The Cost of Denial-of-Services Attacks

Similar documents
Reducing Cybersecurity Costs & Risk through Automation Technologies

Uncovering the Risk of SAP Cyber Breaches

2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB)

National Survey on Data Center Outages

Big Data Cybersecurity Analytics Research Report Sponsored by Cloudera

Big Data Analytics in Cyber Defense

Sponsored by Raytheon. Don t Wait: The Evolution of Proactive Threat Hunting Executive Summary

The State of Cybersecurity in Healthcare Organizations in 2016

Future State of IT Security A Survey of IT Security Executives

The Third Annual Study on the Cyber Resilient Organization

2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB)

Data Protection Risks & Regulations in the Global Economy

The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats

Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way

2013 Cost of Cyber Crime Study: Global Report

2012 Cost of Cyber Crime Study: United States

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

2014 Global Report on the Cost of Cyber Crime

Combating Cyber Risk in the Supply Chain

Flying Blind in the Cloud

Cybersecurity Survey Results

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

The Evolving Role of CISOs

2017 Cost of Data Breach Study

CYBERSECURITY PREPAREDNESS AND RESPONSE

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

COST OF CYBER CRIME STUDY

Ponemon Institute s 2018 Cost of a Data Breach Study

Business continuity management and cyber resiliency

2012 Consumer Study on Data Breach Notification. Sponsored by Experian Data Breach Resolution

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Cyber-Threats and Countermeasures in Financial Sector

Business Resiliency Strategies for the Cloud. Summary Results September 2017

Securing Information Systems

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT:

New Zealand National Cyber Security Centre Incident Summary

Cyber Security in Timothy Brown Dell Fellow and CTO Dell Security

2015 VORMETRIC INSIDER THREAT REPORT

2017 PKI GLOBAL TRENDS STUDY

Cyber Security. June 2015

A Global Look at IT Audit Best Practices

Tripwire State of Container Security Report

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

NYDFS Cybersecurity Regulations

Arbor White Paper Keeping the Lights On

Chapter 12. Information Security Management

COPYRIGHT 2018 NETSCOUT SYSTEMS, INC. 1

Defending Our Digital Density.

Must Have Items for Your Cybersecurity or IT Budget in 2018

Spotlight Report. Information Security. Presented by. Group Partner

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Todd Sander Vice President, Research e.republic Inc.

Information Security Data Classification Procedure

The State of Cloud Monitoring

Building a Threat Intelligence Program

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity and Nonprofit

Have breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?

CYBERSECURITY RESILIENCE

mhealth SECURITY: STATS AND SOLUTIONS

HEALTH CARE AND CYBER SECURITY:

Cyber Risks in the Boardroom Conference

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

The Need For A New IT Security Architecture: Global Study On The Risk Of Outdated Technologies

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Vertiv Data Center IQ Survey

Session ID: CISO-W22 Session Classification: General Interest

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

Cybersecurity Overview

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW

PT Unified Application Security Enforcement. ptsecurity.com

Security and Privacy Governance Program Guidelines

External Supplier Control Obligations. Cyber Security

From Russia With Love

Information Security Controls Policy

Information Security By Rick Blum, Senior Manager, Strategic Marketing

Cyber Security Program

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Cybersecurity 2016 Survey Summary Report of Survey Results

Information Security Policy

Bringing Cybersecurity to the Boardroom Bret Arsenault

Managed Endpoint Defense

The Interactive Guide to Protecting Your Election Website

The Role of the Data Protection Officer

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Clarity on Cyber Security. Media conference 29 May 2018

Protecting your next investment: The importance of cybersecurity due diligence

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

Are you safe? Your business growth strategies are at the heart of the cyber risks your organization faces

The 2017 State of Endpoint Security Risk

Transcription:

The Cost of Denial-of-Services Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

The Cost of Denial-of-Service Attacks Ponemon Institute, March 2015 Part 1. Introduction We are pleased to present the findings of The Cost of Denial-of-Service Attacks sponsored by Akamai Technologies. The purpose of this research is to understand the cost and consequences of these security threats. Ponemon Institute surveyed 641 individuals involved in preventing, detecting and/or containing denial-of-service attacks against their organizations. Most participants in this research work in IT operations, IT security, IT compliance or data center administration. A denial-of-service (DoS) attack occurs when the criminal prevents legitimate users from accessing information or services. By targeting a company s computers and its network connection an attacker can cause costly disruptions to operations and damage to its reputation and trustworthiness. The following is a summary of the cost and consequences of DoS attacks:! DoS attacks are costly. Companies in this study reported an average of $1.5 million in costs related to DoS over the past 12 months. On average, these companies had four DoS attacks in the past 12 months. The average costs for each DoS attack is summarized in Figure 1. As shown, the most expensive cost component concerns customer facing revenue losses because of IT availability gaps or downtime.! Data center downtime due to a denial-of-service attack happens frequently. Eighty-two percent of respondents say the denial-of-service attack shut down the entire data center (34 percent) or part of the data center (48 percent). On average, during the past 12 months respondents say their systems were shut down 9 hours.! The number one consequence of a DoS attack is reputation damage. Sixty-four percent of respondents say reputation damage is the main consequence of a denial-of-service attack. This is followed by diminished productivity for IT staff (35 percent) and revenue losses (33 percent).! Denial-of-service attacks will increase. Forty-four percent of respondents say denial-ofservice attacks increased over the past year and 49 percent say they will increase over the next 12 months. The most critical barriers to preventing these threats are insufficient budget resources, lack of qualified security personnel (46 percent) and lack of C-level support.! Denial-of-service is in the top three of security threats facing companies. When asked to indicate which security threats worry them most, 56 percent say it is zero-day attacks, malware (45 percent of respondents) and denial-of-service (38 percent). Ponemon Institute Research Report Page 1

Part 2. Key findings In this section we present an analysis of the key findings. The following is a summary of key takeaways. What is the state of denial-of-service attacks in organizations? On average, organizations experienced approximately 4 denial-of-service attacks in the past 12 months. The majority of respondents do not have confidence in their organizations ability to deal with a DoS attack. As Figure 2 reveals, only 43 percent rate their organizations highly effective in quickly containing denial-of-service attacks and only 14 percent of respondents rate their ability to prevent denial-ofservice attacks as highly effective. Forty-three percent believe they are effective in responding to denial-of-service attacks. Figure 2. Can organizations deal with a DoS Attack? Percentage of respondents who rate their organization as high ( 7+ on a scale of 1 = low to 10 = high) Ability to quickly contain denial of service attacks 43% Preparedness to respond to denial of service attacks 42% Ability to prevent denial of service attacks 14% 0% 10% 20% 30% 40% 50% Ponemon Institute Research Report Page 2

Data center downtime due to a denial-of-service attack happens frequently. According to Figure 3, 82 percent of respondents say the denial-of-service attack shut down the entire data center (34 percent) or part of the data center (48 percent). On average, during the past 12 months respondents say their systems were shut down 9 hours. Figure 3. Did the DoS attack result in downtime of the data center 60% 50% 48% 40% 34% 30% 20% 18% 10% 0% Yes, the entire data center was shutdown Yes, only part of the data center was shutdown No The number one consequence of a DoS attack is reputation damage. As shown in Figure 4, reputation damage, according to 64 percent of respondents is the main consequence of a denialof-service attack. This is followed by diminished productivity for IT staff (35 percent) and revenue losses (33 percent). Figure 4. Consequences of a DoS attack Two responses permitted Reputation damage 64% Diminished productivity for IT staff Revenue losses 35% 33% Diminished productivity for end users 24% Damage to property, plant and equipment Regulatory or compliance violations 17% 16% Theft of information assets Other 6% 5% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 3

Denial-of-service attacks will increase. According to Figure 5, the DoS threat will continue to plague companies. Forty-four percent of respondents say denial-of-service attacks increased over the past year and 49 percent say they will increase over the next 12 months. Figure 5. DoS attacks predicted to increase 60% 50% 49% 40% 36% 30% 20% 10% 10% 5% 0% Will most likely increase No change predicted Will most likely decrease Can t determine A barrier to stopping DoS attacks is the lack of resources. The most critical barriers to preventing these threats are insufficient budget resources, lack of qualified security personnel (46 percent) and lack of C-level support, as shown in Figure 6. Figure 6. Barriers to preventing DoS attacks Two responses permitted Insufficient budget resources Lack of qualified security personnel 46% 49% Lack of C-level support Inadequate or Insufficient technologies 32% 30% Insufficient personnel and in-house expertise 25% Lack of security leadership 15% Focus on other security priorities 3% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 4

Denial-of-service is in the top three of security threats facing companies. When asked to indicate which security threats worry them most, 56 percent say it is zero-day attacks, malware and denial-of-service, as shown in Figure 7. Figure 7. Security threats that worry IT Three responses permitted Zero-day attacks 56% Malware 45% Denial-of-service Malicious insider 35% 38% Web-based attacks Cross-site scripting Phishing scams 26% 28% 30% SQL injection 21% Clickjacking 11% Stolen or hijacked computers 8% Other 2% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 5

The solutions used most often to prevent, detect and contain denial-of-service attacks are: DDoS scrubbing solutions, ISP-based solutions, endpoint security solutions and traffic/network intelligence. Figure 8. Most effective technologies to deal with DoS attacks 1 = low to 10 = high DDoS scrubbing solution ISP-based solution 7.95 7.84 Endpoint security solutions Traffic/network intelligence 6.74 6.55 Firewalls Intrusion detection and prevention Next generation firewalls Security incident and event management 5.67 5.55 5.19 4.86 VPN and secure gateways 4.01 Anti-malware Content delivery networks Encryption and other crypto technologies 2.50 3.30 3.11 1 2 3 4 5 6 7 8 9 10 Ponemon Institute Research Report Page 6

How costly are denial-of-service attacks? The average total cost per year to deal with DoS is approximately $1.5 million. As shown in Table 1, this includes technical support ($347,685), lost productivity ($173,169), disruption to normal operations ($325,180), damage or theft of IT assets and infrastructure ($158,320) and revenue losses due to customer-facing services not being available ($491,152). Table 1. The financial consequences of a DoS attack Extrapolated value Revenue losses occurring because customer-facing services were not available $491,152 Technical support $347,685 Disruption to normal operations $325,180 Lost user productivity $173,169 Damage or theft of IT assets and infrastructure $158,320 Total $1,495,506 According to Pie Chart 1, the largest percentage of cost is the loss of revenue because customerfacing services were not available. Damage or theft of IT assets and infrastructure is the smallest. Pie Chart 1. Breakdown of the financial consequences of a DoS attack 11% 12% 33% Revenue losses Technical support Disruption to normal operations 22% Lost user productivity 23% Damage or theft of IT assets and infrastructure Ponemon Institute Research Report Page 7

Part 3. Methods The sampling frame is composed of 16,880 IT and IT security practitioners located in the United States and who are involved in preventing, detecting and/or containing denial-of-service attacks against their organizations. As shown in Table 1, 697 respondents completed the survey. Screening removed 56 surveys. The final sample was 641 surveys (or a 3.8 percent response rate). Table 1. Sample response Freq Pct% Total sampling frame 16,880 100.0% Total returns 697 4.1% Rejected or screened surveys 56 0.3% Final sample 641 3.8% Pie Chart 2 reports the current position or organizational level of the respondents. More than half of respondents (58 percent) reported their current position as supervisory or above. Pie Chart 2. Current position or organizational level 6% 2% 2% 1% 16% Senior Executive Vice President Director 34% 21% Manager Supervisor Technician Staff Contractor 18% Pie Chart 3 identifies the primary person the respondent reports to. Fifty-nine percent of respondents identified the chief information officer as the person they report to. Another 21 percent indicated they report directly to the CISO. Pie Chart 3. Direct reporting channel 4% 2% 2% 1% 5% 6% 59% 21% Chief Information Officer Chief Information Security Officer Chief Risk Officer Compliance Officer Chief Security Officer Chief Financial Officer General Counsel CEO/Executive Committee Ponemon Institute Research Report Page 8

Pie Chart 4 reports the primary industry classification of respondents organizations. This chart identifies financial services (19 percent) as the largest segment, followed by public sector (11 percent), health and pharmaceuticals (10 percent) and retail (10 percent). Pie Chart 4. Primary industry focus 4% 3% 2% 3% 19% 4% 5% 6% 11% 7% 10% 7% 9% 10% Financial services Public sector Health & pharmaceuticals Retail Services Industrial Technology & software Hospitality Energy & utilities Consumer products Transportation Education & research Communications Other According to Pie Chart 5, more than half of the respondents (53 percent) are from organizations with a global headcount of more than 1,000 employees. Pie Chart 5. Worldwide headcount of the organization Extrapolated value = 13,402 9% 7% 23% Less than 500 500 to 1,000 16% 1,001 to 5,000 21% 24% 5,001 to 25,000 25,001 to 75,000 More than 75,000 Ponemon Institute Research Report Page 9

Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners in various organizations in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback