SiteLock Internet Security: Big Threats for Small Business

Protect your Small Business Customers They are a sizable investment 26.9 M 91.8% 61.4% $11.4T Small Business Trends; restating US SBA.gov report Number of U.S. Small Businesses Percent of U.S. Firm Population (in # of Employees) Percent of U.S. Business Revenue Earned by SMB’s One-year U.S. SMB Revenue

Why the SMB Market is at Risk: A closer look Over 60% of data breaches are at companies with <100 employees * Nearly half involved malware injections 98% of ALL applications have holes ** 68% of vulnerabilities found are XSS ** Over 6,000 websites are blacklisted every day *Verizon, US Secret Service Report **HP Security Report

What Website Security Means Be proactive Design and build websites with security in mind Take additional care to “harden” open-source applications Sanitize dynamic content to ensure safety of interaction Identify and repair likely vectors for attacks Code injections Weak or unencrypted login pages and credentials Out-dated applications Employ non-intrusive security practices to identify and remediate potential problems before hacks occur React quickly Detect and clean malware before websites are blacklisted

Business Impacts of Poor or Reactive Security Small business websites can be shut down Business reputation is damaged Revenue can be lost Customer data is at risk Search engine rankings plummet

The Most Common Threats to SMB’s SQL Injections Poor Server Configuration / Authentication (Credential Theft) SQL Injection combined with Malware Malware UK Security Breach Investigations Report, 2010

The Threat/Vulnerability Evolution Cross Site Request Forgery Cross Site Scripting (XSS) Buffer Overflow SQL Injections Remote File Include (RFI) Denial of Service HP Top Cyber Risks Report, Mid-year 2011

Security is a Challenge for SMB’s InformationWeek Analytics Strategic Security Survey, October 2011

Where do SMB’s Turn for Help? Read forums and help websites and fixed it myself Tried several approaches, but site is still compromised Followed security company instructions provided Called a security/IT expert/web developer to sort it out Nothing – site seems OK now Abandoned the whole thing and set up a new site with a new provider Other Compromised Websites: an Owner’s Perspective; StopBadware.org, CommTouch, 2012

Response from Hosting Provider None, never communicated the issue to them Provided assistance at no cost to help fix the compromised site No help provided, or refused to respond Charged additional fees to help fix the compromised site Compromised Websites: an Owner’s Perspective; StopBadware.org, CommTouch, 2012

The Plan to Fight Back Technology - Turn-key - Always on - Business focus, not IT - Secure network - SSL - Firewall Process - Security standards - Strong passwords - File protection - Compliance requirements People - Education & awareness - Test your own site - Update web apps & plug-ins

The Ideal Complete Solution When considering internet security partners/providers, look for: A comprehensive set of security measures designed for prevention or detection. A range of scans that analyzes all web traffic, network and applications for threats. A process design, even the most effective protection cannot stop 100% of attacks. A trial to see if it is easy to use, the most effective toolset is of little use if you can’t figure out how to use it. Consider solutions with a straightforward user interface or dashboard that will keep a user informed on what’s going on. Key take-away: When it comes to website security, prevention is always the best policy.

Thank you Questions & Discussion SiteLock: