The business cost of failed security compliance and downtime

Or the impact of the health of an IT environment on a business…as seen through the eyes of a marketer :)

All of us in marketing know the pains of promoting a product or service while also firefighting the backlash from its technical faux pas or downtime. Attributing any drop in performance to such causes, even when the proof is documented, is usually quickly dismissed and ignored (too much work to fix and not enough budget, IT ain’t got no time for that, and so on).

But there are solid reasons why these things are now more important than ever, and every business needs to understand that throwing money at the problem without fixing the underlying issues doesn’t work. Not only that, but it is a very short-lived hot fix, and an expensive and unprofitable one in the long term.

My thoughts on the matter 👇

Warren Buffett said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

One of the big buzzwords of this equation has been “digital transformation”. But what has that really meant so far?

For some, it meant taking marketing and sales operations from offline into the online, introducing automation, building tech stacks — everything at breakneck speeds.

For others, it meant supercharging the IT infrastructure so that large workforces could work remotely in a secure way, ensuring enough capacity and 100% uptime for exponential traffic growth, and again security, security, security. Streaming services and gaming companies have literally exploded, and while the opportunity for revenue was definitely booming, so were the challenges of delivering and living up to expectations.

What are you looking at in terms of damages?

Brand damage: This is one of the most difficult impacts to quantify. Brand damage can also result in a loss of consumer trust, and that trust can be difficult to regain.

Compliance fines: Compliance fines vary depending on the nature of breach.

Privacy regulatory defense and penalties: Claims are made after a breach by various parties, particularly consumers and banks, and legal defense expenses arise when companies defend against those claims. According to a 2015 NetDiligence Cyber Liability and Data Breach Insurance Claims Study, the average cost for legal defense was $500,000, while legal settlement costs averaged around $1 million per incident.

What are the costs of misconfigurations?

The IT Process Institute’s Visible Ops Handbook reported in the past that “80% of unplanned outages are due to ill-planned changes made by administrators (“operations staff”) or developers”.

The Enterprise Management Association reported that 60% of availability and performance errors are the result of misconfigurations (Visible Ops).

Now for the numbers…

Web application downtime can cost companies $10,000 per minute and up.

The average hourly cost of enterprise server downtime, worldwide 2019:

[Chart: Average cost per hour of enterprise server downtime]

Source: Statista

The costs of failing a security compliance audit?

Target’s cyber attack from 2013 is a cautionary tale. The retail giant went from being one of the top 10 brands ranked by BrandIndex to number 21 by January of 2013, just months after their data breach was announced. Besides declines in sales, the company then spent significant money on various campaigns to regain the lost brand recognition.

In the Target incident, 40 million credit and debit card numbers and 70 million records of personal information were stolen.

The company had to pay an $18.5 million multistate settlement, the largest ever for a data breach, but the total cost of the incident is said to have been over $202 million (the consumer class actions were still ongoing in 2017).

Some of the penalties you’re looking at depending on the vertical industry

HIPAA (Health Insurance Portability and Accountability Act of 1996)

Organizations affected include:

  • Health insurers
  • Health care cleaning services
  • Any healthcare provider who transmits health information

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time. (Source: https://www.truevault.com/resources/compliance/how-much-do-hipaa-violations-cost#)

PCI-DSS (Payment Card Industry Data Security Standard)

The DSS portion, the Data Security Standard, is the set of rules placed on anyone who has to follow PCI compliance.

If your company neglects to adhere to these rules and regulations, you could receive a fine of up to $100,000 per month of noncompliance.

GDPR (General Data Protection Regulation)

GDPR compliance violations can rack up hefty fines. Failure to meet these regulations can cost up to 20 million euros or 4% of the total annual turnover of the financial year, whichever is higher.

Application maintenance costs are increasing at an annual rate of 20%, but spending alone can’t solve all of your problems. A past industry survey revealed that at least one-quarter of reported downtime was caused by configuration errors.

How to solve misconfigurations and security compliance?

Misconfigurations persist mostly because the complexity of today’s IT environment makes it difficult, if not impossible, to factor in all the new variables 24/7.

Then you’ve got migrations, upgrades and basic things like keeping up with day-to-day checks, basic but many. Tools that help you manage the workload are not just nice-to-haves; they’re mission critical!

Runecast Analyzer, for example, offers a centralized view of your virtual IT environment’s health and compliance, no matter how complex it is.

By connecting all your vCenters, AWS, Azure and Kubernetes APIs to a single, lightweight Runecast Analyzer virtual appliance, sysadmins can take control from a single dashboard. The Runecast Analyzer engine has fully offline capabilities and can even be upgraded in offline mode. Its patented rules engine uses Artificial Intelligence (AI) and Natural Language Processing (NLP) to automatically discover misconfigurations in your environment that can cause failed security audits or trigger outages.

Originally published at https://www.runecast.com.

Growth Hacker and Essentialist, #Performance and all around Digital Enthusiast, user behaviour analyzer. Love reading, travelling, arts & all things Japanese.