The security industry has long debated the potential impact of a large-scale cyberattack. From actual security analysts who have been accountable for implementing and managing security solutions to security “pundits” who love to speculate about things in the security world that they’ve never actually done, everyone has an opinion. At one extreme, the more doom-saying elements posit that we’re at imminent risk of dire threats, ranging from shutting down critical energy and transportation infrastructure to siphoning billions out of major financial institutions and causing global financial shock. On the other end of the spectrum are those who claim that these prophecies are overblown and that, while cyber attackers have the capacity to cause chaos and embarrassment for both commercial organizations and government agencies, there is little evidence to support claims of more extensive collateral damage.
Recent research by Internet analytics firm Neustar, reported on the website Mashable, seems to show that the truth – as is so often the case – probably lies somewhere in the middle. One thing that is clear from the report is that attacks certainly do have the ability to cause serious financial pain. Of more than 300 retailers Neustar surveyed who reported experiencing an attack that caused an outage, the business cost of the attack was estimated at between $10,000 and $100,000 per hour. Yes, you read that correctly – per hour.
Whichever end of the scale your organization is on, there's a serious “ouch” factor associated with an attack. Could your business survive lost revenues of $240,000 a day, or $1.6m a week, let alone $2.4m a day or $16m a week? If you combine these numbers with the fact that 35% experienced attacks – such as DDoS attacks – that brought down critical sites such as e-commerce for over a day, and 11% experienced sustained attacks for over a week, the end result is a tremendous amount of lost revenue.
While the Mashable piece focuses on DDoS attacks, it also tangentially highlights the need for organizations to reduce the time taken to identify a breach and to take action to limit the damage caused to both the IT environment and the bottom line. Imagine if an attack stopped a financial services company from carrying out trades, took a private or public cloud offline so that customers’ sites went down, or stopped a Federal agency from processing benefits checks for just one day. The cost to a business and its customers would run into hundreds of thousands, if not millions, of dollars. It’s not exactly the Pearl Harbor scenario, but the potential financial losses a prolonged attack could cause – not to mention the impact on the quality of the lives of citizens – are huge.
Regardless of the exact cost per hour or the probability of an attack, it’s clear that the sooner an attack is identified, its vector and target understood, and action taken to deal with it, the happier the C-Suite will be. If you want to demonstrate return on investment on information security operations, nothing works better than dollars and cents.