No one wants to have their website hacked — that much goes without saying. There are a number of obvious costs associated with a major website security breach: having to recover your website, reset all your passwords, and notify customers of a potential breach can be time-consuming and costly from a labour standpoint. But having your website hacked can also have additional indirect costs, ones that you may not have considered.
The consequences of losing control of your business website are far-reaching and long-lasting. We’re not saying you should live in fear — but if you know what can happen, then you’re better equipped to protect yourself, and stay one step ahead of hackers. In the world of web security, an ounce of prevention is worth a pound of cure.
You can probably guess some of the direct costs associated with having your website hacked. Foremost in the mind of any business owner is the time and money required to either assign existing staff to the task of restoring the website, or to hire an agency and liaise with them while they perform that work.
The immediate up-front costs of having your website hacked include:
- Your time (and the time of your employees)
- Employee wages for time spent on recovery activities
- The cost of a security audit or emergency recovery from an agency
- The cost for full website remediation services
When your website is hacked, you may not discover exactly what happened until well after the fact. Your first signal that something is wrong might come from an employee who notices an error on the site, or worse, from a customer. An initial security audit from an experienced agency is often necessary to assess the situation. At WordZite, we charge a flat rate for an audit to pinpoint exactly what’s happening, and assess the severity of the threat.
Once we’ve figured out where the problem originates, remediation costs can run you anywhere from $2000 to $5000, depending on the complexity of the issue. Remediation is the process of clearing up the security issue, restoring your site to a clean backup, resetting passwords and logins, and reconfiguring or implementing firewalls. Sometimes the process also involves communicating with third parties such as other software service providers to indicate that your site is safe to work with, or to get your site removed from blacklists. All this work can take days or even weeks.
By contrast, a comprehensive security plan from WordZite, including threat and performance monitoring, starts at just $250 per month. Go to any other agency worth its salt, and you’ll find similar prices.
Besides, we’d much rather just charge you the monthly fee than have to scramble to revive your website in an emergency.
Getting your website fixed after a security breach carries a hefty price tag, but smart business owners always budget for emergencies. The real cost of having your website hacked lies less in the numbers and more in the way it affects your business’ reputation.
Perhaps the most severe cost of having your website hacked is the blow to your reputation. If the security breach is severe and widespread enough that it affects your customers, this obviously reflects poorly on your company and your ability to keep your assets secure. If customers feel you can’t be trusted to keep their information safe, they’ll take their business elsewhere. Those customers might tell their friends to avoid you, as well.
The reputation of your website doesn’t just affect how your customers see you. Your suppliers, including other software providers whose products you use to run your business, may also become reluctant to work with you. Third-party suppliers have their own cybersecurity policies and procedures to follow, and in many cases those policies might forbid them from making deliveries or providing services to your company until the issue is resolved. If your business uses third-party software in its website or operations, you may be at risk of being disconnected from those services until you can prove that the security threat has been resolved. In this extreme situation, your operations could grind to a complete halt.
If your site is hacked, your domain and/or the IP address for your server may also be added to one of many internet blacklists that are used to monitor and control spam and other malicious activities. This has repercussions that extend beyond just your website. A blacklisted domain may not be able to send and receive emails because the recipient mail servers may reject emails coming from a domain that is seen to be untrustworthy. When this happens, you may not even be able to communicate with your clients and suppliers to let them know you are experiencing a temporary issue. Removing a site from a blacklist is another costly and time-consuming endeavor — and even if you are able to get your name removed from the list, you then have to consider the negative impact on your organic rankings and ad traffic.
Reputation costs go hand-in-hand with opportunity costs. Google employs its own antivirus and malware scanners, so it will find out when a site has been breached. When Google’s crawlers find malware or a harmful script on a website, the search engine will immediately start issuing a big, red “unsafe website” warning to users. This is followed shortly thereafter by a drop in organic rankings and the disabling of any associated ad campaigns running via Google Ads.
If the first thing a new visitor sees when they go to your site is a big warning from Google that your site is “unsafe,” chances are they’re going to immediately click away. This loss is hard to quantify, but if you want to do the math, you can add it up like this:
(average number of inquiries you receive per day) × (the closing rate) × (the average value of a sale) × (the number of days your site remains “unsafe”)
For most of our clients, this adds up to tens of thousands of dollars in lost opportunities.
Exactly how quickly all this happens depends on how frequently Google crawls and reindexes your site. Regardless, if your site drops in search engine rankings, you will get less traffic. Less traffic means fewer leads. Fewer leads mean fewer sales. The same goes for ad traffic, which will drop to zero while your campaigns are disabled. And then you are confronted with slow-moving, pedantic correspondence with Google Ads’ compliance department. Believe us when we say that you do not want to get on their radar. It’s a painful process.
We’ve been through this with clients in the past. It’s no fun. It takes a lot of time and effort, and once our work is completed, a site’s rankings and ad campaigns may never regain their previous level of performance. Needless to say, the long-term opportunity costs can be financially devastating.
Finally, if your business is in a regulated industry or deals with highly sensitive personal information — such as in finance, law, or healthcare — you have regulatory affairs to consider. Many industry regulatory bodies have strict guidelines for cybersecurity and web security compliance. If your website falls victim to a breach, then not only will you be dealing with reputation and opportunity costs, but your business licensing may fall into question. You may lose your license and be forced to resubmit for approval, or you may be forced to undergo an audit of your internal quality system, and potentially spend time overhauling your internal procedures. On top of that, there is federal and provincial legislation surrounding cybersecurity breaches: if customer information was compromised, you could be looking at some very heavy fines.
In summary, the indirect costs of a website security breach can include:
- Existing customers no longer wanting to do business with you
- Loss of potential sales leads
- A drop in search engine rankings and organic traffic
- Your ad campaigns being disabled
- Your domain being blacklisted
- Loss or lapse of regulatory licensing
- Potential federal fines if customers’ personal information was jeopardized
- Loss of integration with necessary third-party plugins or apps
- Loss of brand credibility in a competitive marketplace
All this sounds scary — and it is — but it’s not really that hard to do your part to mitigate the risk. It’s not your job to know all the ins and outs of website security. But as a business owner, you do have a responsibility to ensure that your site, and by extension, your brand, is secure. This means making sure that the people who manage and secure your website know what they’re doing. It’s on you to vet your supplier by asking them all the necessary questions related to WordPress security. If you’re not sure where to start, contacting us is a great first step! WordZite is an experienced agency staffed with highly skilled web experts, and we’re happy to help.