On Cyber Monday, downed sites cost merchants $500K per hour, study finds

The holidays bring a surge in online sales for businesses, but those failing to protect their websites also face substantial losses, a recent study found.

Just an hour of downtime for a customer-facing website could cost a company nearly $500,000 on average during the Cyber Monday shopping frenzy – the Friday following Thanksgiving where merchants vie for online holiday sales, the report revealed.

Released Monday, “The 2013 eCommerce Cyber Crime Report: Safeguarding Brand and Revenue This Holiday Season” (PDF) weighed the business loss incurred by holiday cyber attacks, specifically those impacting organizations on Cyber Monday.

Sponsored by RSA Security, the study was independently conducted by the Ponemon Institute and included the responses of more than 1,100 IT practitioners in the U.S. and U.K.

While the average loss due to downed e-commerce sites spiked to half a million dollars on Cyber Monday, the average cost on a typical day reached $336,729 for businesses facing the issue for just an hour.

In addition, the study found that disgruntled customers who were unable to make a purchase on the site and decided not to return caused estimated brand damage of $3.4 million on average for companies.

Botnets and denial-of-service attacks topped the list of methods that miscreants used to bring down e-commerce websites.

On Monday, Demetrios Lazarikos, an IT threat strategist at RSA, told SCMagazine.com that many of the individuals surveyed were well aware of the increased threat during the holidays – but that this didn't always equate to companies taking additional security measures.

The study found that 64 percent of organizations saw significant increases in attack activity during high traffic days, including Cyber Monday. Surprisingly, only one-third of respondents said they were taking special precautions to make sure customer-facing websites remained available and secure.

“I think it's a combination of two things,” Lazarikos said. “They may have not been a victim in the past or realized they were attacked, meaning they don't know what they don't know.”

“Or, they probably don't have full visibility via cyber threat intelligence or a mature information security and fraud program,” he added.

In the report, more than half of respondents, 51 percent, said that their organization doesn't have real-time visibility into company sites “to detect the presence of a criminal.”
