The hidden costs of systems downtime

Forrester Research interviewed security managers at 50 blue chip companies. While most recognised the potential damage caused by systems outage, few could quantify the cost of such incidents.

More than half of the respondents indicated that a one-day outage would have a disastrous effect on their business, and a food and drink company said that it would lose $2m for every hour of systems downtime.

A security manager at a manufacturing company pointed out that the Nimda virus had affected the company’s order fulfilment capabilities, and a healthcare company recognised that a systems outage could have a devastating effect on its reputation.

Damage to reputation

‘If our systems went down, we’d be crippled,’ said the company’s security manager. ‘And it’s not just the direct effects that matter. The PR damage associated with an incident would be hard to recover from.’

Despite the potential damage, fewer than half of the interviewees knew the exact cost of responding to security incidents.

Up to 60% of respondents said that they couldn’t calculate their losses because costs were too difficult to determine.

‘We can’t seem to quantify the cost of responding to incidents,’ explained the security manager of one telco. ‘Because it’s so difficult to sort out all the pieces, we just simplify and track time spent and equipment required. So we only get the tip of the iceberg.’

Other companies also said that they had difficulty quantifying the cost of responding to incidents.

‘We haven’t quantified the cost of responding to incidents yet, and we won’t until we have a very major incident,’ said the security manager of a financial company. ‘The Nimda worm was a wake-up call for us, and perhaps a harbinger of things to come.’

Growing fears over security incidents appear to be justified, as 90% of interviewees reported having security breaches in the past year. Open networks and viruses are the biggest concerns.

Despite these anxieties, just 28% of respondents allocated funds directly to incident response. The majority of managers include such expenditure in general IT costs.

‘We certainly don’t have a budget item for incident response,’ said one retail company. ‘In fact, we don’t even have a security line-item on our IT budget for next year because we can’t show return on investment yet.’

Lack of expert resources

Virtual response teams are generally created from internal systems and network administration staff, and fewer than a third of security managers draw on external expert resources, such as consultants or outsourcers.

The security manager at a wholesale company said that the company’s virtual response team included security workers, server specialists, network administrators and technical support staff.

Another security manager at a telecoms company explained that it was difficult to keep virtual team members up to speed.

‘We assign people to the team as needed,’ he said. ‘At the end of the day, however, there are only three people I know I can depend on.’
