Views on Website and Web Application Cybersecurity From Neill Feather, President, SiteLock

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

As cybercriminals are constantly innovating new methods of cyberattacks against websites and Web applications, it is essential for businesses to train employees to practice digital hygiene and maintain software updates.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Neill Feather, president of SiteLock, on how to protect websites from cyberattacks and the implications of the increasing use of applications and connected devices.

Bloomberg BNA:

What are you seeing as the most significant threats and methods of cyberattacks against websites and what kinds of solutions are available?

Neill Feather:

Cybercriminals are constantly innovating new ways to compromise websites and Web applications. That’s why SiteLock’s Research and Security Concierge, or SECCON Teams, are constantly looking at the newest threats to protect our clients and mitigate risk. We scan and protect over eight million customer websites each day. This gives us an extraordinary amount of data to analyze in order to identify the latest threats and malware patterns.

Most recently, we continue to see a rise in automated attack traffic. These attacks tend to be aimed at popular applications, such as WordPress or Joomla! sites. While media coverage tends to focus on the large-scale compromises, we see cybercriminals are more frequently and aggressively targeting less well-known websites to grab the so-called “low hanging fruit” and get access to business information, computing resources and visitor traffic.

One specific example is malware planted on the website in the form of ransomware where sites are taken “hostage” until some sort of ransom is paid. Another common threat includes malware that steals traffic or visitor information by diverting viewers to a nefarious location controlled by criminals. There are a host of threats out there and that’s why it’s important for companies to have a security plan that includes holistic monitoring. At SiteLock, we pride ourselves on the ability to find and fix threats the minute they hit, prevent future attacks, accelerate website performance and meet Payment Card Industry Data Security Standard and other compliance standards for businesses of all sizes.

Bloomberg BNA:

Industry professionals often discuss practicing digital hygiene to prevent cybersecurity breaches. What are some of the examples of digital hygiene in the context of protecting a company’s website?


While we see great focus on network and endpoint protection, websites are often neglected. Business owners wouldn’t close their shop without locking the door, so why leave a website unprotected?

As with any security risk, prevention is the smartest strategy. For businesses, it starts with employees. Recent studies show non-malicious employee error is a leading cause of data breaches today. Training employees is critical to ensuring a website is protected. Best practices include making sure employees are using strong passwords and changing them regularly and instituting two-factor authentication in the case an employee password is stolen.

Another digital hygiene example is maintaining software updates for any application used on your website—plugins, themes, platform installations and third-party tools. Also, be sure to remove any unused code or software as it provides an easy entry point.

When security updates are released, it is important to upgrade quickly. This can be cumbersome and requires that up-to-date inventories of applications are maintained over time. One way to help manage this is to leverage solutions such as a Web application firewall which can be used to secure your website against attacks on outdated applications while giving information technology departments breathing room to update these applications after thorough functionality testing. To provide even better protection, businesses can use products that remove malware automatically.

Using these services together will give Web applications the same level of protection your desktop PC and laptop have had for years, preventing security issues and cleaning up any unwanted intrusions. 
Bloomberg BNA:

Websites are quickly being replaced with applications. What are some of the differences between protecting websites and applications?


As apps become more popular and websites and Web applications continue to evolve, there is increasing convergence between what is offered in the mobile and native Web space. This opens up additional entry points for attacks. In fact, 80 percent of attacks today are aimed at Web applications so it’s important for businesses to have security in place to protect both. SiteLock’s research with faculty from the Wharton School of Business found that a website’s complexity is a key indicator of the likelihood of compromise. Our research shows that websites with a higher number of interactive features are 12 times more likely to be hacked.

The use of Web applications is only going to increase in the years ahead because visitors now expect the enhanced user experience apps provide. Website applications like videos, customer product reviews, polls and social media tools each deliver a small piece of source code that executes in the browser. Because this source code is frequently overlooked from a security standpoint and left unprotected, it can leave a business vulnerable to a crippling attack. Businesses should ensure that the code of these applications is frequently scanned and reviewed for weaknesses or vulnerabilities. 
Bloomberg BNA:

What are the pros/cons of this transition to apps in the context of protecting against cybersecurity breaches?


More than ever before, Web users expect increasingly engaging content from brands and organizations. The use of web applications allows companies to create a more unique user experience, helping build brand loyalty. Our research with the Wharton School of Business shows that as these sites are updated with continuous improvements offering more features to engage, retain and attract users, the importance of preventative website security increases.

The downside of this transition is that websites and Web applications are a very visible and vulnerable part of a company’s infrastructure. As more are added to a site, additional targets for malware are created and must be properly secured. Businesses can no longer assume they’re immune from cyberattacks and must take proactive measures to help mitigate their risk of compromise at all access points.

Beyond the immediate impact, a breach can sully a company’s brand reputation for years to come. In a recent poll by contact center software provider Semafone, 86.6 percent say they are not likely to do business with a company that has experienced a data breach that resulted in the loss of payment card data. By practicing digital hygiene, businesses aren’t only protecting their websites, they’re protecting their brand reputation, and ultimately, their bottom line.
Bloomberg BNA:

Apps are increasingly present in connected devices. What are some of the challenges protecting against cybersecurity threats in the context of the Internet of things?


For businesses of all sizes, especially small and midsized firms, there are quite a few challenges in protecting against threats in the Internet of things (IoT) era. For most companies, as malware continue to evolve, it can be hard to know all of the entry points cybersecurity threats can utilize for a breach. The devices we use each day are increasingly integrated. IoT is all about integration across all facets of our lives—both at home and at work. As this occurs, an exponential number of access points are opened up that have to be properly protected. The challenge is that some businesses may not even know this is problem.

I also sit on the Board of the Online Trust Alliance which recently released a new Internet of Things Trust Framework. The Framework was part of a comprehensive cross-sector initiative that provides guidance for device manufacturers and developers to enhance the security, privacy and sustainability of connected home devices, wearable fitness and health technologies, and the data they collect. It includes a variety of ways companies can address consumers’ global concerns including proper protection and monitoring in place for IoT sites.