We focus on so many areas of building a business online but seldom do I hear site owners talking about one of the most important aspects: site security. Protecting your digital assets, your customers, your reputation and ultimately your business is vitally important.
Let me start by dispelling some commons myths:
- Your site is not safe just because you keep your FTP info well guarded. Hackers don’t necessarily need a username and password to get into your site.
- SSL (secure socket layer) does not protect your site from hacking. It is only a source of encryption to pass secure data, like credit card numbers. It makes no guarantee as to how data is stored.
- Hosts do not offer adequate protection as part of standard hosting. Hosts have a hard time maintaining security – not because they are incompetent, but because they can’t regulate and control what errors site owners make in loading files and scripts to the server. Site owners make their servers vulnerable. They do the best they can, but there is so much more you can do on your own to protect your site, your business and your revenue.
My goal is not to terrify site owners – but it is to scare them just enough to take action and ensure their security.
My site was hacked 3 times. I lost leads, I lost revenue and I lost a lot of money in cleaning up the mess. I know for a fact that proactive prevention is a lot cheaper than cleaning up after a malicious attack.
I am no security expert, but I have connected with a brilliant one that has been kind enough to share his expertise with me.
So now, let’s get down to it. My interview with Adam Palmer, from SAS Web Security.
Me: Thanks for taking the time to educate my readers on this important topic. Can you explain how you got into this business and tell us exactly what you do?
Adam: My goal is to educate site owners and help them protect themselves. My philosophy is that understanding risk is the first step in mitigating it. What I do sounds a little weird but trust me it works. I ethically hack websites!
<insert Adam’s laughter at my stunned silence>
Adam: What I mean is I try to attack the site (without doing any actual harm) to find all the security flaws and holes that malicious hackers will expose. I do this with the client’s consent and after they’ve been fully informed on my plans. Once I am done with the attack, I provide them with an in-depth summary of all security holes I found. They can give it to their web team to fix or they can choose to hire me to fix it.
Me: Wow, that is really cool. How did you get into that?
Adam: I have spent over 9 years developing applications and working in various web languages and I realized how little the average web site owner or application owner really knows about security. I saw the devastating effects of these malicious attacks and realized I had the knowledge to help people and fill what I consider to be a big gap in this industry. I don’t see enough security information being shared with site owners.
Me: What is the one message you want to get across to site owners?
Adam: Honestly? That they are nowhere near as secure as they think they are. And it’s really true, they invest in so many areas of growing their business but they don’t invest in keeping it secure. More often than not the development team are focused on client satisfaction, and pay no attention to the security implications of their work. The costs to prevent attacks are significantly cheaper than the cost to clean up after an attack. I just want site owners to be aware. They may choose to ignore the information and remain at risk – but at least it’ll be a willful decision and they weren’t uninformed.
Me: Is there anything site owners can tell their web team to ensure they are more secure?
Adam: I outlined it all in my free report. I suggest people download it, read it and share it with their development team. There are 2 levels of proactive prevention. One is to just ensure the developers are practicing safe work on the server and not making mistakes that increase the security threats. The other level is the actual “ethical hack” that I talked about before. That is the best way to get the most thorough security analysis.
Me: What are some of the most common threats site owners face?
Adam: SQL injection is one of the most damaging and most common attacks that exists against web systems. It is an attack directly against a web site as opposed to an attack against the users browsing that site. Cross site scripting or ‘XSS’ is an attack against one or more users browsing a site (as opposed to the server itself). There are so many others, but those are 2 of the most common and damaging.
Me: What does this actually mean though?
Adam: Over 75% of all sites have critical security flaws. By critical we’re talking about the ability for an attacker to download a site’s entire database, modify the database, upload malware on to the site, or attack users that visit the site. This can obviously have devastating consequences.
Me: Wow. What are the best ways to prevent such attacks?
Adam: Ideally, programmers would all be security trained and would write strong and secure code from the start. Unfortunately, that doesn’t always happen. A lot of programmers are either entirely unaware of security considerations, or believe that their code is more secure than it actually is. All site owners should get reliable security scanning, if for no other reason than to establish their current level of security. From there, any weaknesses found can be explained and discussed, and a resolution put in place.
After talking to Adam I have a much better understanding of site security and honestly, I am shocked that sites are so vulnerable. I’m also shocked that more people aren’t talking about this. I hope to get the conversation started and help site owners ensure the safety and security of their website (and business). It’s important that I mention, I do not receive any compensation for recommending Adam’s services and I have nothing to gain. I spend so much time trying to educate people on SEO and copywriting, I thought I should spend a little time ensuring you are aware of the security risks out there and even more importantly ensuring that you know there are specific things you can do to ensure your site is more secure.