In a recently released report, companies estimated that the average cost of a successful DDoS attack – one that actually disrupts a target's business – is $40,000 per hour.
$40,000 per hour. It's a nice composite number that is easy to present to management when you need to justify a budget for preparing for the potential of a DDoS attack. Of course, your company's real cost is going to vary according to a wide range of factors. If you want to put together your own cost estimate of a DDoS attack, consider what you might end up paying for, and this goes way beyond just the IT expenses:
- Lost revenue – Consider how much money your company will lose if your critical applications or web services are not available. This will vary by the time of day, time of year and/or the business cycle you are in. A company with consumer web sales is likely to lose a lot more money in December than it would in, say, February. And a gaming company stands to lose more money when it is hosting an online tournament as opposed to normal business days.
- Staff time – Your technical team will have to spring into action to try to fend off this attack. Meanwhile they won't have time to do their regular jobs. You might even need to pay these folks overtime if they have to work long hours to try to restore service.
- Emergency IT services – If the magnitude of the attack is beyond the capabilities of your technical staff, you might need to call in technical experts to get you through this.
- Communications and customer service – Your customers might wonder why they can't reach your online services. They might start calling or emailing your service desk. If your outage affects a large customer base, you might need to deploy extra staffers to communicate what's going on and respond to a higher number of support calls than usual.
- Ransom – It's not unusual for DDoS attackers to hold a company's services for ransom. Some companies choose to pay up just to end the attack.
- Data breach – DDoS attacks are often used as smokescreens to divert attention from a breach that results in data loss. If you have sensitive or regulated data or intellectual property stolen, your costs will enter a whole different realm.
- Remediation – You might end up cleaning up after malware or a virus planted in your environment at the time of the DDoS attack.
- Loss of customer confidence and trust – Customers might take their business elsewhere – perhaps permanently – if they lose confidence in your ability to provide continuous services. This is an especially big concern for service providers that host multiple customers on their cloud systems.
- Lawsuits – Yes, your customers could sue you if their business is adversely affected by your outage stemming from an attack, depending on what's in your SLAs.
- Recovery operations – Once the attack is over, you might end up replacing hardware or software that failed you in this attack.
Many of these factors weren't included in Incapsula's estimate of $40,000 an hour, but nonetheless, they are real costs that your company could potentially incur in the event of a sustained DDoS attack.
Looking at this list, it seems that prevention is a whole lot more cost-effective than suffering through an attack.