Guest post written by Jonathan Lewis
5/08/2012 @ 10:02PM
As cyber security moves from a purely technical issue to a major business concern, CIOs are faced with the thorny problem of how to best protect their company without over-spending on security. Security is about protecting confidentiality, integrity and network availability. Thus far, security spending has largely been focused on confidentiality and integrity with relatively little spending on protecting network availability. Research shows that it's time for this approach to change.
Loss of data center availability due to Distributed Denial of Service (DDoS) attacks has emerged as one of the most prevalent and costly forms of cybercrime. Motivations include extortion, revenge and competitive advantage, as well as a recent explosion of politically motivated attacks, also known as "hacktivism."
The means to carry out sophisticated and effective attacks are within easy reach of anyone with a PC and an Internet connection. Do-it-yourself DDoS attack tools are readily available and easy to use. Botnets for rent and DDoS attack services are available to anyone with as little as $50 and a grudge. A quick search on YouTube for "DDoS Service" shows how openly these attack services are being sold. As a result, enterprises and service providers are experiencing attacks on their data centers more often and with more severe business consequences than ever before.
The goal of the attacker is to prevent a data center from performing its core function, whether that is transacting e-commerce, delivering e-mail or voice services, providing DNS services, serving Web content, hosting games, and so on. Because the attacker is trying to create maximum disruption, attacks are most likely to occur at the worst possible time for the victim. For example, online retailers are especially vulnerable during the peak shopping period between Thanksgiving and Christmas, and especially on Cyber Monday.
CIOs should take a proactive approach to incorporating the DDoS threat into security and business continuity planning. The steps are straightforward. First, gain an understanding of the cost of service outages. In other words, determine what the hourly cost will be to your business if the data center is down or disabled due to an attack. Second, understand the probability that your business will be attacked and experience service outages. Lastly, take a risk management approach and consider the business impact of extended outages (i.e. 24 hours or more), weighing the expected costs/risks against the cost of investing in DDoS protection to ensure service availability.
The hourly cost of downtime will be unique to your business but generally comprises the following elements:
- Operations: What is the number of IT personnel that will be tied up addressing the attack and what is the hourly cost of that?
- Help Desk: If systems are shut down, how many help desk calls will be received and what is the cost per call?
- Recovery: How much manual work will be required to re-enter transactions?
- Lost Worker Output: What is the level of employee output lost to downtime and the costs associated with that?
- Lost Business: How much business will be lost for every hour the network is down?
- Lost Customers: How many existing customers will defect to the competition? What is the lifetime value of these customers?
- Penalties: How much will it cost in terms of service level agreement (SLA) credits or other penalties?
- Lost Future Business: How much will your ability to attract new customers be affected? What is the full value of that lost business?
- Brand and Reputation Damage: What is the cost to the company in terms of brand value?
Compare your results to industry averages. The Ponemon Institute surveyed 41 business managers from 16 different industry segments on the costs their operations had incurred due to unplanned data center outages. The hourly cost of downtime ranged from $8,500 to $210,000 per 1000 square feet of data center space in operation. Financial services and online commerce showed the highest costs per hour.
Next, consider the risk of attack. If your business has already been a victim of DDoS, the likelihood of subsequent attacks is high: you are already a target. Even if you have not been attacked before, there is still substantial risk. Once again, industry averages provide helpful guidance for risk planning. The most recent figures indicate expected annual downtime due to DDoS for an average data center is about 12 hours.
Combining the expected annual downtime with the hourly cost of downtime provides a good guideline as to the annual cost (or "annual loss expectancy") your business is likely to incur if you do not deploy effective DDoS protection. However, this does not provide the complete picture. There is the question of managing risk. DDoS attacks can bring down or seriously degrade services for days at a time. While the average expected annual outage time is about 12 hours, there is a smaller but real risk of extended downtime from DDoS. Outages of 24 hours and more are not uncommon. Thus DDoS should figure into business continuity planning much in the same way as fire and natural disaster do. In short, while the annual loss expectancy due to DDoS is an important economic consideration, it may be even more important to protect the business from catastrophic loss if it can be done at a cost that is both manageable and predictable.
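The three-step calculation above (hourly downtime cost from the listed elements, annual loss expectancy from the 12-hour average, and the extended-outage tail risk weighed against the price of protection) carried into working code, as an added example that is not part of the original post. All dollar figures in the block are constructed, and the 10% annual probability of a 24-hour outage is an assumption, not a figure from the post.

```python
from dataclasses import dataclass, fields

# Benchmarks quoted in the post: Ponemon hourly range per 1000 sq ft and ~12h/yr expected DDoS downtime.
PONEMON_HOURLY_RANGE = (8_500, 210_000)
EXPECTED_DDOS_HOURS_PER_YEAR = 12

@dataclass
class HourlyDowntimeCost:
    """The post's cost elements, each in dollars per hour of outage."""
    operations: float = 0.0           # IT staff tied up on the attack
    help_desk: float = 0.0            # extra calls x cost per call
    recovery: float = 0.0             # manual re-entry of transactions
    lost_worker_output: float = 0.0
    lost_business: float = 0.0
    lost_customers: float = 0.0       # defections x lifetime value, per hour
    penalties: float = 0.0            # SLA credits and other penalties
    lost_future_business: float = 0.0
    brand_damage: float = 0.0

    def total(self) -> float:
        return sum(getattr(self, f.name) for f in fields(self))

def annual_loss_expectancy(hourly_cost: float, expected_hours: float) -> float:
    """Steps 1 and 2 combined: expected yearly DDoS downtime cost if unprotected."""
    return hourly_cost * expected_hours

def extended_outage_exposure(hourly_cost: float, hours: float, annual_probability: float) -> float:
    """Step 3: expected yearly cost of a rare extended outage (24h or more)."""
    return hourly_cost * hours * annual_probability

def within_industry_range(hourly_cost: float, data_center_sqft: float) -> bool:
    """Sanity-check an estimate against the Ponemon range per 1000 sq ft."""
    per_1000 = hourly_cost / (data_center_sqft / 1000)
    return PONEMON_HOURLY_RANGE[0] <= per_1000 <= PONEMON_HOURLY_RANGE[1]

def protection_case(hourly_cost, expected_hours, tail_hours, tail_probability, protection_cost):
    """Weigh ALE plus tail exposure against the annual cost of DDoS protection."""
    ale = annual_loss_expectancy(hourly_cost, expected_hours)
    tail = extended_outage_exposure(hourly_cost, tail_hours, tail_probability)
    return {"ale": ale, "tail": tail, "exposure": ale + tail,
            "worst_case": hourly_cost * tail_hours,     # the catastrophic loss to plan for
            "invest": protection_cost < ale + tail}

# Constructed example figures (not from the post): a mid-sized online retailer.
COSTS = HourlyDowntimeCost(operations=1_500, help_desk=500, recovery=2_000,
                           lost_worker_output=3_000, lost_business=10_000,
                           lost_customers=2_000, penalties=1_000)
CASE = protection_case(COSTS.total(), EXPECTED_DDOS_HOURS_PER_YEAR,
                       tail_hours=24, tail_probability=0.10, protection_cost=150_000)
```

With these constructed figures the hourly cost is $20,000, the ALE is $240,000 and the tail exposure adds $48,000, so a $150,000 protection service pays for itself; raise the protection price above the combined exposure and the same function says no.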
DDoS attacks are trending upward in frequency, size, duration and effectiveness. The good news is that there are solutions available that can prevent these attacks from bringing down data center services. CIOs who understand the economic value of data center services to their business, and who are aware of costs associated with DDoS threat, are well positioned to make the right business decisions with regard to investments in network availability protection.