The Cost of Getting Hacked

Running any business with an online presence means navigating security requirements, protecting your online assets and your customers’ details.

Unfortunately hacking is a common problem, so website security needs to be considered as an insurance policy. Protecting your online presence means investing in a security plan, and, at the very least, having a clear idea of what to do if you are hacked.

So what does it mean when a website is hacked?

There are various forms of hacking which can affect your online business – so whether you have a standalone website from which prospects can complete a contact form, or you provide an ecommerce online shopping experience, you are at risk of being hacked at one time or another.

Having a security plan is important for all websites, regardless of ....

When a website is hacked there are two common scenarios.

Firstly, the hackers could simply edit your files, or add code into your site that affects visitors and site owners. A virus, spam content..

On the other hand, more serious issues could result in the hack job completely ruining everything on your server, including your content and precious files.

So what are the possible outcomes from these two scenarios?

Firstly, if your files have been edited, or malicious code has been inserted, this should be something that can be repaired without a complete overhaul. However, if the data on your server has been hacked and your entire site is ruined, then you will have to replace your website.

The Cost:

  • Lost income
  • Loss of faith and trust that you are protecting your clients’ information.
  • Customers are less likely to enter details into your site
  • Cleaning up your name in search engine results takes time, and the warnings can scare away potential customers in the meantime.
  • If the site is down, each day it takes to rebuild or get your site back up can also result in lost revenue

Hard costs of a hacked website

The hard costs are easy to calculate. They include:

  • The cost for a developer to repair the damage
  • Administrative costs of time spent communicating with your internal team, outside vendors and clients
  • Investment in preventative measures like moving to new hosting and preventative services, and
  • Hours your IT team spends investigating, researching and working on the problem.

While easy to add up, those costs are hard on your budget. Now, let’s take a look at the more insidious soft costs.

Soft costs of a hacked website

You may not get a direct bill for soft costs, but they add up. Here’s a breakdown of the soft costs of a hacked website.

Data Loss

Let’s start with a cost that shifts between a hard and a soft cost.

Yes, there’s a neat bill for data recovery, but you can’t put a price on the data itself – and its loss can be catastrophic.

The New York Times shares the story of small toy business Rokenbok, which fell victim to ransomware. Hackers held all of Rokenbok’s data for ransom. Rather than pay the ransom, the seven-person team took four days to reconstruct the system. And this wasn’t the first time the company had been hacked. The article, by Constance Gustke, states:

"Focusing on revenue over protection is far from unusual for small companies like Rokenbok. But it is an increasingly dangerous path, experts say. Limited security budgets, outdated security and lax employees can leave holes that are easily exploited by ever-more-sophisticated digital criminals."

While data loss alone is damaging, your data and your customer data can be stolen for malicious purposes causing exponentially more damage. The companies in this Information is Beautiful interactive graphic on the world’s biggest data breaches can attest to that.

Data loss, like any other ramification of website hacking, leads to the next soft cost.

Loss of Internal and External Confidence

Not only can you lose the trust of current and potential customers from a hacked website; there’s also a lot of finger-pointing. Your web company points to you for not updating your software, you point to the hosting provider because you thought they took care of the problem, the hosting provider says someone at your company didn’t change the password, and on and on it goes.

"This is often incorrectly placed blame," WhatArmy Founder Chris Merrill says, "It's on the business owner to put a risk management plan in place. It's just like insuring a car."

Loss of confidence leads to our next cost.

Disruption and Stress

Repairing a hack takes away from other business needs; and, instead of using valuable team members’ time growing the business, you’re using it to stop sinking. That cool new web project you were pushing to launch in hopes of expanding your business will get pushed further and further out on the calendar as your tech team halts development to fix the website … again. They're stressed, you're stressed and that ripples throughout the organisation.

We often discover malware on a site during setup or when a client comes to us for a web project. "This leads to a minimum of a half of a day of cleanup, which adds cost to whatever project they are doing, and delays it a bit," WhatArmy Service Director Chad Lord said, "Depending on the degree of infection, things can take longer and can hold up time-sensitive projects."

For example, a new client signed up with us to have some content added for an upcoming promotion. Chad explains:

"We found malware on the site as soon as we gained access to their environment. The last thing you want is to be drawing new visitors to your site and have their first experience be their local antivirus announcing that visiting your site could put them at risk. The promotion was time sensitive so we had to do emergency clean up and then post things to the site as quickly as possible. It pushed things back a day and added a whole new layer of stress to an otherwise simple announcement."

In essence, when your site's hacked, marketing – and maybe the whole business – grinds to a halt while the site's malfunctioning from a hack or while it's down for more repair, which brings us to our next cost.

Loss of Revenue Due to Site Downtime

How many visitors and conversions would you lose if your site was down during peak hours for 1, 2 or even 3 days? This could mean a devastating loss of retail transactions, downloads, or other conversions contributing to your revenue stream. The hack might cause you to lose access to your site. While that’s stressful, as mentioned above, it’s also costly when employee time equals money out of your business and your site isn’t available to visitors.

Not only could a hacker lock you out of your site; your hosting company could shut down your site if it’s infected, causing more downtime and more lost revenue.

Chad gives an example involving a major hosting provider:

"We were contracted to determine why a company's site was inaccessible. We found that their host ran a scan of their site, found malware, and shut down all access. They would not restore access to allow for cleanup or updates. We had to restore the site to a new location, with a different host, clean it up, and point traffic to the copy of the site to get it up and running. We copied things back to the hosting provider, and it took about a week for the cleaned site to be approved and re-enabled. At that point, we could point traffic back to the original location. In essence, they would have been down for over a week if we didn’t set them up somewhere else temporarily. And they were down for a day before we were even brought into the situation. We have dealt with this exact situation a few times now, and it is expensive and very disruptive."

You know that when visitors can’t access your site or perform the functions they require from your site, you lose leads and can lose customers. You also might have to offer your customers something in return for their dissatisfaction. Then there’s the time that goes into customer support to help them accomplish manually what your site was supposed to automatically provide.

If Google has anything to say about it, you won't even have the opportunity to lose leads due to a hack, because visitors won't click to your site from the search results. When your site’s hacked, Google labels your search result as hacked or harmful.

Barry Schwartz highlights the practice in this Search Engine Land post, which states that "between 12 and 14 million search queries per day return warnings that at least one of the results listed in the Google search results were compromised," and "Google finds about 9,500 new malicious websites every day and sends ‘thousands of notifications daily to webmasters.’"

We’ve had clients come to us after discovering they’ve been hacked by seeing these Google results for their own company. Chad gives an example of how harmful this can be for your site:

"We had one company call us after they noticed that their search results were showing ‘This site might be hacked’ next to their company name. If Google finds malicious code while indexing your site, they will post their findings to the world. This is a huge problem, as everyone who searches for you is basically being warned to avoid your site. We cleaned it up for them quickly, but you have to wait for Google to update their indexing. Even when you follow all proper channels, it still can take a week or two for Google to actually take down the message – even if you are clean."

All of these costs make it impossible to actually put a number to the damage a website hack can do to your business.

If Your Site’s Been Hacked, Don’t Let it Happen Again

You know the old (and annoying) saying, "fool me once, shame on you. Fool me twice, shame on me." Don’t be fooled again.

If the source isn’t caught, or if you don’t put proper, ongoing website maintenance in place, you’ll get hacked again. And, with big entities like Google and large hosting providers keeping tabs on your site, hackers aren’t the only ones raising your costs during an attack.

Set up proper website maintenance and support

You're now armed with the information to avoid devastating damage to your business. Fixing a hack without correcting your website maintenance process with an ongoing website maintenance plan leaves you vulnerable to future attacks. "If you are not patched, then it is like a big red beacon to the world saying 'Hey come see if you can hack my site.' If you are patched, they often don't bother with you," Chad explains.

Sure, complete remediation to clean up and restore the database will likely take a few billable hours by a technical expert and a regular website maintenance plan costs $XXX a month, but it just takes one hack to realize the value of proper website maintenance and support.