According to the study, "The Costs of Network Security Attacks: North America 2007," large organizations are losing an average of 2.2% of their annual revenue because of security attacks. That may sound relatively small, but when coupled with the extra few percentage points of revenue companies lose to non-security related downtime, the loss is much higher.
Large companies take the biggest hit from security-related downtime, but results show that small and midsized businesses (SMBs) stand to lose about half a percent of their annual revenue to security-related downtime, which can translate to hundreds of thousands of dollars annually.
According to Jeff Wilson, Infonetics' principal analyst, SMBs often lack the tools and processes to track their downtime accurately. If those tools were in place, Wilson suggests, the total loss of revenue would most likely be significantly higher than the Infonetics study indicates, though it would still fall short of the losses large organizations suffer.
"The point is, they are only reporting to us what they know about," Wilson said. "There are targeted security solutions available for organizations of every size, and I think once they see just how much money they're losing due to security attack downtime, they'll be more interested in making special investments to put a
The amount of money lost includes both revenue lost because of slow or non-working systems and also lost productivity when systems are functioning properly.
Wilson said that more than half of the security-related downtime cost for all organizations is due to service degradation, not outright outages, and much of that is considered "hidden downtime," since service degradation often goes unreported.
"In both network and security downtime, a lot is lost to degradation or poor performance," he said. "That's one of those hidden costs."
But those losses can be controlled if users are encouraged to report poor performance, or tools are deployed to monitor the network.
"Many organizations have a hard time closely tracking downtime caused by service degradation because they don't have the proper network management tools to observe and quantify service degradations," the study concludes.
"Companies need to look at: What are third-party pressures? What is your risk of loss? And what are your downtime pictures?" Wilson suggested, adding that companies need to "keep track of what they lose and make incremental security investments based on that."
Midsized organizations are most vexed by client malware, while large organizations are hit harder by DoS attacks and server malware. Small organizations, on the other hand, suffer fairly evenly from all three attack types: client malware, DoS attacks and server malware.
Spyware has become a major problem for SMBs, Wilson said. At midsized organizations, a massive 40% of all security-related downtime costs come from spyware alone. That, he said, is caused mostly by a lack of acceptable-use policies and a lack of client-side protection tools.
According to Infonetics, the study was conducted to learn the causes and calculate the cost of security attack downtime, while examining productivity versus revenue losses, outages versus degradations, attack types (such as DoS attacks and client and server malware), and the specific attacks that are most troublesome. The results were tallied from interviews with 240 small, midsized and large companies in North America. Respondents were asked to report the number and duration of outages and service degradations caused by security attacks, annual company revenue and other metrics. Infonetics took that data and used its cost analyzer tools to calculate lost revenue and productivity.
Overall, Wilson said, companies are faring pretty well against security downtime, since the percentage is still relatively low. For large companies, which already have IDS/IPS, firewalls and client security tools in place, the loss incurred may just be the cost of doing business.
"For the most part," he said, "they're doing everything they can right now."