunities
- Loss of productivity due to time spent on investigation
- The additional operational workload from repair and response
Qualifying the factors involved in business continuity and converting the time-to-recover into person-hours will help quantify this cost.
Regulatory Impact
Post-attack, there are costs involved in regulatory defense, penalties, and fines. These costs result from non-compliance, security breaches, and lawsuits. Security obligations are spelled out explicitly in law, so beyond the losses caused by the attack itself, businesses also face governmental repercussions. For example, PSD2 requires banks to offer an open communication interface to third-party providers (TPPs), which increases the security risks to financial institutions; PSD2 therefore also requires banks to implement advanced security controls on these open interfaces to mitigate that risk. Calculating this cost requires a robust mitigation solution and a clear understanding of the legal and regulatory costs that would follow a DDoS attack.
Loss of Customer Value
Customer relationships are based on trust: customers expect that their information will be kept safe and that the organization will act with the highest level of integrity. Loss of confidence can hurt a business badly, as customers opt out. Depending on the company, lawsuits may follow, and settlements can cost millions of dollars. Some businesses may also need to compensate customers for their losses. Finally, there is the question of rebuilding confidence and trust, which can take a long time, if it happens at all.
Calculating this cost requires a thorough understanding of the customer implications: compensation, the time needed to rebuild trust, and a percentage added for lost business. Together these yield a quantifiable cost figure.
How to Avoid These Costs
Some may believe that cyber insurance is the solution. It is a fact that cyber insurance as a business is growing fast: it is expected to grow to $14 billion in 2022 from $3 billion in 2016. But insurance only comes into play after an attack, which is not an ideal solution. Of course, having a robust insurance policy in place is good, but DDoS mitigation is mandatory. However, in our experience, the VPN gateways of 85% of companies are not adequately protected by their DDoS mitigation policies. If these gateways came under a DDoS attack, employees’ ability to connect to work could be significantly impacted.
To summarize, even with the most sophisticated DDoS mitigation and testing solutions deployed, most companies are left with a staggering 48% DDoS vulnerability level. This vulnerability gap stems from DDoS mitigation solutions and periodic Red Team DDoS testing being reactive rather than continuously evaluating and closing vulnerabilities.
Mitigation solutions do not constantly re-configure and fine-tune their DDoS mitigation policies. This leaves their ongoing visibility limited and forces them to troubleshoot issues at the worst possible time, that is, when a successful DDoS attack brings down systems. These solutions are all reactive: they react to an attack rather than closing DDoS vulnerabilities before an attack happens.
The Solution – RADAR™
RADAR™, MazeBolt’s patented solution, simulates DDoS attacks continuously and non-disruptively. It delivers advanced intelligence through prioritized reports on how to remediate the DDoS vulnerabilities it finds, and closes the DDoS gap by helping your DDoS protection vendor fix ongoing security gaps before they are exploited. With RADAR™, you never have to rely on risky zero-day reactive mitigation capabilities. RADAR™ assists organizations in achieving, maintaining, and verifying the continuous closing of their DDoS vulnerability gaps, reducing the vulnerability level from an average of 48% to under 2% and keeping it there on an ongoing basis.
To learn more about the hidden costs of DDoS attacks, read our whitepaper, ‘Cost and Implications of a DDoS Attack.’