Much attention is given to the calculated costs associated with a security breach, where the business may experience both downtime (an outage) as well as external costs as you’ll see below.
We often see significant emphasis placed on the cost of response, external (third-party) assistance, stolen data impact, notifications and victim ID protection, sanctions and fines, remediation, and forensics. But items such as lost employee productivity, lost reputation, lost customers, and lost revenue, while always represented in the total costs, are nearly always among the largest contributors to the loss incurred during the outage.
Every year since 2008, Information Technology Intelligence Consulting (ITIC) has published its independent survey measuring downtime costs and trends. This annual report shows that the average cost of a single hour of downtime has risen by nearly 30% over that period.
The ITIC survey polled over 800 organizations in April/May 2017. All categories of business were represented in the respondent pool: 24% were small firms with up to 200 users, 25% came from the small/mid-sized enterprise sector with 201 to 1,000 users, and 51% were large enterprises with over 1,000 users.
Below are the metrics for organizations with more than 1,000 employees (51% of businesses surveyed) from the ITIC 2017 Survey:
- 98% of organizations say a single hour of downtime costs over $100,000
- 81% of respondents indicated downtime costs their business over $300,000
- 33% reported that one hour of downtime costs their business between $1 million and $5 million
Nearly all businesses today are dependent on utilities such as e-mail, intranet, corporate business applications, and, of course, the internet. Without these crucial utilities, employees are essentially cut off from the business and communications.
Most enterprises invest wisely to ensure the availability and reliability of their critical infrastructure, critical business applications, and data centers. Sometimes, however, these investments are undermined by events such as a cyber-security incident that disrupts or disables these utilities, whether for a short or a long period. A denial of service is certainly one form of attack that can cause an outage, but I’m thinking more about an attack designed to destroy data and disable systems for an extended period, measured in days and weeks, not merely hours.
As a recent example, the NotPetya malware infected and crippled the global container ship and supply vessel operator Maersk for ten (10) days. Maersk’s IT staff, remarkably, reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications over those ten (10) days in what the chairman called a “heroic effort,” one he said might normally have taken up to six months. Maersk advised its shareholders that the outage resulting from the attack would cause losses of up to $300 million due to “serious business interruption.”
“Imagine a company where a ship with 10 to 20 thousand containers is entering a port every 15 minutes, and for 10 days, you have no IT,” chairman Hagemann commented. “It’s almost impossible to even imagine.”
The cost of such downtime comprises direct costs, such as:
- lost revenue, because sales processes could not be completed
- lost wages due to employees not able to work
- third-party assistance (response and recovery)
- fines, sanctions, penalties, and litigation (all)
- victim notifications and ID-theft protection (remedies)
- marketing costs, recovering consumer confidence
- penalties for non-performance against service level agreements
and indirect costs, such as:
- lost business opportunities
- losing employees and damaged employee morale
- additional security incidents due to employees bypassing IT (shadow IT)
- decreases in stock and market capitalization value
- loss of customer and business partner confidence and trust
- brand damage – business going to competitors, along with hostile publicity
The damage caused by each hour of an outage varies with the nature and size of the business, as well as its reliance on critical IT to produce revenue. The process of evaluating and quantifying the total cost of downtime goes well beyond IT: the evaluation must consider every operational area of the business.