While large enterprises have unlimited budgets to deal with cyber attacks, SMBs, who are the targets of almost half of the attacks, lack the resources to defend themselves. That’s where SiteLock comes into focus, providing affordable, powerful cybersecurity software solutions, designed for small to midsize businesses. In this interview, SiteLock CEO Neill Feather discusses the threats that non-protected websites impose on SMBs, and offers some useful advice on how to get your business prepared for the challenges ahead.
Please describe the story behind SiteLock. What sparked the idea, and how has it evolved so far?
We started Sitelock back in 2008. At the time it felt like there were options for security for large businesses, but very little available for small companies, and they were kind of left out there. So we wanted to be able to create something that would give small businesses the means to protect themselves. We wanted to build products that were easy to understand, affordable, and really address the specific needs of small businesses. A lot of them are not necessarily building big data centers and things like that, so some of the security products that enterprises use are less applicable to small businesses. So we wanted to build solutions specifically for them.
We spent the first several years building products to help protect small business websites. We had products that identified and removed malware automatically, and we’re still the only ones who do that automatically. We also can identify and patch vulnerabilities in websites automatically; and then we offer products to help block attacks against websites, like a web application firewall.
Lately, we’ve also been expanding our offerings outside of just protecting websites. One thing that we offer now is a VPN, so people can work remotely in a secure manner.
Two weeks ago, we launched a security awareness training product, which has been really well received. Especially at this time, where so many people are working from home for the first time, they really need some help in understanding how to protect themselves in a world that is technology-based.
Those are some areas where we expanded recently. We also launched a website backup product about two months ago and we’re expanding this operation as well. What we really want to be able to do is protect small businesses and be their trusted security advisor across their business. And so when we think about doing that it means reviewing the sources of technical compromises. For many SMBs, this has been the employees. So how do we protect those employees? through VPN and fast remote access as well as security awareness training. We continue to expand those offerings to help small businesses protect themselves.
Here’s a preview of the SiteLock dashboard:
What are the current threats that SMBs running a website should be aware of?
I think a lot of small businesses have built very strong relationships with their customers and that’s why people like working with them; because they get that connection that you might not get with a large corporation. And so the foundation of that relationship is trust that the small business has established with their customers over time.
Working with SMBs, one of the areas where we see damage happen is when a business website gets compromised, exposing their customers’ data to malicious actors who, in turn, use that data for spam campaigns, stealing passwords or whatever they are after. That can really damage the trust between a business and its customers. Especially for small businesses that can be very difficult to recover from, because once someone has experienced a breach, it definitely damages the trust and they are pretty unlikely to come back. Research shows that over half of people won’t go back and conduct business with someone who’s lost their information or have suffered a breach. I think that’s even more impactful for small businesses because there are so many options out there. If Target suffers a breach, everybody will worry about it for a little bit and then still go back to Target because there’s one on every corner. But it may not be the same for small businesses where there are lots of alternative options.
Some security breaches are so sophisticated, they remain undetected for years. What are the best ways to find out if a website or app has been hacked?
I think a lot of small business owners are not even looking for breaches, so a lot of that can go on and they may not know about it. So the first thing we would say is to make sure you’re scanning your platform and you know what’s supposed to be out there. Obviously we have products that help with that. You could also go look at it yourself and try to find out. If you don’t have the technical expertise that can be tricky, but the products are pretty affordable so I would say that’s probably the best place to start.
The other thing that we recommend people do is really kind of do an inventory, maybe using a website designer or a website developer to help you with some of the technical aspects. Have that person go through it every few months and make sure that they know what’s running on the site.
So often, things get compromised when there’s a software running that no one is aware of. So maybe they installed an SEO plugin two years ago, but they forgot they had it and they never updated it. It has some vulnerability and people sneak in that way. So knowing what’s running and then getting rid of stuff that you don’t need anymore is really important, it can really help limit your exposure.
I think the other thing is really being thoughtful about what data you’re collecting from customers. Ask yourself whether you really need that data. If the answer is yes, do you need it in your website database, or is there somewhere less publicly available that you might be able to store that information. Limiting the amount of data you’re collecting from customers to what you really need. It can be tempting to add additional fields to a data collection form, thinking it might come in handy at some point down the line. We really encourage people to go the opposite way and try to be very conscientious about the amount of data they collect and store. If you don’t need something anymore, it’s okay to get rid of it. Because the more data you collect the more there is to expose.
How has COVID-19 affected your business and industry?
We have so many small business customers and for some of them, this has been a really hard time. What we try to do is help them out however we can, whether that be financially or with product service assistance or even just guidance in terms of what to do and how to work remotely. We’ve also given away a lot of products to help small businesses. We’re offering our VPN service and our security awareness training for free through the crisis, to help small businesses adjust to this new setting. So that’s been the biggest impact.
From an industry perspective, what’s been interesting to me is just how for security for software companies in particular, the move to remote working has been universal and I would say reasonably successful. I think there was a lot of fear. We were worried about whether we’d be able to do our work remotely and we expected many challenges, but it’s actually been pretty seamless, and I think it really makes you think about the opportunities that remote work introduces versus in-person work and how you can start to balance that a little bit differently, especially in software companies that are so tech-enabled anyway. I’ve actually changed my opinion on this because when the crisis started, I was very much in that mindset that everybody should be together. I’m a social person and I like to hang out with people at the office, but there are ways to do that remotely too. So we’ve really learned a lot as an organization through this time.
Which trends and technologies do you expect to see more of in the coming years?
I think that remote working and remote education are going to change dramatically over the coming months and years.
From a security perspective, this has really reminded me about the creativity in cybercrime, and how quickly these folks adapt to the changing landscape, especially around the COVID crisis and working from home scenarios. We have seen more phishing attempts in the last two months than the entire year. In fact, I’ve never seen so much phishing going on at the same time. That activity is really accelerated. It’s been a good reminder that cybercrime never stops, it just keeps evolving, so it’s really important to stay ahead and continue to make sure that people are educated on the latest and are ready to respond.
Interestingly, one of the things that many of our customers are realizing now is that they need their employees to be their first line of defense, and how important it is that those folks are aware of the potential threats and are aware of how to deal with and respond to them. So, if you get an email that looks fishy, what do you do about it? what happens if you accidentally click it? What are you supposed to do next? all those steps that maybe were easy when you were sitting in an office next to your IT guy, but now that you’re out and everybody’s remote, how do you deal with those things and make sure that those employees really are your first line of defense.