Next time you are working with your CIO to justify your budget for IT security for your organization, instead of calculating the costs of technology or staffing, consider this—how much will an attack cost the company if its network is not adequately protected? Even a single attack can cost your organization dearly – from loss of revenue to damage to reputation. Every business acknowledges that network security is critical. Yet every day a new headline illustrates the many attack vectors employed to gain access to your network and your data.
The question is, how does an enterprise evaluate and justify investing in network security products like next-generation firewalls, secure remote access and unified threat management appliances? Here is some background to consider:
While there is no exact formula or “cost of attacks” calculator, useful research studies can give IT managers techniques for developing their own cost model. Three core areas are important for assessing the impact of network-based attacks:
- Defining the different types of network-based attacks.
- Understanding how those attacks can affect your bottom line.
- Methods of quantifying the impact of those attacks.
There are hundreds of types of network-based attacks that can damage an organization. The most common forms include viruses, trojans, worms and other malware that can shut down servers and workstations, or steal data; advanced persistent threats (APTs) designed to penetrate networks and surreptitiously steal intellectual property; distributed denial-of-service (DDoS) and flooding attacks that can overwhelm servers and shut down web sites.
This is where it hurts—attacks cause two major categories of harm, regardless of the source: data breaches and loss of service.
Data breaches result in confidential information being captured and surreptitiously removed out of the organization into the hands of criminals.
The damage caused by data breaches is very painful. It can be financial (lost revenue, legal fees and fines), soft costs (loss of customer loyalty, harm to brand reputation), and loss of competitiveness (stolen intellectual property). Companies that have suffered data breaches spend an inordinate amount of time and money on detection and technical remediation.
Denial-of-service attacks result in computer systems – workstations as well as web, application or database servers – being disabled. The damages in this scenario can also be catastrophic. Commerce slows to a crawl so revenue is directly impacted. Day-to-day processes are interrupted or employees cannot do their jobs. As with data breaches, there's a real cost associated with IT and support staff having to diagnose problems, restart services and re-image PCs.
As previously stated, there is no one-size-fits-all cost model. Two independent sources that can help IT quantify the impact of network-based attacks can be found in a study from Ponemon Institute and the NetDiligence® Cyber Liability & Data Breach Insurance Claims Study.
The Ponemon Institute conducted in-depth interviews late in 2011 with 49 U.S. companies that had experienced the loss or theft of customers' personal data. Some of the key findings include:
The per-record figures— which are based on fairly large quantities (100,000+ records)—can give IT managers a sense of the cost associated with data breaches, scaled to the size of the enterprise and the number of threats typically faced.
The NetDiligence study analyzed 137 events that resulted in insurance companies making payouts on cyber liability claims. Average payouts:
- Legal settlement per event: $2,100,000
- Legal defense per breach: $582,000
- Total average insurance payout costs per event: $3.7 million
While these two studies measure different elements of the costs associated with network attacks, they are consistent in that they both illustrate just how costly network attacks really are to a company's bottom line and its reputation.
Beyond these numbers, there are some back-of-the-envelope calculations that can help justify the investment needed for next-generation network firewall technologies:
- The revenue loss for every hour your web site is down, or impaired, because of a DDoS attack.
- The productivity loss for every hour a key business process is down because malware has disabled the server.
- The hourly rate for help desk personnel to diagnose malware infections and for the support group to re-image infected PCs.
Two additional techniques may be helpful in estimating the costs of attacks. Some organizations have created detailed estimates of possible future ramifications by conducting “war game” simulations. These involve gathering a cross-section of company staff and running through an attack scenario. These exercises not only help quantify costs, but often turn up other issues such as contractual obligations or the regulatory impact of data breaches.
So what does all this mean for IT managers? Network attacks are costly, disruptive, and should be avoided at all costs. The good news: there is a rich tool set available to help IT understand exactly how data breaches and loss-of-service attacks can affect your company's bottom line. It's not always an easy task to convince others within your organization that the dollars they invest today will protect them tomorrow, especially if you haven't had a breach, but it's vital that you do.
The numbers shared here clearly illustrate the damage, in dollars, that even a single breach can cause. By comparing these costs with the preventative cost of next-generation protection technologies, you are better armed and prepared to understand and articulate the financial and strategic value of increasing investment in securing your company's network. Managing your risk with next-generation firewalls is not just an academic exercise; it is a business imperative.