The average distributed denial-of-service (DDoS) attack costs large businesses an average of $444,000 in lost revenue and subsequent IT spending, according to a recent survey by B2B International. The same poll found that DDoS attacks hit the bottom line of small-to-medium-sized businesses (SMBs) at an average clip of $52,000 per incident.

Kaspersky Lab sponsored the annual survey, conducted by B2B International, which polled 3,900 respondents from 27 countries about IT infrastructure challenges they faced from April 2013 through May 2014.

All businesses at risk
Businesses of all sizes were polled, with approximately 17 % coming from large enterprises (5,000 to 50,000 employees), 12% from the large/medium category (1,500 to 5,000), 25% from the medium/small (250 to 1,500) enterprise segment, and the remaining from small businesses.

Overall, nearly 1 in 5 businesses (18%) experienced a DDoS attack during the year-long study period. The polling then drilled down into business verticals that provide online financial services or operate public-facing websites. Among this subset that relies on 24/7 web access for clients, the survey found that 38% experienced at least one DDoS attack during the study period.

When this subset was broken down into specific business verticals, the poll found that 49% of IT/technology firms suffered at least one DDoS incident during the study period, followed by e-commerce sites (44%), telecommunications (44%), media (42%), construction/engineering (40%) and finance (39%).

Downtime = Money
The most frequent effects of DDoS attacks include slow-loading web pages, inability to complete online transactions, or complete service disruption – all of which weigh heavily on a business that relies on the web for revenue. Survey respondents listed potential losses in revenue (33%) and damage to company brand (38%) as the two most negative outcomes from a DDoS attack. This is in lockstep with their management’s concerns, who list loss of revenue (26%) and customer trust (23%) as the most feared outcomes of such an attack.

A disconnect between the potential threat of DDoS and investments to detect or mitigate these attacks is apparent when dissecting the survey. For example, media companies were fourth on the list of most targeted, by only 38% of respondents from these firms listed DDoS countermeasures as a security priority. Among e-commerce respondents, whose businesses may be most heavily affected by the effects of a DDoS attack, only 41% noted DDoS security investment as a priority. 

“Even if a company does not have a public-facing website, its finances and reputation can be seriously affected by DDoS attacks”, said Eugene Vigovsky, head of DDoS protection at Kaspersky Lab, in a statement. “It is known that DDoS can be organized not only to incapacitate online services or for ransom, but also to mask other cybercriminal activities, such as targeted attacks…to gain access to confidential data.”

Watching your availability
When it comes to online security, most organizations tend to focus on the confidentiality or integrity of data and services, often at the expense of availability, noted Lenin Aboagye, Director of IT, cloud and product security for data center provider IO. He told DatacenterDynamics that companies experiencing DDoS-related downtime stand to lose money every minute their web services are affected.

“If you operate a downed e-commerce site, and people cannot make a purchase especially during this holiday season, then losses can be substantial”, he added. “Most organizations do not look into this area of security because it’s not considered a data breach event that requires customer notification.”