What is SEO security?
SEO security uses metrics to identify weaknesses in a site’s security, solve those problems, and keep track of site activity with security in mind. Security should be a priority for SEO practitioners in order to protect their clients’ sites. The people who are best positioned to take notice of unusual activity on clients’ websites are the ones who can also take action to address issues with branding that might arise from a security breach.
Donald Trump, Krishna, and cybersecurity
If you want to succeed in SEO, you need to make security a priority. Otherwise, you’ll fall behind
I presented on the subject of SEO and cybersecurity at UnGagged London on June 15, 2017.
Donald Trump, Krishna, and cybersecurity will soon be clear.
First of all, we should all remember that everyone in SEO should love Donald Trump because he is giving us all a lot of love. Trump wants to make sure that cybersecurity stays in the public’s mind by having Russian hacks and WikiLeaks play out on Capitol Hill over the next year. We are creating an interesting environment for ourselves as problem-solvers. What we want to achieve is to have everything in order, healthy, within the bounds of what is legal, Google-friendly, and if possible, ranked number 1 on SERPs. We should also be concerned with making our client’s data and website secure from viruses. The problem of cybersecurity is more apparent with Trump as president.
We should love Jean-Claude Juncker, president of the European Commission, right now. I love him for four reasons that I’ll explain in a minute.
We’ll also meet Krishna, who is a Hindu deity.
SEO has had some good times and some bad times. I can give you an account of what happened since 2006. The person who is successful in this industry can expect to have a lot of success. In addition to feeling good, we can also feel useful by being socially helpful.
This is because SEO is the only area in which all of the current security issues facing ecommerce companies (or any company with a web presence) can be addressed along with a client’s organic search ranking, in one place. We’re making a big investment in SEO security analysis and provision.
Why should SEO providers get into infosec?
If you work in SEO, you might be thinking ‘Do I really need to do this?’ The data security industry, often referred to as ‘infosec’, has had little competition up to this point, but I predict that SEO providers will soon be moving into the cybersecurity sector. We’re always thinking about information security because we want to stay ahead of the competition. Remember that bad security is a huge threat to your website’s ranking in search results.
But there’s a problem. Some SEO providers see the word cybersecurity and immediately become overwhelmed and retreat. They get scared. At OTT SEO we don’t do that. Our philosophy is to take the direct route to the action. We’re integrating infosec wholly into our operation.
Think about it. Why not have both optimizers and infosec companies? The synergies are clear. Good SEO requires constant monitoring; so does infosec. As a company with a web presence, you can’t just rely on your hosting service or overworked IT team to keep up with everything.
How do hackers get what they want?
There are a few different types of cyberattacks, and each one has a specific goal.
Ransomware
This type of attack has become increasingly common. An unauthorized person or organization gains access to a company’s computer system and encrypts important data that the company needs to operate, demanding payment for a decryption key to unlock the data. This was the most common type of attack last year and is projected to rise in frequency in the coming years.
Hackers know that if they attack a small business, it may have to shut down for a day or two while things are fixed, which can be costly. They have also found the best balance between profitability and a victim’s tolerance. The ransoms that companies have to pay to regain access to their data are low enough that it is cheaper to just pay the ransom than to seek justice. The amount of money that a kidnapper demands from a victim’s family in exchange for the victim’s return can vary from a few hundred dollars to several thousand, depending on the particular case. Dealing with ransomware is so difficult and expensive that even law enforcement officers advise companies to pay the ransom. More than half of all victims of this crime end up giving in to hackers’ demands.
Advanced persistent threat
Detection of brute force attacks and malware is simple, and companies can establish protocols to prevent these breaches. This means that hackers can only extract a small amount of data. Operatives have started using Advanced Persistent Threats (APTs) to exploit a gap in the market.
This type of attack is much more sophisticated and difficult to pull off than simply stealing your company’s money or customer information. The goal of hackers is to get into a company’s network and extract data continuously. This is the best way to gain access to valuable intellectual property, contracts, future projects, and even sensitive political information for further exploitation.
An attack begins when an individual within an organization gives access to an unauthorized person or malicious software. After breaking into a system, the intruder then creates hidden files that ensure they can access the system again in the future.
This type of attack is typically done against government organizations and large businesses, but there has been an increase of them happening to small and medium businesses. This is a common method used in commercial espionage. tens of billions of dollars’ worth of sensitive information belonging to US companies, including those in the defense sector, has been compromised.
Distributed denial of service
This is what cyber-brute force looks like. A DDoS involves directing a lot of traffic to a web server in order to make it slow down or crash. It only requires a large network of bots or zombie machines to start flooding the targeted server, not strong hacking skills.
Hacker organizations use their fearsome reputations to ask businesses for “protection payments”. They also put their services out to hire. Even legitimate companies who want to harm their competition can rent a botnet for 15 minutes at a time.
Last year, Brian Krebs, a well-known tech security blogger, had his site taken down by hackers who didn’t want him poking around in their corners of the Dark Web.
Google hates it when a site is down. We’ve seen cases where DDoS attacks have happened at the same time as a Googlebot site crawl. Some unscrupulous companies try to sabotaging their rivals by artificially lowering their ranking on search engines. They don’t care about the means, as long as the result is achieved. The attacks only last for a few minutes, making them hard to detect. This is devastating.
Defacement
1.5 million WordPress sites were hacked this year.
Both victims and visitors of a site can see when its content has been modified or vandalized.
Different methods of hacking include using SQL to inject code, cross-site scripting, or taking advantage of unpatched operating systems.
Defacement attacks can be a very severe body blow for small and medium enterprises in particular. These attacks generate a lot of publicity and ecommerce customers may leave the site if they feel it can’t protect itself or its customers.
How a Hack Can Damage a Website
Julia Logan, also known as IrishWonder, told me about an experience she had with a hacked event website in 2015.
Our team noticed an abnormal spike in search visibility for our client’s annual industry event website outside of their normal pattern. This was down to an influx of parasite pages:
In July 2015, the site was hacked and blacklisted by Google. The site was hacked because it was using WordPress and a number of plugins with known vulnerabilities. These were:
- Wordfence: There was a known cross-site scripting vulnerability that had been discovered in November 2014 affecting version 5.1.2 and patched in v. 5.1.4.
- WordPress SEO by Yoast: There was a known SQL injection vulnerability that had been discovered in March 2015, affecting versions 1.7.3.3 and below.
The site’s directories had not been set up to prevent outsiders from seeing their contents before the hack occurred. The index pages of some theme and plugin directories were indexed by Google, making the site vulnerable to attacks that exploit vulnerabilities in themes or plugins.
The threat posed by these indexed directories did not end with the initial site cleanup. The server had been configured to give a 404 response for them, but having URLs like these indexed could lead to more hack attempts.
They decided not to close the folders from indexing via robots.txt, because that would still be a telling footprint. (Besides, these folders contained CSS files which Google insists on being indexable.) So they removed the folders from Google’s index manually, using the URL removal request form.
The hackers had taken control of the site’s SMTP services and were using them to send spam emails, which led to the site being blacklisted by all major email spam databases. The fact that they were considered a spammer was critical because it damaged their business’s core function, which is sending out emails to their subscribers/event participants.
Manually removing the parasite pages from Google’s index was necessary to speed up the index cleanup. I had to try a few times and email back and forth before I could get the site removed from the spam email databases. The site was then also migrated to HTTPS.
What About GDPR?
The new GDPR regulations have made people more aware of the importance of cybersecurity, but many businesses still do not understand how important it is to protect their digital assets.
On a scale from 1 to 10, 1 being not at all, how prepared do you believe your clients are to be secure and comply with the upcoming GDPR regulations?
The overwhelming feeling is that many companies are still working towards compliance, with only a few being close to done.
The amount and type of data a business processes affects the format of compliance that it needs.
Only 15 percent of organizations surveyed by Deloitte will be compliant with GDPR regulations by May 25. About 44% of respondents scored between 1 and 4 on the scale.
Organizations outside of the European Union will also be affected by GDPR if they have dealings with EU countries.
On a scale from 1 to 10, 1 being not at all, how prepared do you believe your U.S. clients are to be compliant with the new EU GDPR regulations?
The majority of the 124 respondents surveyed do not believe that U.S. clients would be willing or able to comply with GDPR and other European laws.
Speaking with fellow SEO Ryan Siddle from MERJ about the topic of GDPR and how prepared businesses are, he had the following to say:
organization size usually dictates the amount of data and therefore the number of people working with it, with larger businesses having more data and smaller businesses having less data. The pace at which these people work is generally slower in larger businesses because there are more layers of management and bureaucracy. Since they need legal counsel to interpret and follow the law, costs are high. Legacy systems may not be compatible with new requirements. The software may require extensive changes to meet the standards, with months of testing to ensure data integrity.
Small businesses may not have the funds to spend on legal counsel. Unlike larger businesses, small businesses focus on revenue growth instead of waiting for others to take the lead. The bigger companies take in the information and communicate what needs to be done to their affiliates and partners.
Who’s Responsibility Is Cyber Security?
I have found that there is a lot of misinformation and misconception among companies about who is responsible for maintaining the security of a website.
Under GDPR, businesses will be fined, not their development company. Although some business owners believe that their development contract states that the development company will be fined.
Who do you believe is responsible for making sure that a website is secure?
Out of the 136 respondents, approximately two thirds believe that the security of a website is down to all stakeholders, with just under a third thinking the responsibility lies solely with the business.
All stakeholders are responsible for both online and offline compliance processes under GDPR, including external agencies.
As an agency that often has access to sensitive areas like website CMSs, analytics, FTP, and more, we have a responsibility to use two-step authentication and have our own security policies in place.
Conclusion
After talking to many SEO experts and observing industry trends, it is evident that website security is a noteworthy topic that will stick around for a while.
It is crucial that we in the industry educate our clients about the dangers not just to SEO but also to their businesses.
Related posts:
