What happens when a large organization faces DDoS attacks, software failures, or even a company-wide hack? While the direct costs of unplanned downtime are easily visible, organizations should not underestimate the indirect, or hidden costs of digital failures. Therefore, it’s important to be prepared for the unexpected, rather than focusing all attention on preventing unplanned downtime.

Unplanned downtime

Last month, Netflix released a documentary series about the Ashley Madison data breach. Ashley Madison, a commercial dating website aimed to enable extramarital affairs, was shut down after an unknown person or group called ‘The Impact Team’ threatened to expose the identity of the website’s users.

The owners of the website didn’t cave, which led the so-called Impact Team to release more than 60 gigabytes of company data, including the real names of the users, home addresses, search history, and chats. Security researchers found poor security in the website’s source code, together with made-up cybersecurity certifications. Additionally, the $19 fee that users paid to erase their data completely ended up directly in the company’s profit – without any data actually being deleted.

After the hack, the website went live again – and it remains operational today with more than 70 million members, according to a 2020 report. Whether the Ashley Madison hack turned out to be detrimental for the company in the long run can therefore be disputed. Undoubtedly, it was disastrous for the users whose data was published for everyone to access.

Costs of downtime

While Ashley Madison might be an extreme case, it shows that unplanned downtime has a large range of consequences – both directly in the form of lost revenue, and indirectly in the form of a tarnished brand reputation, diminished shareholder value, and delayed time-to-market. And unplanned downtime is no rare occasion: annually, Global 2000 companies lose $400B, or 9 percent of profits, when digital environments fail unexpectedly, Splunk released in their report The Hidden Costs of Downtime.

Unsurprisingly, revenue loss is the number one cost. Due to downtime, lost revenue was calculated as $49M annually, according to the report, and it can take 75 days for that revenue to recover. The second largest cost is regulatory fines, averaging $22M per year, while missed SLA penalties come in third at $16M.

Cyberattacks drain budgets too. When experiencing a ransomware attack, 67 percent of surveyed CFOs advised their CEO and board of directors to pay up, either directly to the perpetrator, through insurance, a third party, or all three. The combination of ransomware and extortion payouts costs $19M annually.

This also causes innovation to slow down: 74 percent of technology executives surveyed experienced delayed time-to-market, and 64 percent experienced stagnant developer productivity. After unplanned downtime, teams had to shift from high-value work to applying software patches and participating in postmortems, leading to a loss in productivity.

Recovery time

The cost of downtime in Europe reaches $198M, according to the report. Due to stricter rules on workforce oversight and cyber regulation, European organizations paid more than American organizations in both overtime wages ($12M) and in recovering from backups ($9M). Geography also shapes how quickly an organization recovers financially post-incident, the report showed: Europe and APAC hold the longest recovery times, while companies in Africa and the Middle East recover the fastest.

This makes it clear that CISOs should not only focus on preventing unplanned downtime but also on reducing recovery time. Be prepared for the unexpected: this will not only save you significant revenue loss but also give your organization less unwanted media attention and a better customer experience, thereby shielding you from those hidden costs a bit more.