First, I don't know much
about the business relationship, so this is all speculation. But I do see
opportunity for $$, justified (pardon my politics) by fear, uncertainty and
doubt about security. After all, they were hacked, files missing, and down for
over a day. Who knows what else? Forensics was not performed, only recovery.
You said you manage the site.
I presume you get paid. They didn't pay you enough to keep current with
software versions. Their bad. But that is tempered by the understanding they had
when they entrusted the site to you: do you 'own' the security? Did you give
them assurances? Or was it overlooked and now a problem?
If you have time (if you
don't, subcontract it), figure out what needs to be done to update the box to
current standards, including the web pages/apps (if you do those, or even if
not) and send them a total estimate. They will 'negotiate', but mostly they
need to understand: _this_must_be_done_ to prevent recurrence. They will pay if
the website draws business to them (read: $$$$). Temper this
suggestion by how important it is to them.
I see money in your future with a serious
reason for doing so [security]. Please include a monthly fee to stay current on
software/apps (15-20% maintenance). You will take care of them better if they
pay as a monthly customer, your relationship will be more important both
If you are doing it for a
co-worker/friend/family or such, then I wouldn't be so harsh. But for arms
length business arrangements, I'd say cha-ching. And it would be money well
spent (on both sides).