Website hosting security has matured in recent years. Naturally, the types of security issues have changed because of it. For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today. However, malware attacks and other website security-related issues at the account level are still very real problems. Just ask anyone who has had their website defaced, redirected, or abused in phishing attacks.
Adapting to The New Reality
In today’s website security landscape, the problem really lies in how the website owner manages their server environment. This is traditionally beyond the scope of the website hosting provider. Attackers know that the weakest link is the end-user, and as such, they focus on opportunistic, automated attacks against end-user managed resources, such as plugins and extensions installed by the website owner.
More than 90% of attacks today are automated, looking for the low-hanging fruit. Typically, websites are attacked at scale in a few ways:
- bots or scripts searching for known vulnerabilities to exploit
- artificial intelligence tools looking for weak credentials
- wider ranging attack types, such as DDoS attacks
End-Users Hold Hosts Accountable
“How could you let me get hacked?”
Sound familiar? Website hosting companies of all sizes feel the pain when it comes to end-user website security, which is now consistently part of the conversation with their customers. Prepared or not, hosting companies have to provide support when their customers cry for help after their websites have been hacked, blacklisted, or attacked.
Web hosting customers today are excited about having a website. They want to be the next big thing. They want to have a voice and make an honest living. The vast majority of website owners don’t want to learn about the technical security implications of having a website.
In most cases, they expect the host to take care of it all.
Taking Ownership and Responsibility
Website owners aren’t just geeky, over-caffeinated nerds anymore. Creating a website has become a very accessible opportunity, and now anyone can be a webmaster. We have to understand that the majority of website owners possess very limited technical acumen and resources. They want a site that is fully secure and stays that way. From our experience, they don’t care about or understand ambiguous services and up-sells. If it gets hacked, they want someone else to deal with it now, at an affordable cost. Once cleaned, they don’t want to be hacked ever again.
We were at the cPanel Conference last week and the final session spoke to this very subject. The question came up around whose responsibility it really is when it comes to website-level security and there were mixed results. What this discussion really validated for us is that, in a room full of service providers and hosting companies, the theme is not unique. Customers are asking the question and it’s the responsibility of service providers to have an answer.
We were at WHD the week before cPanel, and Tony addressed our responsibility as service providers and how we should be thinking about all of this.
The Cost of Supporting Website Security Issues
It has become such a widespread issue that many providers are growing staff (or entire departments) dedicated to supporting customers with compromised sites “just to help them out”. They are dealing with really frustrated customers that may choose to leave when the rubber hits the road.
This effort doesn’t make a lot of financial sense for hosting providers in most cases. The host is forced to dedicate valuable resources in an attempt to remediate hacked websites and offer a security solution that they, quite frankly, don’t control. Still, they risk the customer potentially leaving them anyway when it’s all said and done. Security isn’t their core competency and the effort becomes a cost center for them. The overhead caused by resources and time spent, which is then passed on to the customer, becomes far too large to manage at scale. This hurts the host and isn’t something easy for the customer to chew on either, especially when they are experiencing a hack and are in a vulnerable, highly emotional mental state.
The host should be involved, but it starts well before the point of infection. We need to change the discussion. We need to become leaders in awareness. Service providers have an inherent responsibility to be educators to a very broad audience. By educating customers that there is a difference between infrastructure security and account security, providers are helping them understand that with traditional hosting, it’s not so cut and dry. Steps should be taken to correct false expectations that the provider is the responsible party for a site owned and controlled by the end-user. Hosting providers have an opportunity to educate the end-user about options they need to be considering, based on their requirements. There are trade-offs between things like traditional shared hosting and managed WordPress, for example. Security should be a part of the discussion from beginning to end.
Making Website Security a Profit Center
There is a lot of opportunity for hosting providers to sustainably help their customers, reduce operational and customer costs, and even economically benefit by offering website security options to their customers. It may make a lot more sense to partner with a professional security company who can provide dedicated resources and services at reduced costs. Depending on the host configuration, there is an opportunity to turn security into a new revenue stream while upping their website security game at the same time!
They can also extend user knowledge and secure users by leveraging a more intuitive, long-term strategy. Effective website security solutions require dedicated professionals who understand how the threat landscape looks now, and how it will evolve in the future.
A good website security provider also requires a customer-first approach that prioritizes time to resolution with respect to each customer’s level of technical ability. As an example, Sucuri is recommended by web professionals for our commitment to providing users with cutting-edge technology and excellent customer service.
The idea here is to extend your security team and kill off any pricing ambiguity or arbitrary controls for the end-user. Partnering with a proven security organization can give you a full website security stack at fixed prices. This will allow you to offer firm pricing to your customers for a service that’s guaranteed and won’t end up costing more based on the number of pages protected or which portions of the site are remediated during an attack.
We have found that doing active scans of your user base’s websites on a continual basis and doing outreach to help them better understand their security status is helpful in educating customers, all while helping to gain a better understanding of the overall health of accounts in the environment.
In the end, we all have a part to play in making the web safer. It’s our job as service providers to educate and offer clear, sustainable website security options to our ever-growing audience of people who are simply trying to build their businesses and online presence.
Let’s be educators. Let’s be leaders. Our customers will appreciate us for doing so in the long run!
Have questions or want to add to the discussion? Email us at firstname.lastname@example.org