Security compliance checks
Warren Buffett said: "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."

It feels like since the onset of COVID-19, every business in the world has been living through those crucial five minutes. The pressure to adapt, pivot and deal with the effects, added to their customers' massive expectations that they be stellar in every way, has been enormous.

One of the big buzzwords of this equation has been "digital transformation". But what has that really meant so far?

For some, it meant taking marketing and sales operations from offline to online, introducing automation and building tech stacks, all at breakneck speed.

For others, it meant supercharging the IT infrastructure so that large workforces could work remotely in a secure way, ensuring enough capacity and 100% uptime for exponential traffic growth, and, again, security, security, security. Streaming services and gaming companies have literally exploded, and while the opportunity for revenue was definitely booming, so were the challenges of delivering and living up to expectations.

What are you looking at in terms of damages?

Reputational loss: Reputation is perhaps the most important asset a company has, and it is very difficult to protect. Losses emerging from reputation damage can be a greater risk to the company than any other and are practically incalculable.

Brand damage: This is one of the most difficult impacts to quantify. Brand damage can also result in a loss of consumer trust, and that trust can be very difficult to regain.

Compliance fines: Compliance fines vary depending on the nature of the breach.

Privacy regulatory defense and penalties: Claims are made after a breach by various parties, particularly consumers and banks, and legal defense expenses arise when companies defend against those claims. According to the 2015 NetDiligence Cyber Liability and Data Breach Insurance Claims Study, the average cost of legal defense was $500,000, while legal settlement costs averaged around $1 million per incident.

What are the costs of misconfigurations?

Many in the IT industry would agree that outages and downtime are very bad for business. Bad service means hits to service reputation, amplified via social media, that can remain financially harmful even after remediation.

The IT Process Institute's Visible Ops Handbook reported that "80% of unplanned outages are due to ill-planned changes made by administrators ("operations staff") or developers" (Visible Ops).

Enterprise Management Associates reported that 60% of availability and performance errors are the result of misconfigurations.

Now for the numbers...

Web application downtime can cost companies $10,000 per minute and up.

(Chart: the average hourly cost of enterprise server downtime, worldwide, 2019)

What are the costs of failing a security compliance audit?

Besides the significant and obvious hit to the basic logistics the business needs in order to function, the organization loses credibility and suffers a reputational loss, which has an immeasurable impact on the bottom line.

Target's 2013 cyber attack is a cautionary tale. The retail giant went from being one of the top 10 brands ranked by BrandIndex to number 21 by January of 2013, just months after its data breach was announced. Besides declines in sales, the company then spent significant money on various campaigns to regain the lost brand recognition.

In the Target incident, 40 million credit and debit card numbers and 70 million records of personal information were stolen.

The company had to pay an $18.5 million multistate settlement, the largest ever for a data breach, but the total cost of the incident is said to have been over $202 million (the consumer class actions were still ongoing in 2017).

Some of the penalties you're looking at, depending on your vertical industry:

HIPAA (Health Insurance Portability and Accountability Act of 1996)

This type of compliance audit covers businesses such as:

  • Health insurers
  • Health care clearinghouses
  • Any healthcare provider who transmits health information

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time. (Source: https://www.truevault.com/resources/compliance/how-much-do-hipaa-violations-cost#)

PCI-DSS (Payment Card Industry Data Security Standard)

Payment Card Industry (PCI) compliance is a set of regulations developed to ensure that the credit card industry properly manages and secures customer data.

The DSS portion of this audit, the Data Security Standard, is the set of requirements placed on anyone who must be PCI compliant.

If your company neglects to adhere to these rules and regulations, you could receive a fine of up to $100,000 per month of noncompliance.

GDPR (General Data Protection Regulation)

The EU's General Data Protection Regulation is one of the most comprehensive government-imposed data privacy frameworks implemented to date. It applies both to European companies and to any company that processes the personally identifiable data of European citizens.

GDPR compliance violations can rack up hefty fines. Failure to meet these regulations can cost up to 20 million euros or 4% of the total annual turnover of the financial year, whichever is higher.

How do you solve misconfigurations and security compliance?

Manual work is definitely not the answer!

Mostly because the complexity of today's IT environment makes it difficult, if not impossible, to factor in all the new variables 24/7.

Application maintenance costs are increasing at an annual rate of 20%, but that spending can't solve all of your problems: a past industry survey revealed that at least one-quarter of polled downtime was caused by configuration errors.

Then you've got migrations, upgrades and basic things like keeping up with day-to-day checks: basic, but many.

Runecast Analyzer offers a centralized view of your virtual IT environment's health and compliance, no matter how complex it is.

By connecting all your vCenters, AWS accounts and Kubernetes APIs to a single, lightweight Runecast Analyzer virtual appliance, you can take control from a single dashboard. The Runecast Analyzer engine is fully offline-capable and can even be upgraded in offline mode. Its patented rules engine uses Artificial Intelligence (AI) and Natural Language Processing (NLP) to automatically discover misconfigurations in your environment that can cause failed security audits or trigger outages.

Our customers and partners tell us that, once they tried Runecast Analyzer, they couldn't afford NOT to use it in their tech stack.