Apparently, there’s no recession in the DDoS business. Information collected from well into 2014, confirms that this year will mark a new water level in DDoS occurrence. Attackers don’t seem to skimp on R&D either – their weapons are honed to effectively compromise a variety of unprotected IT asset types.
New evidence quantifies the damage in monetary terms. The key figure is: On average, a DDoS attack costs $40,000 per hour in damages directly related to the DDoS, as analyzed in this Incapsula research.
The quality of the source data is promising. It is substantial; with 270 businesses providing their responses, independent because it was conducted by a 3’rd party and diverse: companies from all sectors are covered. This hints us that businesses of all kinds are willing to cooperate with security experts in order to alarm the community about their trouble with DDoS, which makes the severity of the problem easy to acknowledge.
An independent marketing researcher issued on-line surveys to representatives of the businesses from the IT department, asking them questions like: how often have they been attacked, what kind and duration were the attacks, how much business was lost due to DDoS, which cost centers (departments) were the owners of the attacked module, how much resource was committed to fend the attack and what solutions did companies have deployed to mitigate that risk.
Cyber criminals sometimes romanticize about the sanctity of their goals, presenting themselves as “watchdogs” or “forces that allow the little guy to fight back”.
The research shows no focus on a specific industry, indicating that among banks and governments, less blameworthy entities such as pension funds, manufacturers, charities, SME’s, food blogs and part-time e-commerce entrepreneurs are subject to malicious deeds of similar proportions.
9 out of 20 businesses have already been under a DDoS attack, 6 out of 20 – more than once.
By size, the businesses were divided into 5 categories, from small – <250 employees to large – >10,000 employees. The “fair share” is 20% (100% / 5 categories) and neither of the categories seem to deviate greatly from it. In other words, the likelihood of becoming the target of a DDoS attack does not depend on size.
Respondents were asked to provide a figure for their business loss per hour of down time. Serious establishments with an on-line exposure have that figure at the ready. The Incapsula report revealed that the average loss is $40k per hour. Using respondent-specific data, the report calculated the average loss per attack at $500,000. The analysis comprised of calculating the attack duration, times the specific loss rate (It’s not a simple multiplication of the average attack duration, times the average loss, as that would not be a weighted average and would be entirely meaningless).
At $40k/h, practically the only business that can financially withstand a DDoS and keep going is a national money factory, and that’s assuming the printing systems are safe.
It is important to assess this risk. Any business facing a new element to the business plan does a SWOT analysis. This must make provisions for DDoS as well.
Exposure on-line, if done correctly, can introduce the business to a vast number of customers (the Opportunity) but also to a small but highly potent malevolent contingent (the Threat).
Therefore, stochastic forecasting can provide a model with which we can compare the expected revenue lost due to DDoS events to the size of the investment in mitigation of this risk. It is not in the scope of this article to cover all e-commerce cases but at $300 per month, the side of the equation concerning defense expenditures is known.
It is the responsibly of each business to assess the risk of being attacked (and resulting losses). As we’ve seen in the study, at roughly half/half distribution between attacked and spared businesses – it’s a coin flip to tell if an unprotected business will be on-line at any given moment.
Additionally, we need to make a reservation about the data from the survey: businesses that responded that they’ve not been attacked are simply stating a current situation, not a guarantee for the future.
Considering the “touring” pattern of DDoS criminals, who try a business after business to find one that’s vulnerable and willing to pay ransom, any business is bound to be probed by criminals sooner or later.
The nature of DDoS attacks is such that they come out of the blue. A large amount of their efficacy stems from the effect a surprise attack has on a normally running system.
Readers with basic knowledge of statistics can do the math. In the DDoS aspect, the equation is:
Hourly Sales x Chance of being attacked = Expected hourly revenue.
Add the fixed costs of running a business (salaries are paid regardless of the store’s uptime) and the one-off expenses of fixing a DDoS-caused breakdown and we can conclude that the potential damage easily dwarfs the price of totally mitigating the damage to your business, your brand and your clients.