By: Bryan Halda, Solutions Architect
Elizabeth Whitney, Technical Editor
According to the Federal Emergency Management Agency (FEMA), a full 40% of small businesses do not reopen following a disaster, and 25% of those that do reopen fail within a year. You know disaster planning is key to recovering quickly and efficiently from a disaster, but the business never quite follows through on allocating the resources needed. Below are some statistics and resources to help you make the business case for disaster planning.
Before we get started: a disaster causes a significant business interruption and can be natural, such as hurricanes, floods, or wildfires, or man-made, such as cyber-crime or market crashes.
Natural and Man-Made Disasters
Natural disasters are becoming all too frequent. According to the National Oceanic and Atmospheric Administration (NOAA), 2017 was the costliest year on record: 16 billion-dollar disasters hit the US, costing in excess of $300 billion. Residents of Houston, Texas, know firsthand the devastating effects of natural disasters: Hurricane Harvey, which made landfall on Texas’s gulf coast in August 2017, cost over $125 billion, second only to Hurricane Katrina. NOAA has been tracking weather and climate disasters since 1980, during which period Texas has been subject to every type of major disaster, including droughts and heat waves, winter storms, tropical cyclones, flooding, wildfires, and severe local storms. In fact, NOAA reports that over the past nearly 40 years, the southern US has experienced the highest costs from damages caused by natural disasters.
In June 2018, insurer Lloyd’s released its City Risk Index, which finds that man-made threats, including cyber-crime, interstate conflicts, and market crashes, comprise a larger economic threat than natural disasters. Houston and Dallas both made the top-10 list of North American cities at risk, and their costliest threats are flood and market crash, respectively.
Reinsurer Swiss Re puts global insured losses from natural and man-made disasters in 2017 at just over $330 billion, which it notes is the highest ever recorded in a single year.
Cyber-attacks are also becoming more common. According to a recent report by internet security company Malwarebytes and Osterman Research, mid-sized companies (500–999 employees) suffer the greatest losses from cybercrime, and these crimes are frequent. In 2017, US businesses experienced an average of one attack every six months.
The US, in particular, is facing increased cyber-crime activity and associated costs. According to Kaspersky Lab’s 2018 edition of its annual B2B survey, North American companies face the highest costs related to data breaches: enterprises face price tags of $1.6 million per incident, while SMBs pay an average of $149,000.
The 2018 Cost of a Data Breach Study, by IBM Security and Ponemon Institute, finds that the average cost per lost or stolen data record is $148 (a 6.4% increase over last year), but the average cost savings with an incident response team is $14 per record. Likewise, the use of encryption reduced the per-record cost by $13. Conversely, the time to detect and contain a cyber incident has increased over the last year, which means higher costs. The study estimates that companies that take longer than 30 days to contain a breach pay nearly $1 million more to recover operations.
In a forthcoming white paper, Osterman Research finds that 65% of the security and compliance professionals surveyed confirmed that their organization was the victim of a successful cyber-attack in the last year. At the same time, less than a third felt their end-user training programs were sufficient, and a full 42% felt their ransomware defenses were inadequate. Attempting to keep pace with cyber-threats, though, the report finds that cybersecurity budgets will increase by an average of 7.4% in 2018.
The Costs of Downtime
The hidden costs of a disaster can be just as devastating. The loss of productivity is difficult to measure but can be loosely calculated as the hourly cost of downtime across your staff, i.e., the salaries you are obligated to pay in full even if your employees are only able to perform at half capacity due to IT outages. At the same time, lost productivity has cascading effects on brand reputation and customer confidence, which impacts a company’s bottom line.
A 2017 Osterman Research study finds that smaller businesses (fewer than 1,000 employees) that experienced ransomware attacks experienced 25 or more hours of downtime, costing an average of $100,000 per incident. This very real threat is a serious drain on information security budgets.
Fortune magazine analyzed 2,000 large corporations and 4,000 of their suppliers to get at the down-stream effects of natural and man-made disasters, or “shocks,” which highlights the interdependencies of production networks. The study found that while supplier firms hit by a shock experienced an average 5% dip in sales growth, their customers also experienced an average 2% drop in sales growth and a 1% drop in equity value. So, even if you’re out of the path of the storm, you could still feel the long-lasting and far-reaching effects of the disaster incident.
Start preparing today. Don’t wait until disaster strikes to consider how you will recover operations. Now is the time to take the first step.