On Sunday April 15 I gave Adam Warner's talk on selling Security as a service or add-on at WordCamp San Diego. These are the slides from that presentation.
2. JAMIE SCHMID
• COMMUNITY EVANGELIST @SITELOCK
• FREELANCE DESIGNER AND DEVELOPER
• PASSIONATE ABOUT WORDPRESS AND DRUPAL
• CONTENT ENTHUSIAST
• PROUD CAT MOM IN PORTLAND, OR
@JAMIESC
3. WHAT WE’LL COVER TODAY
• Securing your own site first
• Securing your client sites
• Benefits for your business and those of your clients
• Communicating security benefits efficiently
• Including security in the project scope
• Security best practices
• Security in your maintenance program
• Maintenance and reporting options
45. REMEMBER THESE AND GROW YOUR BUSINESS
• Including security in the project scope
• Security best practices
• Security in your maintenance program
• Maintenance and reporting options
• Securing your own site first
• Securing your client sites
• Benefits for your business and those of your clients
• Communicating security benefits efficiently
Hello everyone and thanks for coming to my session. I’d like to start off by getting to know you a bit. By a show of hands:
How many of you are actively building sites for clients?
How many of you are managing those sites on an ongoing basis?
OK, great. I created this talk because I have a passion for helping others succeed in their internet businesses. My hope is that you’ll find some useful tips for growing your business and providing extra value to your clients.
Open Source Manager: actively involved in many open source communities. It’s been mostly WP over the past couple of years.
FooPlugins: This is a free and premium WP plugin business
Security Passion: Because I built a revenue-generating website and lost it all due to a hack.
My goal is to make your job as a web development provider easier while also showing you opportunities for more revenue from your projects.
First I’d like to talk about why securing your own site is a good first step.
Website hack attempts happen all day, every day.
Especially important when YOU are the one providing the website building service.
A successful attack directly impacts your revenue, tarnishes your reputation, and degrades customer loyalty.
- Google or browser message saying “this website may be unsafe” or something similar.
I’m going to leave that site immediately. And when that happens, I don’t contact you, you don’t have the opportunity to give me a proposal and, even worse, I’m probably going to associate your brand with a negative thought. “They build websites but theirs is hacked?”
Script: I’d never recommend something to my client that I haven’t used myself. I mean, I wouldn’t do that again. (insert sheepish smile). I’ve failed clients because of not performing proper due diligence on the products and services I was referring them to. I’ve since learned my lesson!
Directly related to protecting your reputation. You have many goals as a web development service provider, but first and foremost should be the goal of protecting your business.
Are you actively implementing basic security best practices on the sites you hand over?
Let’s talk about why securing your clients’ sites is important to your immediate and long-term business.
Client’s form emailing her credit card numbers.
Receiving frantic emails or phone calls from clients that something’s wrong with their site. At inopportune, inconvenient times.
It’s our responsibility as their “technical contact” to ensure that we can fix whatever problem they’re experiencing. Spent an entire weekend trying to determine the problem and get a fix in.
Securing your client’s sites BEFORE the hand off will save you time, money and headaches. And even if securing their site is out of your project scope, it’s your responsibility to AT LEAST educate them and urge them to implement basic security.
Whether it’s securing client sites proactively, or giving them the education and tools they need to do it themselves, the end result is YOUR PEACE OF MIND.
Educating your clients (and potential clients) about website security is the right thing to do period.
Who’s ultimately responsible for website security? Focusing on security can set you apart from the crowd and increase your value and revenue.
• Spreading the importance of security (making the internet a safer place)
◦ making client aware that it is their responsibility
◦ opportunity for service benefits, setting yourself apart from the rest
◦ additional revenue, add-on or maintenance packages
When I said that website security was the right thing to do, I was speaking from a global perspective.
But just like walking through a dark city alone at night, it’s critical that we all become more aware of our surroundings and the potential threats that lurk in the shadows.
It’s our responsibility, as the ones who understand how the internet works, to spread as much awareness about security as possible.
The short answer is “all three” but to varying degrees. The long answer is that, ultimately, the person responsible for the security of a website is the website owner. Let’s use an apartment building as an analogy to better understand why that is.
Website Developers: We are the ones creating that apartment building. We’re the construction company. It’s our responsibility to ensure that the website structure is solid and meets all the codes. We need to ensure that there are no exposed wires and that the walls are supported and strong. In other words, making sure that building doesn’t fall down.
Web Hosts and Website Owners:
The website host is responsible for the security and maintenance of their servers. Like an apartment building superintendent, shared hosting providers are responsible for making sure the building (or the server) is protected and the lobby lock is in working order (global firewalls). The parking lot is safe and secure, etc.
Website Owners: As a website owner, the security and maintenance of your website is your responsibility, just like your individual apartment within an apartment complex would be. Your website is a tenant and you’re expected to lock your own doors and windows to prevent intruders.
Educating your clients from the first phone call or email: set yourself apart.
Quickly position yourself as an expert and become more valuable to your client. Even if you don’t move forward with a proposal, they know where you stand and will be more likely to come back to you.
Additional revenue opportunities for you and your business.
Demanding higher project prices overall
(because you’ve positioned yourself as the go-to and recommended resource) Imagine going from a $1,000 minimum project price to $10,000 or $50,000 minimum.
Value to your client that they can’t get with anyone else and to communicate that value from the very first contact.
Also: residual income
- monthly maintenance plan
- one-time add-on services (like a one-time security scan, a one-time clean)
- affiliate commissions by referring them to the right solution for their needs.
It starts with education.
Clients tune out or assume they “aren’t technical enough” and make a decision about security options.
Break down website security to its most basic questions… easier to understand.
This makes it simple to communicate its importance to business owners with concepts and terms more familiar to them.
Why would someone want to hack a website anyway? Defacement: leaving a dumb mark. A cyberattacker might replace your main page with a message of their own.
BIGGEST reason: financial gain.
As serious as Equifax (with data on 143 million individuals stolen),
As mundane as the hack that redirects your site to who knows where using the attacker’s affiliate ID.
Hackers don’t discriminate between the types of sites they attack.
- Even a simple 5-page brochure-type site is still an attractive target:
it can be used as an “open door” for that attacker to spread their malware across
sites on the same shared hosting server and then to visitors of all those sites they compromise.
When we think of hackers, the stereotype is that it’s some angsty anti-social person; in reality, the overwhelming majority of website attacks and successful hacks are performed by automated bots. Or in other words, MALicious softWARE.
How? Vulnerabilities found at various access points. Access points can include outdated software, weak or reused passwords, and newly discovered vulnerabilities in up-to-date software.
Unfortunately it’s not a question of if, but when a website will experience an attack. Hacking attempts happen all day, every day. As we recently published in our Quarterly Security Report, websites experience an average of 59 attacks per day, which is more than 21,500 per year.
The map doesn’t show every attack that is going on in the world, as that would be impossible given the sheer number of them happening at any one time; in any case, your browser wouldn’t be able to cope with it and would run out of memory. But what the map does show is a sample of real-time attacks on Norse’s own network infrastructure.
The cyber attack map is basically a visual representation of cyber attacks on 8 million ‘honey pots’ scattered around the world, which the firm has purposely set up in an attempt to lure hackers and, more commonly, automated tools that attack computer networks and build botnets to carry out further attacks on their behalf.
After you’ve communicated the Why, Who, How and When, it’s time to either start building security into your project proposals and cost, or to continue educating your clients. Or both really :)
At the core of a 360-degree website security plan are these 5 best practices. And the good news is that they’re not at all hard to implement!
Backing up your website files and database is the first and most important step. If you do nothing else, do this. And you should be performing regular backups of your website too… weekly and/or monthly at least.
Doing this ensures that if something does go wrong, you’ll have “something” to use to restore your site if all else fails.
Keeping the software that runs your site up-to-date is critical. This includes Joomla! core and extensions (template, module (widget), component (shopping cart system), plugin (edit core functionality)) and any other software running on your web hosting account. Software updates typically include security patches, and many times new features, bug fixes and compatibility updates; all are good reasons to keep up to date with the latest changes.
Reminder: When you receive that email letting you know your site has an update available, run a backup before and after updating ANY software.
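The “backup before and after updating” rule, written out as a small POSIX shell script. This is an added example, not code from the talk or from SiteLock; SITE_DIR, BACKUP_DIR, DB_NAME and the wp-cli update command are assumed placeholders for your own host.

```shell
#!/bin/sh
# Added example, not from the talk: snapshot a site's files (and its database,
# when one is configured) before and after running an update command.
# SITE_DIR, BACKUP_DIR and DB_NAME are assumed placeholders; set them for your host.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/site}"
DB_NAME="${DB_NAME:-}"            # empty means "no database dump"
KEY_FILE="${KEY_FILE:-wp-config.php}"   # file that must be present in a good snapshot

# backup_site LABEL: writes site-LABEL-TIMESTAMP.tar.gz (plus db-LABEL-TIMESTAMP.sql.gz
# when DB_NAME is set and mysqldump is installed) and prints the archive path.
backup_site() {
    label="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    archive="$BACKUP_DIR/site-$label-$stamp.tar.gz"
    tar -czf "$archive" -C "$SITE_DIR" .
    if [ -n "$DB_NAME" ] && command -v mysqldump >/dev/null 2>&1; then
        # --single-transaction gives a consistent InnoDB snapshot without locking tables
        mysqldump --single-transaction "$DB_NAME" | gzip > "$BACKUP_DIR/db-$label-$stamp.sql.gz"
    fi
    echo "$archive"
}

# verify_backup ARCHIVE FILE: succeeds only if FILE is listed inside ARCHIVE,
# so a snapshot is checked before anyone relies on it for a restore.
verify_backup() {
    tar -tzf "$1" | grep -qxF "./$2"
}

# update_with_snapshots CMD [ARGS...]: take a verified snapshot, run the update,
# take another snapshot. Prints the pre and post archive paths on two lines.
update_with_snapshots() {
    pre=$(backup_site pre-update)
    verify_backup "$pre" "$KEY_FILE"
    "$@"                          # e.g. wp plugin update --all (assumes wp-cli)
    post=$(backup_site post-update)
    echo "$pre"
    echo "$post"
}
```

Run it as `SITE_DIR=/path/to/site DB_NAME=wp_db ./snapshot.sh` after adding a final line such as `update_with_snapshots wp plugin update --all`; the pre-update archive is what you restore from if the update breaks the site.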
I know. I know. They’re hard to come up with and even harder to remember! But if you choose one really hard password and just reuse it everywhere, you’ll be fine. I’M KIDDING! Using unique passwords with every website, social account, ANY online account is just as critical (or even more so)! If you’re wondering why, go ahead and load that url, enter a password you reuse for any of your accounts, and see what the result is. Anyone have a result?
To make creating strong passwords, and using a separate strong password for every login, manageable, I highly recommend using some type of password manager: LastPass, 1Password, KeePass or others. But guess what? You still need to come up with and memorize a strong password for your password manager login. At least it’s just one and not 4 dozen!
There are two types of firewalls: Network Firewalls and Web Application Firewalls. Both come as hardware solutions and as software solutions.
Your host has a network firewall. These are used to identify and block malicious scripts between individual web servers within their network. Again, protecting the “apartment complex”.
Web Application Firewalls are add-on services that the website owner must employ. Again these are hardware/software solutions and their intent is to block malicious scripts and traffic BEFORE it even reaches your web server and attempts to compromise your site. You’d be surprised at the volume of traffic to a typical website that comes from automated bots and scripts. Not only does blocking this traffic make your website safer, it also saves load time and bandwidth on your web hosting account.
If Google detects malware on your site, your visitors will be greeted with an alarming error message, and your site will be removed from search results until it has been cleaned and re-crawled by Google. All too often, this is how website owners discover that their site has malware, and by then, their website has already been infected for days. As you might guess, blacklisting can have a devastating effect on a website’s revenue and reputation.
An automated website scanner can monitor your website for potential threats on a daily basis, working in the background while you tend to your business. Some scanners can even automatically remove known malware.
Just like discussing security during the first client contact, including the importance and requirement for security best practices within the project scope can benefit your reputation and that of your business.
Include a focus on security at every step in the process. It shows the client you’re a professional and a serious business owner.
Clients are willing to accept (or even require) this focus on security as a way to ensure the success of their site and business.
This continues to build trust for your company & brand.
The client knows you’re committed not only to building a beautiful and functional site, but also to their own success, and is more apt to consider you a partner in their business.
And when you’re considered a trusted partner, you have the opportunity to earn more money.
Also ManageWP, SiteLock
Focusing on security from the first contact and then again in your project scope, sets you up to demand a higher price for the initial build.
Sets you up to offer ongoing maintenance plans / add-on services.
How many of you are offering maintenance plans to your clients? Do these plans include just “backups and updates”?
How many of you are including security as part of that plan?
Great. And if you’re not, you can easily roll in security under the umbrella of “backups and updates” or call out specific levels of security.
But what happens when a client’s budget simply doesn’t allow for a recurring maintenance plan? You can still offer security as an add-on service in a few ways.
Some examples include:
- One-time malware clean up
- Ongoing monitoring/scanning
- Web Application Firewall
- Or even just the setup of these services
Of course, if you are offering monthly maintenance or security services, you’ll want to make sure you still have time in your day to do what you do and not get bogged down in the nitty-gritty details of either. You’ll also want to make sure that the services you’re providing have a cost benefit for you and that you’re not simply breaking even. In short, you’ll want to automate as much as possible.