The business cost of failed security compliance and downtime

Or the impact of the health of an IT environment on a business…as seen through the eyes of a marketer :)

All of us in marketing know the pains of promoting a product or service while also firefighting the backlash of its technical faux-pas or downtime. Attributing any shortfall in performance to such causes — even when the proof is documented — is usually quickly dismissed and ignored (too much work to fix, not enough budget, IT ain’t got no time for that, and so on).

But there are solid reasons why these things are now more important than ever, and it’s important for every business to understand that throwing money at the problem without fixing the underlying issues doesn’t work. Not only that, but it is a very short-lived hot fix, and a very expensive, long-term unprofitable one.

My thoughts on the matter 👇

Warren Buffett said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

It feels like, since the onset of COVID-19, all the businesses in the world have been living through these crucial five minutes. The pressure to adapt, pivot and deal with the effects, added to the massive expectations from their customers to be stellar in every way, has been enormous.

One of the big buzzwords of this equation has been “digital transformation”. But what has that really meant so far?

For some, it meant taking marketing and sales operations from offline into the online, introducing automation, building tech stacks — everything at breakneck speeds.

For others, it meant supercharging the IT infrastructure to let large workforces work remotely in a secure way, ensuring enough capacity and 100% uptime for exponential traffic growth, and, again, security, security, security. Streaming services and gaming companies have literally exploded, and while the opportunity for revenue was definitely booming, so have been the challenges of delivering and living up to expectations.

What are you looking at in terms of damages?

Reputational loss: Reputation is perhaps the most important asset a company has, and it is very difficult to protect. Losses emerging from reputation damage can be a greater risk to the company than any other and are practically incalculable.

Brand damage: This is one of the most difficult impacts to quantify. Brand damage can also result in a loss of consumer trust, and that trust can be difficult to regain, with a lasting impact on the brand and its reputation.

Compliance fines: Compliance fines vary depending on the nature of the breach.

Privacy regulatory defense and penalties: Claims are made after a breach by various parties, particularly consumers and banks, and legal defense expenses arise when companies defend against those claims. According to a 2015 NetDiligence Cyber Liability and Data Breach Insurance Claims Study, the average cost of legal defense was $500,000, while legal settlement costs averaged around $1 million per incident.

What are the costs of misconfigurations?

Many in the IT industry would agree that outages and downtime are very bad for business. Bad service means hits to service reputation, amplified via social media, and it can end up very harmful financially even after remediation.

Now for the numbers…

Web application downtime can cost companies $10,000 per minute and up.

The average hourly cost of enterprise server downtime, worldwide 2019:

[Chart: Average cost per hour of enterprise server downtime]

Source: Statista

The costs of failing a security compliance audit?

Besides the significant and obvious hit in terms of basic logistics needed for the business to function, the organization will lose credibility and suffer a reputational loss, which has an unmeasurable impact on the bottom line.

Target’s cyber attack from 2013 is a cautionary tale. The retail giant went from being one of the top 10 brands ranked by BrandIndex to number 21 by January of 2013, just months after its data breach was announced. Besides declines in sales, the company then spent significant money on various campaigns to regain the lost brand recognition.

In the Target incident, 40 million credit and debit card numbers and 70 million records of personal information were stolen.

The company had to pay an $18.5 million multistate settlement, the largest ever for a data breach, but the total cost of the incident is said to have been over $202 million (the consumer class actions were still ongoing in 2017).

Some of the penalties you’re looking at depending on the vertical industry

HIPAA (Health Insurance Portability and Accountability Act of 1996)

This type of compliance audit covers businesses within:

  • Health insurers
  • Health care cleaning services
  • Any healthcare provider who transmits health information

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time. (Source: https://www.truevault.com/resources/compliance/how-much-do-hipaa-violations-cost#)

PCI-DSS (Payment Card Industry Data Security Standard)

Payment Card Industry (PCI) compliance is a set of requirements developed to ensure that the credit card industry properly manages and secures customer data.

The DSS portion, the Data Security Standard, is the set of requirements placed on anyone who has to maintain PCI compliance.

If your company neglects to adhere to these rules and requirements, you could receive a fine of up to $100,000 per month of noncompliance.

GDPR (General Data Protection Regulation)

The EU’s General Data Protection Regulation is one of the most comprehensive government-imposed data privacy frameworks implemented to date. It applies both to European companies and to any company that processes personally identifiable data of European citizens.

GDPR compliance violations can rack up pretty hefty fines. Failure to meet these regulations can cost up to 20 million euros or 4% of total annual turnover for the financial year, whichever is higher.

How to solve misconfigurations and security compliance?

Manual work is definitely not the answer!

Mostly because the complexity of today’s IT environment makes it difficult, if not impossible, to factor in all the new variables 24/7.

Then you’ve got migrations, upgrades and just basic things like keeping up with day-to-day checks — basic, but many. Tools that help you manage the workload are not just nice-to-haves, they’re mission critical!

Runecast Analyzer, for example, offers a centralized view of your virtual IT environment’s health and compliance, no matter how complex it is.

By connecting all your vCenters and your AWS, Azure and Kubernetes APIs to a single, lightweight Runecast Analyzer virtual appliance, sysadmins can take control from a single dashboard. The Runecast Analyzer engine is fully capable of running offline and can even be upgraded in offline mode. Its patented rules engine uses Artificial Intelligence (AI) and Natural Language Processing (NLP) to automatically discover misconfigurations in your environment that can cause failed security audits or trigger outages.

Originally published at https://www.runecast.com.

Growth Hacker and Essentialist, #Performance and all around Digital Enthusiast, user behaviour analyzer. Love reading, travelling, arts & all things Japanese.