
On Cyber Monday, downed sites cost merchants $500K per hour, study finds

The holidays bring a surge in online sales for businesses, but those failing to protect their websites also face substantial losses, a recent study found.

Just an hour of downtime for a customer-facing website could cost a company nearly $500,000 on average during the Cyber Monday shopping frenzy – the Friday following Thanksgiving where merchants vie for online holiday sales, the report revealed.

Released Monday, “The 2013 eCommerce Cyber Crime Report: Safeguarding Brand and Revenue This Holiday Season” (PDF) weighed the business loss incurred by holiday cyber attacks, specifically those impacting organizations on Cyber Monday.

Sponsored by RSA Security, the study was independently conducted by the Ponemon Institute and included the responses of more than 1,100 IT practitioners in the U.S. and U.K.

While the average loss due to downed e-commerce sites spiked to half a million dollars on Cyber Monday, the average cost on a typical day reached $336,729 for businesses facing the issue for just an hour.

In addition, the study found that disgruntled customers who were unable to make a purchase on the site and decided not to return caused companies estimated brand damage of $3.4 million on average.

Botnets and denial-of-service attacks topped the list of methods that miscreants used to bring down e-commerce websites.

On Monday, Demetrios Lazarikos, an IT threat strategist at RSA, told SCMagazine.com that many of the individuals surveyed were well aware of the increased threat during the holidays – but that this didn't always equate to companies taking additional security measures.

The study found that 64 percent of organizations saw significant increases in attack activity during high traffic days, including Cyber Monday. Surprisingly, only one-third of respondents said they were taking special precautions to make sure customer-facing websites remained available and secure.

“I think it's a combination of two things,” Lazarikos said. “They may have not been a victim in the past or realized they were attacked, meaning they don't know what they don't know,” he said.

“Or, they probably don't have full visibility via cyber threat intelligence or a mature information security and fraud program,” he added.

In the report, more than half of respondents, 51 percent, said that their organization doesn't have real-time visibility into company sites “to detect the presence of a criminal.”
