Imagine you owned a brick and mortar store. You’ve built this business over time and it’s more than your livelihood, it’s your passion. Now, what if you learned that there is a 45 percent likelihood your store will be broken into?

Once you recovered from the shock that there is nearly a 1 in 2 chance that your store will be robbed, you’d likely upgrade your security system. It’s only logical.

There is a 45% chance you will be targeted by a DDos Attack

So why is it that businesses and entrepreneurs learn that there is a 45 percent chance that their organisation’s website will be targeted by a DDoS attack, they still rely on no more than existing firewalls or other basic forms of internet security to protect them? Maybe because most of them don’t realise what a Distributed Denial of Service (DDoS) attack on your website truly costs.

The initial financial hit

A DDoS attack basically overloads a website and its servers with external communications requests – so many so that the server can’t respond to legitimate traffic and is rendered essential unavailable.

But website downtime may not be the worst impact on a business. The average cost of a DDOS attack is $40,000 per hour, according to a recent survey conducted by Incapsula of IT professionals from nearly 300 North American businesses.

No, that’s not a misprint. It actually is $40,000 per hour, but that’s only the beginning of this nightmare. Nearly half of all DDoS attacks last between 6 to 24 hours.

[easy-tweet tweet=”A #DDoS attack could cost your business $40,000 per hour, are you protected?” user=”comparethecloud”]

Based on these numbers, the average cost of a DDoS attack is somewhere around $500,000 for each incident and in some cases, the actual cost is significantly higher. For instance, 4 percent of the IT professionals interviewed in the survey have experienced at least one DDoS event that lasted more than a week, and recently one lasted 38 days. What’s the cost of recovering the data? It’s hard to know where to start.

38-day-long-ddos-attack
DDoS traffic generated by DNS and SYN floods over the course of the attack.

The longer-term costs

In addition to costs incurred fighting off a DDoS incident, these attacks have been found to cause at least one of the following: software or hardware replacement, the installation of malware or a virus, a reduction in revenue, loss of customer trust, financial theft, and loss of intellectual property. These losses are detailed in the following infographic:

ddos-impact-survey-infographic-hires

Not only are these consequences costly, but it can take an organisation weeks or even months to recover from them. In some instances concerning the installation of malware or viruses and loss of intellectual property, the damage may never be fully undone.

This is also true for loss of consumer trust. According to the survey, 43 percent of all IT professionals mentioned it as one of the outcomes of a DDoS attack, making it the third most common outcome.

[easy-tweet tweet=”43% of #IT professionals cite loss of consumer trust as an outcome of #DDoS attacks” user=”comparethecloud”]

These numbers likely would be even higher if the survey had polled support, sales and marketing teams. In most DDoS attacks, Sales and Customer Service are two of the business areas to take a big financial hit from DDoS attacks, accounting for more than a third of all financial losses as the DDoS tide recedes.

Targets of all sizes

There have been plenty of high-profile attacks on major corporations in the news, including repeated attacks on Sony PSN and XBOX live. Last Christmas Sony had several different networks taken down by DDoS attacks and has had its Sony Pictures division hacked so severely that unreleased movies were put online and its corporate computer network was rendered unusable. As for the XBOX Live DDoS attack, the Lizard squad hacking group (the same group responsible for the repeated DDoS attacks on Sony PSN) says they are preparing some additional surprises, and are threatening to shut down the XBOX Live network forever.

Certainly, the bigger the organisation, the larger a target it presents for DDoS attacks. There are plenty of websites and businesses that would never have to worry about losing $40,000 per hour as a result of a DDoS attack, simply because they don’t deal with that kind of money.

Does this mean smaller websites and businesses aren’t targets? Unfortunately, the answer is no. Any website with customers, intellectual property, personal data, and financial information is at risk. On a weekly basis small CMS-powered websites are hit by DDoS attacks, some of which are enabled by vulnerabilities in these platforms.

DDoS perpetrators don’t have moral codes, professional ethics or sound business plans.

DDoS perpetrators don’t have moral codes, professional ethics or sound business plans. Media only covers the most interesting and most prominent DDoS events.

Many of the attacks we are dealing with have nothing to do with hacktivism, corporate espionage and geo-politics. Often a DDoS attack is simply a random act of vandalism by someone who decided to have some fun and take down a website, just for “RTs and LoLs”.   

Investing in protection

For many businesses, the unsettling reality is that it’s not a matter of if they’ll be hit with a DDoS attack, but when. As the saying goes, it’s better to be prepared.

[easy-tweet tweet=”36% of all IT professionals are not confident in their current #DDoS protection” user=”comparethecloud”]

The survey found that 36 percent of all IT professionals are not confident in their current DDoS protection, even though 46 percent were using purpose-built solutions.

They have good reason. It’s been demonstrated time and again that counting on a firewall or ISP for protection in the event of a DDoS attack is misguidedly optimistic. Firewalls are easily overwhelmed and ISPs don’t have the resources to monitor all traffic to all websites they serve, not to mention the ability to respond to DDoS events in a timely manner.

In fact, even if they detect the attack, their best option is to drop all incoming traffic, as they are not usually equipped to offer any filtering solutions that will allow you to stay online while “under fire.”

Professional mitigation services may seem like a major investment. But the price is paltry compared to the costs of a DDoS attack, especially on a mid-sized to large organisation.