Identity Access Management Disasters:
The True Cost of Downtime
Based on an interview with Kayla Williams, CISO @Devo.
We’ve done some homework on the subject and are ready to take you on a ride through the dynamic, and occasionally detrimental, experience of identity access management disasters.
If your business has been left untouched so far, you might assume that IAM catastrophes happen only to the unlucky few. The truth is they can bring even the mightiest operations to fully fledged business continuity disruption, disrupting your operational flow, from workflows to full-scale system failures.
Let’s delve into some revealing statistics.
According to research, a whopping 96% of key stakeholders have experienced some form of business downtime.
In fact, 1 out of every 5 businesses has experienced downtime in the last three years. What’s more, IT managers and decision makers alike have fallen victims to at least one downtime event that affected business continuity.
We’re about to present some significant data, courtesy of the insights from Business Wire. They report that over 60% of failures result in losses exceeding $100,000. That number has shot up since 2019, and the stakes keep getting higher.
The share of outages costing over a million dollars has jumped from 11% to 15% in that same period.
Those are some pretty sizable numbers to swallow, and organizations simply can’t afford to experience the negative impression and impact downtime has on business agility.
CISOs and risk managers are taking more proactive measures in identifying the risk and financial costs associated with downtime or disasters, especially when it comes to evaluating the resources in place for Identity Access Management (IAM). Beyond financial loss, the impact on your brand and productivity are critical. Understanding the different aspects and ways to quantify the potential loss.
We’re here to shed some light on the situation and help you understand just how much impact downtime can have on your business agility.
Enter the scene:
CISO extraordinaire, Kayla Williams from Devo. We had a chance to catch up with her and get a breakdown on some of the most critical financial costs that IAM disasters can turn out.
Starting with the dollar value of a customer, and ranging to the cost of manpower required to ensure recovery, nearly every element of financial and business continuity are impacted, and preventative action is now an organization’s responsibility.
Financial Implications of IAM Disasters
A recent study looked at the stocks of 28 companies that suffered breaches affecting a million people or more.
Astoundingly, these companies actually underperformed the market in the long run. Painful.
We’re referencing breaches from as early as the TJ Maxx incident in 2007 and the Royal Bank of Scotland breach in 2008, all the way up to more recent ones involving Under Armour and Equifax. These breaches didn’t just cause momentary dips in stock prices. According to the study, companies hit their lowest point in share prices roughly 14 market days after a breach.
Talk about a lasting impact.
Building a customer base is a process and one that can take years of financial investments and marketing resources.
Maintaining a loyal customer base isn’t just about ensuring products and services are available and viably meet market needs. Your brand reputation and the security of customer data are your springboard to retaining and extending the lifetime value of clientele. One of the most clear examples of financial loss with downtime depends heavily on both how your customer data and user access and experience are impacted.
Williams shares that if, for example, the financial value of your customer equates to roughly $250 million, depending on your risk tolerance, your downtime could have a catastrophic impact on ROI and brand reputation.
According to a 2021 report, the average period for downtime following ransomware attacks is approximately 20 days. Imagine what nearly three weeks of recovery time could do to your business continuity, particularly with the weight of customer value reaching millions of dollars. To add to the open wounds, 30% of businesses surveyed indicated they needed more than a day for disaster recovery, which is plenty of time for customers to experience the financial and operational impact of your outage.
Think of organizations in industries like finance, insurance, law investigations, and government that rely heavily on data for investigations accessed through your platform.
Their losses could be painstakingly high.
To be truly prepared for disaster recovery, over and above creating a strategic plan, from communication and stakeholders, to actionable tasks, and procedures, organizations need to do their math homework by identifying their risk tolerance levels and evaluating potential loss.
Williams emphasizes that if losing a $250 million customer as a result of an outage is a financial risk that could bring your business to bankruptcy, having a disaster recovery plan and solution in place isn’t just a paddle in a sea of technological chaos – it’s a lifeboat.
The Impact on Brand and Reputation
Let’s switch gears for a moment and talk about brand and reputation.
In this age of social media domination, it’s crucial to understand just how much disaster recovery affects your brand. IDC’s Worldwide State of Data Protection & DR Survey shares that an alarming 40% of IT disruptions actually damage brand reputation, plus over 40% of companies lose critical data due to outages.
Your PR nightmare might just be waiting to happen.
But here’s the kicker.
You can’t just blame your third-party tools and vendors for these disasters.
There are no more scapegoats when clients interface directly with you.
Taking full responsibility is the only fair play on the field.
Customers won’t hesitate to abandon your services if they read concerning negative reviews.
The whole pointing fingers act and saying,
“it’s not my fault, it’s my vendor’s” simply doesn’t fly with customers, said Kayla.
In fact, a staggering 60% of customers abandon vendors based on those dreaded negative reviews, with 78% of purchasing decisions influenced by social media. And if your business reputation score rises from average to excellent customers can gain over 3 times the trust in vendors. Customer experiences are transparent, online, and have massive impact, never to be underestimated.
Williams also insightfully and cautiously notes that despite owing or promising customers rebates for downtime based on contracts, if you’ve lost the customer’s trust, you might have lost the customer.
The painful truth is people talk, and Williams humbly notes that the security industry is a web of intertwined networks within which word gets around quickly.
Any fiascos will be the talk of the town sooner than later.
Customers share their experiences with industry peers, and negative impact on business somehow reaches watercooler conversations, on and offline, faster than imaginable.
The cost of downtime extends far and beyond just your customers and their productivity.
Your productivity losses aren’t just visible, they are concretely measurable.
Try some of these painfully expensive statistics on for size that will pinch the “P” in productivity:
- Over 50% of outages result in productivity loss.
- Over 90% of enterprises tell us that downtime expenditure can reach over $300k per hour, and just shy of 45% of enterprises can reach outage costs of $1 million per hour.
- While just under 20% of enterprises can hit a whopping $5 million per hour cost with outages.
Disasters in your IAM system can directly impact internal productivity.
Organizations that depend on developer apps and IT resources could experience a full stop to operations if an outage occurs. Williams shared one way to quantify productivity loss if we consider the dollar value of a full-time employee (FTE) in the US.
If a few years ago every head counted averaged $100,000 per year, then with the current market conditions and inflation, we can expect this number to have gone up. If software engineers can’t access platforms for dozens, or even hundreds of hours, multiply that number by your headcount.
Sadly, you could be looking at millions of dollars with dozens of employees twiddling their thumbs.
IT failures can cost employees just under 550 hours of productivity loss every year.
To add to the staggering stats, over 50% of employees indicated waiting several hours, (if not days), for resolution and rectified operational access, especially with remote work increasing. Even though Human Resources doesn’t always have the tools to track losses associated with internal productivity, the direct impact is clear when numbers drop and output is lacking.Bottom line: if productivity pauses, revenue is directly affected.
The trickle down effects are as far reaching as going back to customer satisfaction and brand reputation.
The Importance of Business Impact Assessment (BIA)
Let’s leave all the fear factors aside, and think about action.
Conducting a business impact assessment (BIA) is one of the best and most accurate ways to quantify and manage the risks of outages and disasters. Organizations identify critical business functions and mission critical assets that directly depend on IAM systems and access, while also evaluating potential impact of downtime on productivity and the element of operational workflows that rely on IAM.
Comprehensive BIAs include an analysis of the costs associated with downtime, including financial, legal, regulatory impacts and fines, reputational, relational, and productivity losses.
The impacts of IAM disasters are profound, affecting not just financial stability but brand reputation and operational efficiency. Proactive measures, like conducting a Business Impact Assessment (BIA), are essential in navigating these challenges and safeguarding business continuity.