A report seeking to measure the impact of distributed denial-of-service (DDoS) attacks on affected organizations reveals that the average cost per hour of such an assault is $40,000 / €32,180, with half of the surveyed companies recording losses of $500,000 / €402,000 during an incident.

The study was conducted by Incapsula, a company providing protection solutions against DDoS attacks, on 270 organizations in the US and Canada, from different industry sectors. The number of employees for each of them varies from 250 to 10,000.

Financial losses are not tied only to mitigating the incident

According to the surveyed entities, 49% of the recorded DDoS attacks lasted between six and 24 hours. These are the cases where the estimated cost averages $40,000 / €32,180 for every hour of the attack. 15% of the respondents declared costs in excess of $100,000 / €80,500 per hour.

Incidents extending over several days, and even more than one week, have also been reported.

According to Incapsula, the first half of the year saw a 350% increase in large-scale volumetric DDoS incidents, which are also getting more powerful and lasting longer. These are intended to exhaust the available network bandwidth, resulting in disruption of services.

The losses associated with DDoS attacks are not assessed strictly from the event mitigation standpoint and include the overall impact on the company.

“Costs are not limited to the IT group; they also have a large impact on units such as security and risk management, customer service, and sales.

“Additionally, most respondents who had been targeted experienced a variety of non-financial costs. 87% experienced at least one non-financial consequence, such as loss of customer trust, loss of intellectual property,” the report states.

In a little more than half of the cases surveyed, hardware and software had to be replaced, which also incurs expenses.

As expected, the IT division is the most affected from a financial point of view, followed by customer sales and the security/risk management unit.

Most companies do not use dedicated anti-DDoS technology

Getting the company back to a normal state of business also has to be taken into consideration because, in most cases, recovering from a DDoS attack can take months and sometimes even years, and assessing the entire extent of the damage is not possible in all instances. What is certain is that these incidents have a long-term effect.

As far as managing the incident is concerned, many of the respondents lacked the necessary plans and solutions for defending against DDoS attacks, with some still relying on web application or network firewalls.

However, 43% of them stated that their organization used a dedicated solution for combating the DDoS threat.