Recently we have put forward the idea that a way to better understand the poor state of the security industry is to think of it as the “insecurity industry”, as much of the industry is not interested in actually securing websites, but instead in selling people on the idea that they should be buying expensive security services without an expectation that those services will actually provide effective protection. One company that really exemplifies that is SiteLock. Just a couple of weeks ago we discussed how they promote their service in a way that indicates that it doesn’t actually protect websites, as they portray that instead of keeping websites from being hacked they provide incomparable security by being better able to deal with the aftereffects of leaving websites vulnerable to being hacked (though they didn’t provide any evidence they are even good at what they claim to be able to do).
One of the things we mentioned previously as part of what defines the “insecurity industry” is selling people on the idea that websites are under constant attack. That is something that SiteLock frequently brings up. For example, in a press release from March 12 they claimed:
The average website is attacked 59 times per day, which is up a staggering 168 percent from the previous year.
If you think about it for a second though, that doesn’t sound like a meaningful statistic, since the average website isn’t being hacked 59 times a day or even once a day.
A couple weeks after that press release, SiteLock had a bit of a problem as their latest claimed stats indicated that attacks were down:
Websites experienced 44 attacks per day on average in Q4 2017, a 25 percent decrease from the previous quarter.
Part of the way they tried to downplay that was to extrapolate out that number over a year (despite knowing that the number is variable):
Despite this decrease, a single website can still experience 16,000 attacks in one year alone.
As far as we are aware the average website isn’t being hacked even once a year, so once again the stat is rather meaningless.
Next up they downplayed it by saying the number of attacks isn’t actually meaningful:
“A decrease in attacks does not mean that websites are safer. In fact, it may even be the opposite,” says Neill Feather, president of SiteLock. “Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks. Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur.”
So if attacks are up you should be concerned, if attacks are down you should be even more concerned, it is almost like the number of attacks isn’t meaningful at all.
That claim sticks out considering that they are still making a big deal of the number of attacks. They even created a graphic in that very post highlighting the number of attacks:
What would be a relevant stat is how many successful attacks there are. The quote from the President of SiteLock indicates they would know that: “our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks”. We doubt they actually do, but assuming they did, telling people the truth, which is that successful attacks are very uncommon, would get in the way of scaring people. So how uncommon? From everything we have seen, we are talking about an incredibly small fraction of one percent of attacks that are successful.
Another part of the quote from the President of the company that sticks out to us is “businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur”. This gets to the idea of the “insecurity industry” because the expectation is that even though you have the “right technology” (that is, paying SiteLock or somebody else for a protection service) you should be assuming you are going to get hacked anyway. The reality though is that if you do the basics of security you can prevent most hacks (even ones that advanced security products fail to protect against). In some cases though, doing the basics won’t protect websites from hacks, in part due to things that SiteLock and other security companies are doing that they shouldn’t and things they are not doing but should be doing (like failing to determine how websites they are cleaning up have been hacked).
Part of the next paragraph after his quote is in line with selling insecurity as security:
Additionally, a website scanner can find malware on your site, helping to mitigate threats in real time.
If you are finding malware on a website you are past the threat stage and have already been exploited. Unless a malware scanner is running constantly, it likely wouldn’t help in real time, and we haven’t seen any evidence that any malware scanner is all that effective at detecting malware (SiteLock has promoted theirs with bogus independent testing). Selling people on the idea that detecting malware on a website isn’t an indication that a security product failed, but that it is working, is exactly what the “insecurity industry” is.
Beyond scaring people, another reason why a company would put out stats like this is to get press coverage, since journalists will run with this type of thing even if the data is of questionable value (we have seen plenty of instances where security journalists have run with wholly false claims, including from SiteLock). You might think that a journalist would notice that SiteLock is itself saying the stat isn’t meaningful here and not run with it in this instance, but that didn’t happen. Among them, the Washington Post ran with it with the headline “A typical small business website is attacked 44 times a day” and Tech Republic with “The average SMB website is attacked 44 times per day”.