Website security paradox: somebody finally gave it a name, so now it’s official. The paradox refers, in particular, to cash-strapped small-business owners deciding whether to spend money to build an appropriate cybersecure infrastructure, knowing that it will likely fail, and that the company will lose even more money recovering from the cybersecurity incident.

Small businesses are an easy target, suggests Tony Perez, general manager and vice president of GoDaddy’s Security Product Group. In the report Small business website security, Perez references this CNET article and writes, “One in five small- to medium-sized businesses faced a ransomware threat in the last year, costing operators hundreds of millions of dollars. When entrepreneurs contact law enforcement, typically the advice is: Pay it.” (CNET is a sister site of TechRepublic.)

As to the website security paradox, Perez explains:

“Most small-business operators have limited security knowledge and minimal budgets so it leaves them open to attack. But those attacks often cause financial losses.”

So what is the answer: Should you spend money upfront and then likely spend even more money recovering from a cybersecurity incident, or hope for the best and spend what is needed to recover from a cyberattack?

Avoiding cybersecurity spends may create additional issues

The problem is compounded by the fact that cybercriminals and hackers know small-business owners are struggling with this and specifically target them. If the digital bad guys are successful, Perez suggests the victims will be facing the following:

Financial loss: According to Perez, of the 1,000 very small businesses polled, more than half lost money due to a cybersecurity incident, with one in eight admitting the loss was greater than $5,000.

Damage to reputation: The GoDaddy report mentions that three out of 10 participating and victimized small-business owners said they had to inform customers and clients of the incident, and deal with the ensuing loss of trust by the customer.

Blacklist: A compromised website has a good chance of being blacklisted by search engines or internet-security companies. “If that occurs, website traffic plummets as would-be customers no longer see the site in search results,” explains Perez. “It’s the double whammy of website security. First, the hacker steals, then small-business owners can’t make money because their website is invisible to customers.”

The chance of getting blacklisted

According to the GoDaddy report, 10% of the websites cleaned up were blacklisted. That means of the 65,477 infected websites the researchers analyzed, 6,500 were on the list. Perez adds, “Search engines such as Google scan vast numbers of domains for malware, SEO spam, and phishing scams. If a site is deemed suspicious it can damage a business by removing the website from search results.”

Adding insult to injury

Perez believes that being blacklisted adds insult to the injury:

“This is where the paradox grows even deeper. Getting flagged and blacklisted for having malware effectively shuts down a small business’s website; not getting flagged when a website has malware leads to greater vulnerability from hackers.”

The issue Perez is referring to is the likelihood that cybercriminals will continue to manipulate the compromised website, which in turn means more victimized customers, more financial loss, and more damage to the company’s reputation.

Getting off the blacklist costs

The other side of the paradox is that it will cost money to clean up the infected website and get off the blacklist. “Once malware and other malicious software is removed, a website operator must ensure hackers can’t immediately re-enter through a backdoor or compromised passwords,” writes Perez. “It’s then up to the search engine to give the website a clean bill of cyber health, which can take multiple days.”

What’s a small-business owner to do?

This sounds like all gloom and doom, but it does not have to be. Small-business owners need to realize that cybersecurity is not about prevention or eliminating risks, because that isn’t going to happen. “It’s about reducing the risk,” concludes Perez. “It’s understandable that small-business operators handle a lot and it’s hard to make website security a priority. But taking modest steps can make a difference.”

Survey particulars

Researchers at GoDaddy analyzed 65,477 global requests from small-business customers to clean up infected websites from May 2017 through March 2018.

The GoDaddy research team also commissioned the firm Morar to survey 1,012 US small-business operators to understand their activities and perspectives on security. The research, conducted between May 24, 2018, and May 30, 2018, surveyed businesses of five or fewer employees.