What is the Cost of a Hacked Website?
As a marketer, you do a lot.
You’re responsible for branding, collateral, brand awareness, events, partnerships, capturing and nurturing leads, email, social media, content, SEO, advertising, analytics and more.
Whew! That’s a lot – but it’s what you’re good at and what you love (well, most days).
Sometimes, though, you’re also responsible for things that go beyond your expertise – like maintaining your company’s website.
And, when we say maintaining, we’re not talking about managing the content in your CMS or the contacts in your CRM – you’re cool with that (again, most days).
The website maintenance you shouldn’t have to manage includes making sure your site runs smoothly, performs well every day, and is secure from harm.
Sure, when your site occasionally hiccups, you send a ticket off to IT land, it seems to be fixed, and marketing rolls on.
The trouble happens when the hiccup turns out to be a hack.
You might be thinking, “We’ve never been hacked, and it probably won’t happen to us. Anyway, if it does, we’ll have IT fix it.”
Let’s break that statement down.
“We’ve never been hacked, and it probably won’t happen to us.”
If you’ve never been hacked, congratulations! That’s awesome!
Anyone who has been hacked probably isn’t reading this post because they already know the cost and know that it just takes getting hacked once to start managing their website correctly.
Unfortunately, without proper maintenance, your chances of getting hacked are pretty good.
According to the SophosLabs Security Threat Report, “SophosLabs identifies an average of 30,000 newly-infected web pages each day. More than 80 percent of these web pages are on innocent web servers, which have been hacked by cybercriminals to make them part of the problem.”
Website hacks are so prevalent, there’s a roundup post of the most innovative and damaging hacks of 2015.
Hacks are especially common on WordPress, due in large part to the platform’s popularity. Justin Handley wrote an excellent post on why WordPress websites get hacked.
“Anyway, if it does, we’ll have IT fix it”
A hacked website is often not as simple as having IT fix it.
Some of our clients come to us after a back-and-forth between the marketing team and their internal IT team when their website breaks. The IT team removes some malicious code, but doesn’t get it all, so the site temporarily works again. Then, a week later, you’re calling IT to fix it again. They remove malware but haven’t fixed the source of the problem – whatever vulnerability caused the infection to begin with – and it happens again. At this point, the valuable time and expense of the IT team is exhausted as they’re pulled away from other important tasks, and the marketing team seeks outside help from a support company.
Then, by the time you clean up the site and are ready to get back on track, other entities that have discovered you’re hacked might get in the way – like your hosting company or search engines (more on this later).
Why fix what isn’t broken?
Even with strong warnings, most people – especially business leaders – don’t like to fix things that aren’t broken.
If you think your website maintenance plan is broken – or nonexistent – read on to discover the costs of a hacked website and pass them on to your business powers-that-be.
Costs of a website hack
A hacked website costs much more than you can quantify in an invoice, so we’ll outline it here, broken out by hard and soft costs – although there’s a lot of crossover as the soft costs end up costing the company a LOT.
Hard costs of a hacked website
The hard costs are easy to calculate because you get bills and receipts for them.
- The cost for a developer to repair the damage,
- Administrative costs of time spent communicating with your internal team, outside vendors and clients,
- Investment in preventative measures like moving to new hosting and preventative services, and
- Hours your IT team spends investigating, researching and working on the problem.
While easy to add up, those costs are hard on your budget. Now, let’s take a look at the more insidious soft costs.
Soft costs of a hacked website
You may not get a direct bill for soft costs, but they add up. That’s why we’ll spend most of our time here.
Here’s a breakdown of the soft costs of a hacked website.
Let’s start with a cost that waffles between a hard and a soft cost.
Yes, there’s a neat bill for data recovery, but you can’t put a price on the data itself – and its loss can be catastrophic.
The New York Times shares the story of small toy business Rokenbok, which fell victim to ransomware. Hackers held all of Rokenbok’s data for ransom. Rather than pay the ransom, the seven-person team took four days to reconstruct the system. And this wasn’t the first time the company had been hacked.
The article, by Constance Gustke, states:
Focusing on revenue over protection is far from unusual for small companies like Rokenbok. But it is an increasingly dangerous path, experts say. Limited security budgets, outdated security and lax employees can leave holes that are easily exploited by ever-more-sophisticated digital criminals.
While data loss alone is damaging, your data and your customer data can be stolen for malicious purposes, causing exponentially more damage. The companies in this Information is Beautiful interactive graphic on the world’s biggest data breaches can attest to that.
Data loss, like any other ramification of website hacking, leads to the next soft cost.
Loss of Internal and External Confidence
Not only can you lose the trust of current and potential customers from a hacked website; there’s also a lot of finger-pointing.
Your web company points to you for not updating your software, you point to the hosting provider because you thought they took care of the problem, the hosting provider says someone at your company didn’t change the password, and on and on it goes.
“This is often incorrectly placed blame,” WhatArmy Founder Chris Merrill says. “It’s on the business owner to put a risk management plan in place. It’s just like insuring a car.”
Loss of confidence leads to our next cost.
Disruption and Stress
Repairing a hack takes away from other business needs; and, instead of using valuable team members’ time growing the business, you’re using it to stop sinking.
That cool new web project you were pushing to launch in hopes of expanding your business will get pushed further and further out on the calendar as your tech team halts development to fix the website … again.
They’re stressed, you’re stressed and that ripples throughout the organization.
We often discover malware on a site during setup or when a client comes to us for a web project.
“This leads to a minimum of a half of a day of cleanup, which adds cost to whatever project they are doing, and delays it a bit,” WhatArmy Service Director Chad Lord said. “Depending on the degree of infection, things can take longer and can hold up time-sensitive projects.”
For example, a new client signed up with us to have some content added for an upcoming promotion. Chad explains:
We found malware on the site as soon as we gained access to their environment. The last thing you want is to be drawing new visitors to your site and have their first experience be their local antivirus announcing that visiting your site could put them at risk. The promotion was time sensitive so we had to do emergency clean up and then post things to the site as quickly as possible. It pushed things back a day and added a whole new layer of stress to an otherwise simple announcement.
In essence, when your site’s hacked, marketing – and maybe the whole business – grinds to a halt while the site’s malfunctioning from a hack or while it’s down for more repair, which brings us to our next cost.
Loss of Revenue Due to Site Downtime
How many visitors and conversions would you lose if your site was down during peak hours for 1, 2 or even 3 days? This could mean a devastating loss of retail transactions, downloads, or other conversions contributing to your revenue stream.
The hack might cause you to lose access to your site. While that’s stressful, as mentioned above, it’s also costly when employee time equals money out of your business and your site isn’t available to visitors.
Not only could a hacker lock you out of your site; your hosting company could shut down your site if it’s infected, causing more downtime and more lost revenue.
Chad gives an example involving a major hosting provider:
We were contracted to determine why a company’s site was inaccessible. We found that their host ran a scan of their site, found malware, and shut down all access. They would not restore access to allow for cleanup or updates. We had to restore the site to a new location, with a different host, clean it up, and point traffic to the copy of the site to get it up and running. We copied things back to the hosting provider, and it took about a week for the cleaned site to be approved and re-enabled. At that point, we could point traffic back to the original location. In essence, they would have been down for over a week if we didn’t set them up somewhere else temporarily. And they were down for a day before we were even brought into the situation. We have dealt with this exact situation a few times now, and it is expensive and very disruptive.
You know that when visitors can’t access your site or perform the functions they require from your site, you lose leads and can lose customers. You also might have to offer your customers something in return for their dissatisfaction. Then there’s the time that goes into customer support to help them accomplish manually what your site was supposed to automatically provide.
If Google has anything to say about it, you won’t even have the opportunity to lose leads due to a hack, because visitors won’t click to your site from the search results. When your site’s hacked, Google labels your search result as hacked or harmful.
Barry Schwartz highlights the practice in this Search Engine Land post, which states that “between 12 and 14 million search queries per day return warnings that at least one of the results listed in the Google search results were compromised,” and “Google finds about 9,500 new malicious websites every day and sends ‘thousands of notifications daily to webmasters.’”
We’ve had clients come to us after discovering they’ve been hacked by seeing these Google results for their own company.
Chad gives an example of how harmful this can be for your site:
We had one company call us after they noticed that their search results were showing “This site might be hacked” next to their company name. If Google finds malicious code while indexing your site, they will post their findings to the world. This is a huge problem, as everyone who searches for you is basically being warned to avoid your site.
We cleaned it up for them quickly, but you have to wait for Google to update their indexing. Even when you follow all proper channels, it still can take a week or two for Google to actually take down the message – even if you are clean.
All of these costs make it impossible to actually put a number to the damage a website hack can do to your business.
If Your Site’s Been Hacked, Don’t Let it Happen Again
You know the old (and annoying) saying, “fool me once, shame on you. Fool me twice, shame on me.” Don’t be fooled again.
If the source isn’t caught, or if you don’t put proper, ongoing website maintenance in place, you’ll get hacked again. And, with big entities like Google and large hosting providers keeping tabs on your site, hackers aren’t the only ones raising your costs during an attack.
Set up proper website maintenance and support
You’re now armed with the information to avoid devastating damage to your business. Fixing a hack without putting an ongoing website maintenance plan in place leaves you vulnerable to future attacks.
“If you are not patched, then it is like a big red beacon to the world saying ‘Hey come see if you can hack my site.’ If you are patched, they often don’t bother with you,” Chad explains.
Sure, complete remediation to clean up and restore the database will likely take a few billable hours by a technical expert, and a regular website maintenance plan costs $250 a month, but it just takes one hack to realize the value of proper website maintenance and support.