What is SEO security?
SEO security is the use of SEO metrics to identify flaws in a site’s security, to act to solve those issues, and to monitor site activity with security in mind. Good SEO practitioners follow security news closely and should increase their clients’ site security by a significant factor. They’re best-placed to notice unusual activity on clients’ sites, and they can also act to rectify problems relating to brand management should a security lapse occur.
Donald Trump, Krishna, and cybersecurity
SEO Security – If you’re in SEO and you’re not doing security, see you in my rear-view mirror
This post is adapted from my presentation on the subject of ‘SEO and cybersecurity’ at UnGagged London, on June 15, 2017.
This post is called ‘Donald Trump, Krishna, and cybersecurity for reasons that will soon be clear.
First up, we should all remember this: everyone in SEO should love Donald Trump because he’s giving us all big love. With Russian hacks and WikiLeaks playing out over the next year on Capitol Hill, Trump is making sure cybersecurity stays front and center, right there in the public imagination. And that’s creating a very interesting environment for us at this moment because we are problem-solvers. What we want to do is make everything straight, healthy, above-board, Google-friendly, and preferably SERPs 1. And these days, we should also want to make our clients’ data and sites secure and virus-free. With Trump around, the problem of cybersecurity is right there in everyone’s face.
Another person we should love right now is Jean-Claude Juncker, president of the European Commission. He’s my favorite guy in the world at the moment for four little reasons that I’ll explain in a minute.
In this post we’re going to tour the SEO and security environment, check out the landscape and maybe see some wildlife. I’m going to make the case that if you’re in SEO and you’re not getting heavily into cybersecurity (and I mean big time), those of us who are will see you later. In our rear-view mirrors.
On our way we’ll also meet Krishna, the Hindu deity.
We all know that SEO has had some ups and downs. I’ve been in it since 2006 and can give you a blow-by-blow account. But right now, whoever is on the ball in this industry can look forward to very productive times. We can also feel good about being socially useful, which is a bonus.
That’s because SEO is the only sector in which all the current security issues affecting ecommerce (or any company with a Web presence) can be dealt with alongside a client’s organic rankings, under one roof. Here at OTT SEO we’re investing in security analysis and provision in a big way, in short – SEO Security.
Why should SEO providers get into infosec?
If you’re reading this and you’re In SEO, you might say ‘Yes, but do I really need to do that?’ The data security industry, which practitioners call ‘infosec’, has had an easy competitive ride up to now, and I see SEO providers moving in to the cybersecurity sector in the very near future. We’re already in infosec, because we like to stay ahead of the game. And don’t forget, bad security is a major risk to SERPs.
But there’s a problem. Some SEO providers see the word cybersecurity, yell ‘Incoming!’, and dive for cover. They get scared. At OTT SEO we don’t do that. Right now, our philosophy is to head straight for this action. We’re integrating infosec wholly into our operation.
Think about it. There are optimizers and there are infosec companies; why not simply do both? The synergies are clear. Good SEO requires constant monitoring; so does infosec. As a company with Web presence, you can’t rely on your hosting service or overworked IT team to stay across it all, either.
Web host quality varies massively, with many providers seeing security as a secondary issue. An SME’s in-house IT team, however professional, can’t always stay across the light-speed developments that characterize the tech sector. Even the biggest companies sometimes drop the ball.
Hacks occur every day. Anyone been to Kmart recently? A recent hack of their systems resulted in the theft of thousands of customers’ credit card details. Poor host security means that often a business’s only safeguard is when Google spots an issue and alerts your site visitors. But Google picks up less than half of site hacks, so without even knowing it, you could find yourself downranked or even off line before you know what’s happened.
User experience and website failure
Google isn’t the only game in town, though. Users are even more unforgiving. It´s why good websites are designed with UX in mind.
Responsiveness and reliability are at the top of the priority list when we are doing SEO. People expect to browse websites on any device, with all pages up and available at all times.
We all know how badly designed websites suffer from poor conversion and high bounce rates.
Visitors prefer clean and intuitive websites, with engaging information and clear calls to action.
Moreover, users like to think all sites manage their personal data responsibly. They value their privacy and are concerned about how websites use the data they collect. However, they often don’t know where their data ends up; after all, who actually reads user agreements? We all just scroll to the bottom and click ‘yes’. All that’s going to change, though, and soon.
UX is king on Google. But hacks, DDoS attacks, ransomware, and other skullduggery can seriously depress site ranking and even take ecommerce sites off line. This can have a terminal impact on a company’s income by halting traffic and wrecking user trust—a commodity more precious than any other on the Web.
Predators on the Savannah: threats to a website
So in the world of ecommerce and Web data we can see a lot of predators skulking in the elephant grass, predators that could take down a website, or even worse. They all have a direct negative impact on SERPs, as Google is really nit-picky when its bots encounter 503 or 404 errors.
The causes for errors of this type can range from temporary server failure to bad redirection practices or a direct cyber-attack. However, the outcome is always the same: a temporary or permanent loss of ranking.
The Effects of Hacking
Wordfence, a WordPress security plug-in provider, surveyed the webmasters of sites which had suffered a hack. Only 46% of those who knew their website had been hacked were flagged by Google. These stats don’t include data for those who never even find out their sites have been compromised, and as we all know, that figure is higher than zero. Roughly half of those who do discover they’ve been hacked find out only after Google slaps them and after their rankings and revenue start heading south.
Many website owners don’t know they’ve been hacked unless they’re actively looking. What´s even worse is that if you do get flagged, Google’s harsh penalties can eliminate up to 95% of your traffic. I mean, who wants to click through to a site if Chrome is warning you about malware in a pop-up?
Close to 10.000 sites get blacklisted every day, and getting off that list is really costly. We are not just talking about repair costs and reputation damage control, which could mean thousands of dollars (or in AOL’s case, considerably more than that).
Last year, Cybersecurity Ventures estimated that hacks will cost more than $6tn by 2021.
An earier report by Juniper Research calculated that the cost of data breaches to the US healthcare industry alone is well over $5bn annually.
And losses from unauthorized internet use by employees in the US are now running at $40bn a year, the same as the GDP of Estonia. That adds up to a lot of money we can save clients, as long as we’re handling their site security well.
The lost revenues from site downtime can reach astronomical figures when high ecommerce volumes come to a dead halt because of a hack. Companies then have to factor in the cost of SEO recovery, and we all know how expensive it can be for clients to have their site pulled out of oblivion after a major data breach.
When word about a security breach spreads, and spread it does thanks to the efforts of security bloggers such as Brian Krebs, the website involved loses credibility and a PR disaster ensues. This scenario is a lot more difficult to deal with than a major downranking in organic SERPs, as bad publicity can trash a website’s traffic figures in days.
Just to add to the pain, companies who fall victim to hackers lose the confidence of their customers and their partners. Recovery is so difficult that more than 60% of SME victims go out of business in less than 6 months.
It’s not all bad news, though. Hack victims who react quickly can remove the malicious code from their website before it harms their ranking and reputation.
Keeping a watchful eye on site traffic and investigating anomalies can help website owners save thousands of dollars.
But it’s not as easy as it sounds.
Where should SME defense start?
SME infosec should start with server owners and hosting companies, who are in the best position to monitor website and server activity thoroughly and constantly. However, they rarely devote resources to preventing or countering hacks.
Despite the fact that server owners are well placed to notice and fight off cyber-attacks, many of them can’t be bothered. It’s not their fault. The margins are razor-thin, and with hosting companies charging as little as $4 a month for security features, they lack real incentives to keep their eyes open on behalf of their clients.
Who are you gonna call?
Who can come to our clients’ rescue? Well, if you want something done properly, you have to do it yourself.
At OTT SEO, we’ve studied the market thoroughly, and our conclusions are clear. Simply put, those who are serious about SEO Security and website maintenance can fill the gaping hole in the market for good SME infosec, and reap the benefits from doing so.
We’ve been guaranteeing protection and fast action against cyber-attacks for a while and so far have increased our revenue significantly.
Mark my words:
“Increasing our threat defense capabilities by stepping into the security field will be key to staying ahead of our competitors next year”
For example, with millions of websites migrating to HTTPS after the NSA scandals, some clever SEOs have been generating income with the transition.
Let´s face it. This was an obvious stream of revenue for those interested in ranking because it dovetails so well with what we do already. Google is known to favor certified websites, and even mobile platforms have HTTPS as a prerequisite in some instances. Certifying your client’s sites is just part of maximizing SERPs. To be good at what we do we have to work every angle. Everyone in the SEO business has Google’s priorities engraved on their hearts: UX and security. HTTPS certification should always be part of the SEO process.
Many businesses, and especially SMEs, are finding the transit to HTTPS troublesome. The complicated initial setup is seen as a major obstacle. Wise SEO providers have efficient teams to deal with this, and charge a sensible fee for the service as part of any SEO campaign.
Will users be willing to invest in cybersecurity?
You’d think this question was a no-brainer, but it’s a bigger issue than it first appears. Incredibly, some clients actually tell you that their website is too unimportant to even consider putting up some basic defenses. You have to stop them right there.
There is something they must remember.
Whether they realize it or not, clients who come to us for SEO services are in the information industry. They don’t just want to close a sale, they want visitors and all the information related to them. This means they’re collecting full names, email addresses, employer details, telephone numbers, financial data, and even browsing data.
This information is like the British crown jewels. It’s ‘worth a few bob’, as the English say. And it’s everywhere, now that the Internet of Things is growing rapidly. We’re in a world where you can hack a washing machine. The ’big data’ industry reports income of more than 100 billion dollars annually and will be this century’s fastest-growing industry. That’s a lot of data to protect.
Some of our clients are in the business of selling leads. Well, they surely don’t want a hacker to get a hold of their precious database.
Or maybe we get hired by a non-profit organization that funnels donations to various charities around the world. They would hate to see their servers suddenly encrypted and locked, with a ransom demand where their landing page should be.
Our clients will always have something important to defend, and it is only logical to provide security measures that also work alongside other SEO methods.
We are in the business of making sure our clients shine in their specific niches. And security is one of many aspects they can leverage in the marketplace.
Google values those who offer that extra protection, but that is not the only argument one should wield when presenting a holistic approach to SEO services.
There are lots of unscrupulous individuals who want access to your secret stash of information. They might want to spam your clients, use their information to commit fraud, or just infect their personal devices to continuously steal sensitive financial data.
In order to prevent a possible security breach, we must understand what our attackers want, and what may be their most cost-effective method to obtain it.
What do Cybercriminals Want?
In short: Most of them want money.
Okay, some malicious actors in the marketplace are kids that like to mess with a website just for the hell of it.
Many in the SEO Security or cybersecurity industry started as hackers. We know that sometimes a website gets defaced or attacked by a bunch of upstarts who just want to show off their newly acquired skills. We hope they join the light side soon as we did.
However, others make a living out of giving us all a hard time. The only limit to their criminality is the capacity of the human imagination. Here are just a few of the reasons hackers hack for money:
They want to
- Get a site banned or demoted in rankings so a competitor makes the sale
- Steal your customer’s information
- Steal your content
- Change your content or data
- Change the topics your webpage ranks for
- Hurt your reputation or your products’ reputation
- Hurt you economically by disrupting your ad revenue, or squander your ad budget
- Disrupt your operations
- Confuse your visitors by blurring the line between products and services
- Bully or harass you and then ask for ransom
These guys always find a way to abuse the system.
From launching massive 1Tbps traffic DDoS attacks against hosting providers, to the alleged Pentagon hack of North Korean missiles this April and the infamous Stuxnet takedown of Iranian nuclear fuel centrifuges a few years back, cyber-attacks have become a common sight. And did someone mention Hillary Clinton’s emails and FSB sub-contractors?
What´s worse, the frequency and scale of cyberattacks is on the rise. IBM´s CEO and chairman Ginni Rometty says ‘cybercrime is the greatest threat to every company in the world’, and she’s as good a horse’s mouth as anyone, right?
Hackers’ main targets are SMEs with less than 250 employees. It seems counterintuitive (why not go for bigger companies?) but it’s actually very logical. Large businesses tend to invest more in cybersecurity and many train their employees in cyber hygiene, making them harder to penetrate.
Take one instance. Back in 2011 then vice-premier Xi Jinping was among a 60-strong delegation from the People’s Republic of China that visited Pelamis Wave Power near Edinburgh. The company was very proud as theirs was the only business being visited outside England. A few weeks later there was a mysterious break-in at the company’s design HQ. Five laptops were taken, but nothing else. Fast forward a couple of years, and the Chinese unveiled their new ‘Haiphong 1’ wave machine, eerily similar to the Pelamis prototype. If they can’t hack you, the Chinese will beg, borrow, burgle, and steal your sensitive commercial information if it happens to be high on their priority list. And when it comes to China’s agenda, green energy is up there with ‘long live the Chinese Communist Party’; right at the top.
Infosec companies who know what they’re doing test their clients’ physical security too. I’m guessing Pelamis, a very small innovation company, had secured their data from hacking but they forgot just how highly motivated state actors can be when it comes to sensitive commercial material.
Ironically, Pelamis is now out of business. But Haiphong 1 is still in development in China.
Despite this, many of our clients feel that the kind of ramped-up measures big companies indulge in are overkill. They’re wrong.
It is our job to show them how risky the online world has become in the last few years and how likely they are to get targeted by a hacker with a laptop. Or some Chinese foreign security service operator with a lock pick.
The first thing we need to show them is the various ways hackers are attacking their victims.
How do hackers get what they want?
There is more than one way to break in to a company’s systems.
There are several types of cyberattacks and they all look for something specific.
This type of attack has become increasingly common. A hacker or organization penetrates a company’s database, encrypts all the vital information necessary for it to run, and then demands a payment for a decryption key. Last year, this was the most common type of attack and one that is going to be on the rise for years to come.
Hackers know that small businesses can’t afford to shut shop for a day or two while things get sorted out. They have also found the optimal tipping point between profitability and a victim´s tolerance. The amounts they ask for letting companies regain access to vital data are low enough to make paying the ransom attractive and seeking justice a fool’s errand. Ransoms can range from a few hundred dollars to several thousand, depending on the victim. Ransomware is so difficult and costly to deal with even law enforcers advise companies to pay up. Two thirds of victims of this crime end up giving in to hackers’ demands.
Advanced persistent threat
Brute force attacks and malware are easily detected and firms can deploy countermeasures once they detect a breach. This can leave hackers holding only a fraction of the data they wanted to extract. As with any fluid market, a gap has opened up that operatives have filled with APTs: Advanced Persistent Threats.
This kind of attack is not a simple smash-and-grab of your company’s money or customer information. The goal is for hackers to get into your company’s network and stay there, extracting key data around the clock. This is the best way to gain access to valuable intellectual property, contracts, future projects, and even sensitive political information for further exploitation.
The attack starts when someone inside an organization grants access to an unauthorized person or piece of malware. The intruder then stealthily stays inside and establishes back doors to ensure permanent access.
Although this kind of attack has been traditionally committed against government agencies and large companies, recent attacks have targeted innovative small and medium businesses, and it’s a frequently used tool in commercial espionage. Companies in the US, including those in the defense sector, have lost tens of billions of dollars’ worth of sensitive information.
Distributed denial of service
This is what cyber-brute force looks like. A DDoS is the use of an overwhelming quantity of traffic directed to a web server in order to slow it down or induce it to crash. It does not require strong hacking skills, just a vast network of bots or zombie machines that start flooding the targeted server.
Hacker organizations with sufficiently fearsome reputations use this as leverage to ask businesses for “protection payments”. They also put their services out to hire. Even otherwise legitimate companies wanting to cripple the competition can rent a botnet in 15-minute increments.
Well-known tech security blogger Brian Krebs’s site was taken down last year by hackers who didn’t like him poking around in their corners of the Dark Web.
Everyone knows that Google hates it when a site is down. We’ve even come across cases where DDoS attacks have been timed to coincide with a Googlebot site crawl. This is done by shady competitors who want our clients to rank lower and don’t care how they do it. This is devastating and very hard to detect as the attacks only last minutes.
This year 1.5 Million WordPress sites fell victim to a huge hack.
Victims and visitors see a site’s content modified or totally vandalized.
This can be done in various ways including by SQL injection, cross-site scripting, or exploiting unpatched operating systems.
Again, this can be a very severe body blow for SMEs in particular, as defacement attacks generate a lot of publicity and ecommerce customers run for the hills whenever they get the sense that a site can’t protect itself, let alone its customers.
Four little words: General Data Protection Regulation
Okay, so the new HTTPS protocol from Google is rightly gaining traction as the standard. If your site does not include the magic ‘S’, you’re downranked. However, the next big game in town is already the EU’s GDPR (General Data Protection Regulation, those four little words), which was enacted last year and will be enforceable from May 2018. That’s right, less than a year away. A good deal has been written about compliance with these regulations, and there’s a presentation about it at this very event, but here are just two facts that should have you sitting up and paying attention:
- GDPR applies to any company which handles the personal information of an EU citizen. Said company does not have to provide a financial or paid-for service to be included in this category, and does not have to be located in the EU to be liable to sanctions. Nor does said company’s server or host.
- Top fine for breach of regulations is four per cent of any company’s annual turnover. Are you feeling lucky? You want to chance your arm and take that hit? Didn’t think so.
- Relevant personnel (including users whose data you hold) should be notified within 72 hours of discovering a breach or hack.
And yes, that’s three facts, just to hammer home the point that GDPR is as comprehensive as we’ve all come to expect from the Commission. You don’t have to get into the small print to discover all this. At 260 pages, the small print is as brief as the English summer compared to most EU regulation. But remember this: any one of those 260 pages could bite you in the ass.
Who’s that, I hear you ask. That’s Vishvarupa, the multi-armed form Krishna takes on in the Hindu scriptures. We should, and I mean we as SEOs and marketers, become more like the Vish. At OTTSEO we’ve added a few infosec arms so we can provide clients with a full-spectrum service. We’ve got extra heads working on it, too. When it comes to rankings, this isn’t the Middle East. The more arms the better.
Are SEOs doing enough?
Who should protect our clients? Like I said, if you want something doing well, do it yourself, and that’s what we’re doing.
The obvious answer would be to leave it to IT departments, server hosts and security firms. But all three options have their drawbacks.
Not all businesses can afford to hire IT specialists. In fact, most of them believe it to be unnecessary.
Server hosts need to stay competitive, so they try to keep costs down and accessible for everyone. They charge as little as 4$ a month for basic protection. It is very hard to find someone who would be your watchdog for a Big Mac a day.
So here’s your takeaway: get yourselves some extra arms, and a few extra heads too, while you’re at it. Like Vishvarupa.
How can SEOs get into data security?
So how can you start generating profits right away in SEOsec?
Infosec experts are charging $10-25k dollars just to audit a site. That´s money that should be going into our pockets, because we don’t just have one-night stands with our clients, we love them long time. It might seem pricey for a small business, but it could save your clients tens of thousands of dollars in the long run. Just make sure you let them know the potential costs of data breaches and ransomware.
You could work out a deal with a hosting company and then offer security checks. Any Class A SEO Security operation with the right personnel should do a hell of a better job at taking care of clients’ cybersecurity than infosec providers. Why? Because we’ve got eyes on at all times, monitoring and researching SERPs movements, and we’re best-place to spot anomalies and take action fast, often before an infosec provider can even spot a problem.
Never offer one product. Showcase a regular package and then offer sturdy website design or upgrades for a solid built-in security setup—at a premium.
You could even work a deal out with a firewall provider and relabel it under your brand.
Read the GDPR and get on the case. Hire hackers. I think SEO providers should get a good chunk of the $170bn dollars a year Forbes magazine reckons infosec will be worth by the end of the decade. And if there’s any justice in this world, We’ll have the lot!