Website Security Policy for Smaller Organizations

I recently got an email from my CPA informing me that all of my tax information had been accessed and could be assumed to have been stolen. It was not a pleasant feeling, knowing that my identity and bank account information were out there, probably for sale somewhere on the dark web. At the same time, I could not say I was surprised.

The breach highlights the challenges smaller organizations face with cyber security. A CPA firm with five partners and a few office assistants simply cannot defend itself against the kind of cyber criminals operating today. It would be prohibitively expensive to implement and maintain countermeasures, assuming they could even find the personnel.

This issue was on my mind as I walked the aisles of RSA 2018. Most of the technologies on display were intended for the enterprise. Some were intended for consumers. What about small to midsized businesses (SMBs)? How can they get access to effective cybersecurity?

I did meet a few vendors that cater to the SMB segment. SiteLock, for example, offers solutions for website security. For a monthly fee, SiteLock can scan a website for vulnerabilities on a daily basis, automatically remove malware, set up a web application firewall and defend against Distributed Denial of Service (DDoS) attacks. More advanced service levels include SQL and XSS injection prevention. They also provide PCI service. SiteLock is platform agnostic and works with a variety of web hosting providers.

Neill Feather, CEO of SiteLock

“Your site is the public face of your business,” said Neill Feather, CEO of SiteLock. “If it gets breached, guess what… your brand just got breached too. It’s impractical to hire a SecOps team. This is the problem we solve. We’re like an outsource provider for security, but at rates an SMB can afford.” The secret? “Automation,” explained Feather. “We automate security countermeasures and related processes so we can enable a large number of smaller customers to benefit.”

SiteLock also offers a solution to a problem that some SMBs may not even realize they have, namely defining and enforcing security policy. A large organization will take the time to define a policy like “All web-facing applications must be protected against DDoS attack and SQL injection.” SMBs don’t have time to think about that level of granularity. They want their site to be secure. SiteLock defines and enforces policy for them. “We spend all our time thinking about securing websites,” Feather added. “We’re policy experts so you don’t have to be.”