The Costs and Consequences of a DDoS Attack
My first post in this series covered the basics of distributed denial of service (DDoS) attacks: how they work, the different types of attacks and the areas of your IT infrastructure that can be targeted.
Yet even when companies know what DDoS attacks are all about, they might not realize the serious impact they can have on their business. DDoS attacks may not have the same consequences as the theft of millions of credit card numbers – but they can still be devastating for companies of any size.
An immediate impact on your bottom line
The goal of DDoS attacks is to affect the customer experience of an organization’s end users. Either your website is taken completely offline so that no legitimate traffic can get through, or your server becomes so slow and unresponsive that even if your customers can access your site, they can’t do anything on it.
If you’re running eCommerce applications and your website grinds to a halt, customers interested in purchasing your products may turn elsewhere. In short, your ability to sell is immediately compromised.
Even if you don’t sell products online, your website might still be a critical source of information or services. When your network or servers are under attack, existing customers can no longer access the support they need. This can lead to a flood of calls or emails, bogging down lines of communication that might otherwise be utilized in more productive ways.
The high cost of remediation
Stopping a DDoS attack also comes with a potentially high price tag. How many people will need to divert their attention from your core IT activities to fight the attack? How long will it take to reboot your applications or servers – and then test them to ensure they’re working correctly? What if data is lost? If your server crashes while a transaction is being completed, for example, the entire disk could become corrupted due to a read/write error – potentially requiring you to re-create all transactions made since your last backup.
Depending on the timing and nature of the attack, getting your website or server back up and running could take hours or even days. In a Forrester Research survey of Canadian decision-makers directly involved with customer-facing systems, 35% said it would cost between $10,000 and $100,000 to resolve a DDoS attack – and 25% said it would cost anywhere from $100,000 to $1 million. And in a global study conducted this year, DDoS attacks were found to be one of the most expensive types of attacks companies faced (second only to cyber crimes caused by malicious insiders) – with the Ponemon Institute finding it cost an average of $126,545 per incident.
A direct blow to your reputation
None of the numbers above include the costs associated with loss of reputation, customer retention or customer acquisition. If your website is your product or if the performance of your product depends on the availability of your server, your customers could be denied services they’ve already paid for. This can provoke anger and frustration, potentially affecting your brand image. Customers who have a bad experience might also share that experience with others, especially over social media. This means that even after the DDoS attack is resolved, the impact on your reputation can affect your sales weeks or even months down the line.
Going back to that Forrester Research survey, here’s how businesses generally ranked the indirect impacts of losing their website for an hour or more:
It’s not just the big companies that get hit
According to Radware’s 2014–2015 Global Application and Network Security Report, no industry is immune to the possibility of a DDoS attack. Certain organizations are more likely to be attacked, such as government departments, online gaming and gambling companies, and Internet service providers. But many others still face substantial risk, including those in the financial, retail, education, healthcare, energy/utility and legal sectors.
Even though we usually only hear about DDoS attacks when governments, banks or multinational corporations get hit, the reality is companies of all sizes are affected. In the financial sector, for example, smaller credit unions and brokerage houses have been targeted by DDoS attacks. Yet many small- and medium-sized companies may think they’re not big enough to be a target. As a result, they choose not to invest in any kind of DDoS protection – and that plays right into the hands of potential attackers.
The bottom line
A massive, multinational company may have the IT resources and cash reserves to quickly bounce back from a DDoS attack. But for small- and medium-sized businesses, a single prolonged outage can potentially result in an irreversible loss of sales and consumer confidence.
The good news is that you don’t need to be a global organization with a giant IT team to protect your business. In my next post, I’ll take a look at some of the options you have for defending against DDoS attacks – as well as the blind spots in your current IT security strategy that might put you at risk.
By Corey Still, Network and Cyber Security Professional at Bell