In web design, there are things we must know about and must deal with whether we want to or not. One of those very important topics is digital security and how to protect our websites from hacks.
I didn’t understand digital security at all early in my journey and one of my worst experiences with it was when I got back from my honeymoon only to realize that my website had been hacked while I was away. It was embarrassing as a web designer who was building websites and it was the turning point for me in taking digital security VERY seriously for both me and my clients.
This podcast episode is what I needed to hear back then. Chief Marketing Officer of clean.io and digital security expert Kathleen Booth shares best practices and leading industry tips for keeping websites safe and protected from malvertising, e-commerce revenue loss, and standard website hacks.
I encourage you to learn from and apply what you can from this talk and offer even basic security in your hosting/maintenance packages as it’s more important than ever to keep our websites protected from all the bad things out there on the interwebs!
P.S. While this isn’t a “fun” topic, this interview was great! Kathleen made this a very lively and super interesting conversation.
In this episode:
04:00 – Greeting to Kathleen
05:36 – What is cybersecurity
09:55 – Three code categories
13:55 – None 100% trustworthy
16:51 – Where you host is #1
18:25 – CMS & theme are #2
19:20 – Plugins
20:31 – Updating on plugins
21:31 – Two factor authentication
25:52 – Malvertising
27:31 – Invisible ads
28:23 – Coupon code extension
32:08 – “Clean cart”
34:11 – Watch your KPIs
36:52 – Not a fair game
40:36 – Strengths of Clean
43:22 – Look for cyber experience
44:54 – Security training
47:26 – Ransomware
52:20 – Changing cyber to digital
53:05 – Where to find Kathleen
53:40 – Two podcasts
55:25 – Recommendation
Episode #127 Full Transcription
Hey, everybody, welcome into the podcast. This is Episode 127. And I’m going to tell you this right up front. I firmly believe every web designer needs to hear what you’re about to hear in this episode. This is something that I certainly wish I would have heard very early on in my journey, because I didn’t know anything about this subject. And it’s about digital security, and how to protect your websites from hacks. We get an inside look at what’s going on right now in the world of digital security. And actually, we go a level deeper, and we talk about digital engagement security, and you’ll find out what that is and how that’s impacting websites. No matter if it’s a simple brochure-style site, or if you’re doing complex e-commerce sites with a lot of functionality, every site is susceptible to hacks. And we as web designers need to do all we can to prevent that, and to protect ourselves and protect our clients.
For this talk, I am so pleased to bring in somebody who is definitely a bona fide expert in this industry. This is Kathleen Booth, who is the chief marketing officer with clean.io, which is a really interesting software that essentially protects websites from what’s known as malvertising. You’ll hear all about that. And e-commerce revenue loss. Did you know that browser extensions and coupon codes can be detrimental to e-commerce sites? You’ll find out in this episode, her expertise in both of these areas. And we talk a lot in this episode about just digital security in general, and some basic ways to protect yourself.
I’ll be honest, I wasn’t super excited about this talk. Because I hate this subject, you know, digital security is not my strong suit. It’s not something that I love diving into. But nonetheless, it was super important. And Kathleen, as you’ll find out, has a wealth of knowledge, she was so great. She definitely made this talk and this topic as fun as it could possibly be. And she was really engaged. And I really enjoyed getting a chance to talk with her. Again, this is something that I think every web designer needs to hear. And it’s certainly something I wish I would have heard back in the day, because as a quick story before we dive in, when I did not understand anything about digital security, I was on my honeymoon and, I may have said this in the episode, I’m on my honeymoon, I get back to work, and I’m getting ready to fire up my computer and start building websites again. And my website is blank. And I had been hacked. And it happened while I was on my honeymoon when I wasn’t, you know, looking at my website at all.
So I was able to get that rectified by using Sucuri. And you’ll find out a little bit about that service in this episode as well. But I had a lot of problems with websites getting hacked before I knew anything about digital security. I wish somebody would have told me what you’re about to hear in this episode. So get ready, take some notes, apply what you learn, and get ready to have as much fun as we can talking about security. You’re going to learn a lot. Now one thing I do want to say before we dive in. One thing to help security is first off a good host, and then keeping your plugins up to date. And the best way to do that for you and your clients is to offer a website maintenance plan.
If you are not offering a hosting and maintenance plan, I would love to help you get that going. I have my maintenance plan course open right now for you. It is my guide, and it exposes and pulls the curtain back on my maintenance plan. And I cannot wait to help you create a maintenance plan for your business so you can better take care of your clients. You can also build recurring revenue, add to your bottom line. But more importantly, in regards to this, you can keep your websites safe, secure, and protect them from malicious hacks and all the terrible things that are on the internet. And you’re about to find out more about how to prevent that kind of stuff. So here’s Kathleen, we’re going to talk digital security. Get ready to have some fun. Here we go.
Kathleen, welcome on to the show. It’s so great to have you on.
I’m so happy to be here. Thanks for having me, Josh.
Well, this is gonna be an interesting talk. And I know you have a background in web design and some web design business. And I’m sure you’ve seen a lot and learned a lot in your experience with that. And then what you do now, with digital security and the importance of it, and maybe some things that are happening right now that might be new. I’m really excited to pick your brain in this conversation, to share with my audience what we should be looking out for and what we can do to protect ourselves and our clients’ websites. Before we get to that though, do you want to let my audience know first, where you’re based out of and then what you do, because you just got a title change in your business, right?
Sure. So my office is in Baltimore, Maryland. I live in Annapolis, and I am now Chief Marketing Officer for Clean.io, which is a digital engagement security company, and I come to that from a long background as the owner of a marketing and web design agency, so I love this topic that we’re talking about.
Yeah, I’m really excited because I didn’t know about that. And before we went live, you let me know about that, which is great, because you have, I probably don’t need to fill you in on what we go through as web designers and as marketing agencies. So I’m really, really excited to dive into this. I think a great place to start would be to address what digital engagement security is, because that is a relatively new term for me. And I know that’s what you guys at Clean.io help out with. But yeah, what is that? What is digital engagement security?
That’s a great question. And you know, just a little context before I answer it. So after I sold my agency, I spent some time working as head of marketing for cybersecurity companies. And I had had some cybersecurity companies as clients when I did have my agency. And it’s an industry that I love, and I enjoy working in. But it’s really hard for me to understand, you know, I’m a marketer, I’m not a technical person. And so a lot of what I learned seemed very intimidating to me, but it also opened my eyes to something that I really hadn’t considered, which is that, you know, as marketers, we’re always taught that we own our websites, right?
Like, we say, we don’t own our Facebook page, we don’t own our Twitter, but we own our website. And unfortunately, that’s not entirely true. Like, we have a much greater degree of control over it than we do our non-owned marketing assets. But there’s a lot of third-party code that goes on our websites, whether we put it there, in some cases, and in other cases when we don’t put it there, that can affect everything from user experience to revenue, etc. And so digital engagement security is really that subset of this big category of cyber that has to do with giving brands greater control over the third-party code that executes on their websites, in order to allow them to effect better outcomes for user experience, brand and revenue.
Okay, so not only the website itself, which I use WordPress, all of my students use WordPress, I think. Some may hand code some things, I’ve got some folks who use Drupal or, God forbid, Joomla. Amen. I’m trying to make sure all of my students steer away from Squarespace and Wix and some of these other platforms where you really do not control anything, you don’t own a dang thing. I do want to talk about WordPress, but it sounds like digital engagement security is not just that, but if you add WooCommerce, if you’re adding third-party plugins, is that fair to say? It’s all the pieces in the puzzle that it is.
It is all the pieces, and it goes even beyond that to things that you didn’t even add in there. And I can explain a little bit more about that. But I think the way to think about this, to really make it very simple, is that, you know, historically, when you had a business, everybody’s selling the same thing, right? We all sell trust, no matter what our product or our services. Somebody isn’t going to buy from you unless they trust you. And historically, the way you established trust was when someone walked into your office or came into your store, or, you know, went to a meeting with you. It was this very like in-person physical experience, where people got a feeling, a vibe, right? I trust you or I don’t, and a big part of that trust was creating a good environment, a safe environment, a pleasant environment.
Now, that’s basically been replaced by somebody coming to your website. That’s your new storefront, your new office, your new meeting room, what have you. And our ability to replicate that same positive experience is so important. You know, they say you only get one chance to make a first impression. And so that’s really at the heart of digital engagement security. It’s all about, like, needing to protect those points of digital engagement that we have with our users, our audiences and our customers, so that we can, you know, create customers for life and build relationships that will drive revenue. So that’s kind of at the heart of it. But there are a lot of technical details that I can go into that describe it.
Yeah, I definitely want to talk about how to protect and what your service offers, and then also what we can do just practically for good protection measures. I do want to start out with some of the things that you are seeing as problems and pain points. I’d actually like to talk with you first about WordPress, because WordPress prides itself on being open source, something you own. I’m curious because maybe you don’t fully believe that. What are your thoughts on that? Is WordPress truly something you own? Or is there a caveat to that?
So if you bear with me, I want to take a step back and do a little context setting before I answer that, because I think it really leads into it. So when I think about digital engagement security, I think about three categories of code. There’s trusted code, untrusted code and malicious code. Okay, trusted code is the code that we have vetted, and we really have a lot of faith in, and we choose to put on our site. WordPress is probably a good example of that. Like, it’s a very well-known quantity. You know, there’s a lot of information out there about some of the security measures WordPress has taken to try to bolster its security, which is not to say it’s perfect. And so I’ll get to that in a minute to answer your question. But that would be an example of trusted code. Another example would be Google Analytics. We all put that script on our sites, right? And it’s totally trusted.
Then there’s untrusted code. And what I would put in that bucket is really a couple things. One is, when we build websites in this day and age, there are millions and millions of plugins that we can put on those sites, right? And some of them are really well-known quantities that we trust, and some of them you are taking a chance and trusting that the reviews in whatever marketplace you’re getting that plugin from are legitimate. And you know, you decide what your tolerance for risk is. But you know, having been in the web design business, I’ve seen plenty of things installed, some of which have been highly suspect. So that would be one example of untrusted code.
The other example of untrusted code, and this is one that I did not know about until very recently, when I joined Clean, is what’s called client-side injections. So what that refers to is the user that visits your website. And you might be thinking, like, what does that have to do with how I build my site? Well, you build your site, and you theoretically decide what code to put on there. But what I did not know is that when a user puts a browser extension in their browser, and I have a million of them, I’m staring at my browser right now, everything from the Moz toolbar to a color picker to Awesome Screenshot to BuiltWith. Probably if you’re in marketing or web design, you’re familiar with all these kinds of tools, right? These are browser extensions. And because the user has chosen to put them in the browser, it allows them an elevated level of permissions that enables them to do certain things on websites, whether the website has given them permission or not. And so if you think about how these extensions function, like a color picker, it goes in and it looks at the code behind, you know, elements on your site to tell you what the hex color code is. You know, and there are some very benign things like that. And then there are some that are a little bit more suspicious, even. So that would be a client-side injection. And I can talk more about that in a little bit.
And then so I talked about trusted code. I talked about untrusted code. And then the third category is malicious code, which is literally like cyber attacks, what we all think of as hackers. And that’s the one I think when people think about security and websites, that’s the one we all tend to think about first. But in some ways these less dangerous-seeming trusted and untrusted code issues are almost a little scarier, because we allow them in the front door. So to your question on WordPress, that was a very long way of getting to it. But to your question on WordPress, I would say WordPress is trusted code. But that doesn’t mean that it’s not ever going to present a problem.
So it was a year and a half ago, two years ago, when I was working as head of marketing for a cybersecurity company that tracked big, you know, threat actors. The US government, US-CERT is the organization’s name, released an advisory, which they only do for pretty big, big issues. And it was essentially a particular WordPress theme that I believe was being sold in the Envato marketplace, which, as I’m sure you know, is one of the most widely used marketplaces for themes, and trusted, right? And that theme was basically built by hackers in order to give them a backdoor into what turned out to be hundreds of thousands of websites around the globe to harvest PII, personally identifiable information. So you know, nothing is 100% trustworthy. Even the things that we’ve all accepted that we’re willing to take on as risks, something like a WordPress.
Well, that’s well said. And what a good point as far as the example of that theme that was built by hackers intentionally to hack sites, because I use Divi. It’s what I’ve used since 2014. A lot of my students, a large majority of them, are using Divi or Elementor, or some reputable companies that have really big themes. And this is one thing I talk about a lot on the show and a lot of my resources. When you buy a theme, you have to look at the company, and I’m sure that you’ll back me up on it. And same goes for a plugin. Don’t just install a free plugin without doing at least some basic R&D. Who made the plugin? Is it a company? Is it just Josh in his office? Like, who made this? And hopefully, you know, I have an established brand now to where the stuff I produce, which I don’t produce plugins or anything like that, so I don’t really have anything malicious to put out there, but you do have to do some research. I think that’s a really, really valuable early-on point here.
So with WordPress itself, and let’s just stick on that, because I agree, I always kind of thought of security as a clean website, and then hacks. And I had my fair share of websites where my client called me freaking out. And I look on their website. And this was before I had a security or maintenance plan. And I remember one time there was this, like, skeleton that was on fire, and it said, You got hacked by, you know.
An Asian girl, a teenage girl, took my homepage over when I had my agency and put her face on it.
So I mean, it’s just the worst. And I’m sure the majority of people listening are like, oh, yep, I’ve been there. Or maybe that recently happened. So that was the main distinction I always knew of. But the fact that there’s this kind of intermediate level of untrusted code is really interesting. I agree. I think that’s really, really important to combat against. So with WordPress, let’s stick on that. What are some of the biggest problems that you see in the digital security age now with WordPress in particular? Is it themes? Is it plugins? Are there other entry points that are pretty common where problems happen?
Yeah, in some respects, it’s all of the above. Like, you know, definitely, we already talked about marketplaces like Envato, which is a great resource. But as you pointed out, there are a lot of themes in there and not all of them necessarily come from highly reputable sources. And so…
Envato, they have a disclaimer that they’re not responsible, right? They don’t make the theme. They just provide the resources.
It’s a marketplace like anything else. It’s just like buying something on amazon.com. You know, you don’t know what you’re going to get, and Amazon is not vouching for it. And so, you know, when you get your theme, like you said, I think the theme is number one, right? Because if we’re building on WordPress, well, that’s not number one. Actually, that’s number two.
Number one is where you host. And so you know, I no longer develop sites on WordPress, I no longer develop websites in general. But when I was doing it, we used to always insist that our clients host on WP Engine, because it was purpose-built for WordPress, you could get a person on the phone if you had a problem. Literally, they take constant backups of your site. And so when your site homepage is taken over by a teenage girl, you can press a button and restore it, which is what we did. You know, so I’m not saying that’s the only choice. But I think the number one thing is where you host, right? Because your host is going to have a huge impact on the security of the server where your website lives. It’s going to have a huge impact on your ability to recover your website if a problem does happen. And let’s be honest, right? There’s no foolproof solution for keeping your website from being hacked. I mean, with things like Colonial Pipeline getting hacked, and the US government getting hacked, like, the rest of us really don’t have a shot if those organizations are being compromised.
So I almost think you have to go into it assuming at some point your site will be compromised, and plan for that in a way that you can quickly recover. And so that’s why I think the host is so important. And having, like, human customer service, instead of having to submit a ticket and wait three days. And, oh, looking at how often the backups happen. And if you have major security needs, like maybe go on a dedicated server instead of a shared server. You know, those are some of the things that I think people need to think about. That’s the hosting.
Then it’s the theme. Well, then it’s really the CMS, like, is it WordPress? Is it another CMS? And there are, you know, that’s a big choice that you need to make, and some CMSs are more secure than others. None of them is foolproof, again. And so I had this battle when I was at my first cybersecurity company, where I came in as head of marketing. And our blog was on Blogger, and I was like, What the heck, are we in the 1980s? And the guys who ran our cybersecurity team said we have to keep it there because that’s, like, the most secure thing, and we couldn’t possibly go to WordPress. And we wound up figuring out a way to go to WordPress and making them happy with some of the other things I’ve talked about, like hosting and dedicated servers, but like, nothing is foolproof. And so yeah, looking at the CMS, doing your homework there. So hosting, CMS, theme. We talked about that already. Plugins, plugins, plugins…
Like, that’s the killer. Yeah, that’s the killer. For anyone who’s new into this and maybe a little confused or feeling overwhelmed, the big thing about plugins that I found is, not only are they numerous, every site is generally going to have quite a few different plugins, even if they’re vetted. The problem is if you have Gravity Forms as your form plugin, and then it gets hacked, if their source code gets hacked, if you don’t update that when they release a patch, that’s the problem. A hacker could get hundreds of thousands of sites, and we’ve seen that happen all over. I mean, I don’t know if there’s any stats on if hacks have increased in number over the past couple years or what that looks like, but I try to keep a pulse on some of the big ones. And I know some of the tools, luckily, the main tools that I use, I don’t think have had any big breaches, and if there were, they released a patch pretty quickly. But some of these untrusted plugins, going back to your point earlier, that’s where the big problems lie, it seems like.
Yeah, I mean, there are so many plugins out there, and it can be really hard to decipher which ones are trustworthy, because just like any marketplace, you know, fake reviews abound everywhere. And, you know, you raised a great point about updates. And that has to do with not only your plugins, but your theme as well. And making sure, that’s what I used to see when I ran my agency, one of the biggest issues was companies that didn’t run the updates when they came out. And so a tool that I liked back in the day, I don’t know if it’s still around, or if it’s still even a great solution, but we always used ManageWP. Yeah, it’s a great platform that’ll alert you when there are updates. And you can just push a button, and it just puts it in. And it’ll also tell you when you have plugins that are risky, at least, you know, that it knows of, and so it will disallow some of those. And WP Engine, I think, does the same thing. So you know, there are tools out there that can help with this. But yeah, plugins are a huge problem. Script, in general, is a huge problem. Those are all big deals. And that’s just what you can control. And then I should actually add, before we kind of round out what you can control, logins. You know, use two-factor authentication.
Your authentication or single sign-on or, you know, whatever method you can use to ensure that your passwords are going to be complex, and somebody can’t just steal a password and get in. They need to have some sort of other measure of verifying their identity. That’s really important.
And then with passwords, there’s also not only the password to get into the website to log in, but there’s the passwords to the hosting company, to the cPanel, your own cPanel. There’s FTP access, if you’re going right into your files. Those can get compromised as well. So there are quite a few different levels of passwords as well. I always use the analogy, going back to when I worked with clients, they would be so confused about hosting and domains and website names and all this stuff. I found, just for everyone’s reference, explaining it like a house always seemed to resonate with people, because I would explain hosting like where the house is going to be placed.
Right? The plot of land.
Yes, the plot of land. Like, I’m outside of Columbus, Ohio, we’re in a nice neighborhood. This is a good host for our house. If I go into the inner city and go into, like, the harshest part of a ghetto, that, you know, rough area that we have, if I get some land there, that’s like GoDaddy hosting, that’s a bad host. You are just asking for having somebody break in or some problems going on very quickly. WordPress would be the foundation, maybe the frame of the house. The theme would be the actual, like, house builder, like what type of builder we’re using for the house? Is it going to be a cheap builder? Or is it going to be a really good, reputable builder? Then come in plugins, which would be your appliances and stuff like that. And CSS is the color. So that was the way I tried to explain it to clients. Hopefully, everyone can take that analogy and pass that on to clients as well if they’re confused about this, because I think that’s the number one distinction. I love that you started with hosting, because that is key, that’s the biggie. WP Engine, great option. I still use SiteGround. I’ve been using them for years. There’s some other good hosting options out there now, too. I used to love Bluehost. And I’ll just tell you a quick story. I got married in the spring of 2015. When I got back from my honeymoon, I went to log on to my site and my site was white, and it had been hacked. It got hacked, like, the last couple days of my honeymoon. I didn’t even look at it or anything because we were on that. And yeah, it was pretty bad. Now, I wasn’t getting a whole lot of traffic. But I did have clients wonder what the heck was going on.
It’s embarrassing. Especially when you’re the agency that develops websites. That’s why when it happened to me, I was like we have to fix this right now.
Yeah, that was one of the major events that prompted me to get serious about security and start a WordPress website maintenance plan. Long story short, I was on Bluehost. And I found out that they had been sold to EIG or whatever company that had purchased, like, a bunch of hosting companies, and they all went downhill. So yeah, hosting is really important. Are there any other tips on what we can do, or what we should look out for? I mean, I think we’ve covered a lot of them, but maybe talk about extensions. I didn’t really think that extensions were that big of a problem. But yeah, what are some of the issues with extensions that you’ve seen?
So I mentioned two things that kind of get to the heart of, like, what we’re doing. And I would say we’re in the early stages of building out what long term we see as, like, a really robust platform to help people get better control over what’s happening on their site. You know, we started in 2017. And our first product was an ad tech product. And this is another example of third-party code. If your website runs advertising, most advertising today is delivered programmatically, which means it comes in through demand-side and supply-side partners. Essentially, these are exchanges. And so the advertiser places the ad, and then it goes through a series of exchanges. And then, based on whatever set of rules you’ve created for targeting, it lands on your site.
You often have no idea what the ad is going to be. And so you know, our code lives on page for more than 8 million websites around the world. We protect some of the world’s largest online publishers from malicious advertising, which is also called malvertising. And you’ve experienced it, right? Like, you go to a website, you click an ad, and all of a sudden a pop-up comes up, and you can’t get rid of it, or you’re trying to get enrolled into a sweepstakes or a Bitcoin scam, or, you know, there’s a lot of different ways that happens, or you get taken to a pornography site. We protect against that. And that is another form of third-party code. And so that’s pretty specific to people who take ads on their sites, but, gotcha, the number of websites that are doing that is really growing.
The worst is when you accidentally do it, like aramet. Like, sometimes if I’m on a news article or something, I’ll be flipping through. And then, of course, my thumb just happens to land on this shady Bitcoin ad, and then I’m directed to a pop-up, like, Oh, crap, and I’ve got to try to get out of that. It really is, what, uh, gosh, what a just skeezy type of industry, that they can do that.
Yeah, it’s a terrible user experience. And that goes right back to the beginning of what I was saying, like, if you can’t control the third-party code in your site, what’s at risk is your user experience, your brand and your revenue. So in the case of publications, or websites that accept advertising, that’s revenue for them, right? And so, you know, if they have to shut down malicious ads, they, our product allows them to still monetize them. But you know, if you have to just exclude those, you’re not going to get paid, right? And if you have bad ads on your site, your users are going to start to churn. They’re not going to come back because they had a poor experience. And let me just tell you, malvertisers are some of the most sophisticated performance marketers in the world.
It’s not just that these ads get through. They’ve gotten so smart. We were just talking about this yesterday in my office, there’s something called ad stacking, which is when they place invisible, basically transparent ads, and they’re all over the page, and you don’t see them. So you may not actually have clicked on, you know, your thumb might not have accidentally landed on a Bitcoin ad, you might have actually clicked an ad that wasn’t visible to the naked eye. And then it’s taking you to this other place. And so it’s pretty amazing how they’re able to skirt around the control mechanisms that a lot of websites put in place.
But so that’s how we started. And because our script sits on page for so many websites, and we’re looking at third-party code, we started to notice this problem with extensions, which is what you had asked me about. You know, at first, we were like, what is this other code injection? And, you know, one of the biggest types of extension that is injecting third-party code is coupon extensions. A lot of us have them. I’ll admit, I had them, you know, the most common ones being Honey, Capital One Shopping, what used to be called Wikibuy. They seem great, right? Like, you go to a website, and you put something in a shopping cart, you’re going to shop, and all of a sudden they say, Hey, we think we can save you money. Who would not want to do that, right? And why is that a bad thing?
Well, it’s a bad thing. Because the way those extensions work is, if I have it in my browser, and my favorite retailer sends me a discount code, maybe I’m a VIP customer, and they’re trying to get me to come back or reward me. And they give me a specific code. That’s meant just for VIP customers. If I type that into the promo code box at checkout, the extension is going to scrape that, and then share it with everybody who uses the extension, whether they’re a VIP customer, or even if they’ve ever bought from this business or not. And so, for the retailer, it’s a huge problem. Because I mean, again, we’re marketers, it’s not just a hit on their revenue. It’s a massive attribution issue. Because yeah, we set these codes up for specific campaigns. Maybe I’m advertising on a podcast and sharing a code. Maybe I’m doing affiliate marketing, and giving my affiliates a code. And here’s where it gets really scary. Maybe I’m paying my affiliates a percentage of the sales they drive using that code. All of a sudden, if those codes are getting out into coupon extensions and then being stuffed in a checkout, basically by a bot, not only can I not trust that the code really drove those sales, I could be way overpaying my affiliates for sales they didn’t drive. So it’s a huge problem. And
I could see really quick, I mean, I do things on a lower level of course, you’re freaking me out now, because I totally have a bunch of promo codes. And I have a special discount code for all of my students, when they join a course they can use that for additional courses. So we might have to have a follow up conversation about this because yeah, this is like a live case study of me freaking out. But yeah, because there’s so much to that. And I was just thinking, I can pretty much control, like, I know, I can oversee my affiliates right now at the level I’m at. But as things grow, and as things scale, and for a company that has thousands of affiliates, I can see that just being an absolute nightmare. And a revenue sucker, like you talked about. Like, I think about Elegant Themes. They’re my top affiliate, I’m an affiliate for them. They’re my top affiliate income, they do millions of dollars for affiliates, I can’t imagine how they track that. So gosh, the importance of this, I think cannot be understated.
Well, and imagine the friction it causes, because we have one customer that has a big affiliate program. And they had to actually put a pause on the whole program, because their codes were leaking to the coupon extensions. And every time that happened, they’d have to call the affiliate, or they had customer evangelists too, they’d have to call them and be like, hey, the code we gave you leaked, we need to issue you a new one. And then you’re asking your brand ambassador to go to their Instagram or their website and their emails, wherever they’re giving out this code, and replace it with a new one. And you have to do that every single time the extensions pick up on the codes. It’s a massive point of friction, and it’s a disincentive for that affiliate to stay engaged in the program. So it’s a very multi layer problem.
So the two main products that you guys have is the clean ad, which protects against the malvertising. I love that phrase, by the way. I don’t know if you guys coined that, or if that’s just an industry… Oh, it’s a term. Yeah. Okay. And then clean cart? And how does clean cart work? Does that like block and protect against Honey? Or was it honeypot? Or whatever the different browser extensions are? Does it like, block, prohibit them? Or how does that work, exactly?
So it’s for e commerce brands. And basically, what it does is, it prevents, right now just Honey and Capital One Shopping, which represent the vast majority of coupon extensions that are used, it prevents them from auto injecting codes at checkout. So it doesn’t prevent a customer from typing a coupon code in. And it also doesn’t change the user experience, because that’s so important on e commerce sites. Like Honey, for example, has a default state where if there isn’t a code that is valid, if it tries codes and it can’t find one that’s valid, it’ll just say you already have the best deal. And so the way our extension works is basically that’s what a user will see when they try it. And so it prevents that auto injection. And what happens is that these coupon extensions have some AI behind the scenes that watches like, hey, how often is this code successful? And if a code is attempted a certain number of times and isn’t working, it deprecates that code, it takes it off of its list. And so what we find with our customers is that, because we’re blocking auto injection, not only are we solving the immediate pain point of, you know, revenue reduction and attribution problems, but over time, the extensions stop feeding that code out to the world. And so it solves it from that angle as well.
Gotcha. Gotcha. Yeah, I was really curious about that. Are there any practical things that we could do from that perspective of like having a promo code or a discount code? Is there anything that somebody like myself can do if we have a smaller ecommerce type of shop or a course-creation type of website? Like, are there any basic principles that we could apply? Is it just not to have promo codes, or to do something else? What would be some of the tactics you would recommend?
Oh, gosh, well, I am not anti promo code. And I definitely think they’re an important part of the marketing mix. So I wouldn’t say stop using them. My advice, more broadly, is really that you have to be watching your data, right? You have to be looking at your KPIs for your website, consistently. No matter what kind of business you’re in, whether you’re selling courses, or you’re selling tractors, or you’re selling sneakers, right, it doesn’t really matter. You need to be watching your KPIs. And, you know, most of our customers who have coupon code issues, they come to us because they are watching the data. And what happens is they see a sudden spike in usage of a particular code, and they can’t track it back to like a campaign or something, you know, like none of their affiliates happened to post anything recently. And so, if you’re keeping a close eye on your metrics, you will probably spot some of these issues.
Like, you know, obviously we have a product that helps solve this, but not everybody is going to be the right fit for it. And so if that’s you, whether it’s, you know, you don’t want to pay for it, or whether we don’t protect the platform that your site is built on, the number one thing is really watch your data and look for anomalies. And when you find them, you know, when it’s specific to coupon codes, for example, most of these coupon extensions, you can get them and put them in your browser and go to your own website and test and see what comes up. Or a lot of them, if you go to their websites, like Honey on its website, you can go there, and it’ll tell you like how many codes it has and what the average savings is. So you’ll know if you have a problem that’s specific to your site. And then this is where it gets a little tricky. You can write to these companies and ask for your codes to be removed. They will not always agree to do it. It’s a little bit akin to the complaints people have had about Yelp over the years, where restaurants get a bad Yelp review, and they call Yelp, and maybe it’s a bad review from like a disgruntled employee, and they call Yelp and they say, Hey, this is not a legit review. Can you take it down? And Yelp says, Well, we would love for you to advertise with us, right? Yelp is famous for that.
That happened to a pizza shop, a local pizza shop I worked with. He was kind of more of a paranoid guy anyway. And he was like, I know this bad review was from this competitor pizza shop across town. I just know it. So I think he did the same thing.
Yeah, that’s clients. And this was really frustrating. And I’m hearing the same things from e commerce companies that say, you know, we’ve written to Honey, for example, and told them that the code they have is for, you know, it’s an employee discount, or it’s a wholesale code that retail customers are using, can you please take it down? And Honey will say, you know, join our affiliate program, and we’d be happy to give you more granular control over your codes. And really, it’s like, I hate to use the word extortion.
But oh my, that’s what I was thinking.
I mean, then you wind up paying Honey every time somebody uses it on your site. So it’s, in the end, like, look, it’s not a fair and balanced game. Honey is owned by PayPal, PayPal paid $4 billion for Honey. Capital One Shopping, which used to be Wikibuy, is owned by Capital One. These are companies with massively deep pockets that don’t have a lot of incentive to work with the little guy to fix tiny issues. And so it’s incredibly frustrating. And I hate to say it, but like, that’s why we exist. If Honey just created a mechanism where a business could write in and say, please take this code down, then we probably wouldn’t even be around, because, you know, businesses would have the control they need. But unfortunately, they haven’t been given it.
Gotcha. I’d love to, I don’t know if this is kind of outside what you guys have specialty here or really good experience with, but content and the protection of content. One of my courses was ripped off. I hired a company I was paying 300 bucks a month for to track down, you know, this course that had been distributed illegally. And they did work, they were able to get a lot of them down. But it just seemed like month after month, more would pop up. There’s this incredibly scammy, shady part of the internet that just distributes this kind of stuff. And what I kind of realized, and I’d be curious to get your thoughts on this, is that I’m just going to do a better job at branding, and sending links back to my stuff in all of my content, and watermarking stuff better. That way, inevitably, when stuff does get out, it pulls people back to my actual site. Like I kind of realized, I don’t know what I can do about that. Like you said earlier with security, there’s never a 100% guarantee you can protect something. I feel like it’s kind of the same thing with any type of copyrighted material.
No, what you have to do is get an attorney as a client and have a good barter going, so that you can have them spin up a cease and desist every time that happens. But no, it’s a huge issue. We don’t protect against that. But I ran into that as well when I had my agency, and it’s a problem.
Yeah, do you know if there are any basic things to protect against that? Or is it one of those things where it’s likely just going to happen?
I wish I could say I knew of a good solution, but I don’t. It’s a good business opportunity there for somebody.
There is a follow up question to that, which is weird, duplicated content. And what I mean by that is I was a guest on Pat Flynn’s podcast, Smart Passive Income. And after about a week or two that it was live, I just googled to see what came up. And there were all these different versions of the same article that they published on their website. But the name was different. They would call me like Jeremy Hall or John Hollis, like weird stuff, same article, same images that they posted. It was just different names, and stuff was slightly different. I guess maybe a similar question. Is that in this world of stuff that you guys have an eye on? Or is that just a whole different side of cybersecurity? That is like, what can you do about that? I mean, if Smart Passive Income couldn’t protect against that, I don’t know what chance I have, or some of my audience have.
Yeah, I mean, I think the direction that we’re going probably won’t cover that, only because, well, I shouldn’t say that. If we were to cover a risk like that, we would come at it from the direction of how can we prevent something from really being taken off the site in the first place, because our whole strength is really giving brands control over what happens on their own websites. And so we’re definitely more looking at like, what happens within that walled garden, within your plot of land, going back to our house analogy, as opposed to somebody building a similar looking house down the street. That’s not necessarily where we’re really strong. We are strong in protecting the piece of land that you have purchased and making sure that you control everything that happens on it.
It makes a lot of sense. And I asked that because I was just curious what your take was on that kind of thing, because it does seem like everyone I’ve talked to, nobody has an answer for it. I mean, there are plugins where you can disable right click and all this stuff, but some other people in my web design club, my private community that I run, we were having a discussion about this. And some of them, like the most tech savvy people in there, were like, at the end of the day, if somebody wants to get into your website and get something, they’re going to figure it out more than likely.
Like hire the person who works for Getty Images, who tracks down… Like, I don’t know if you’ve ever gotten a Getty Images letter where they’re like, you used a picture that we sell. I got one of those. And it was a picture that had been used on our site like seven years before. And I had a hell of a time tracking it down. Like, even if we legitimately purchased it, I don’t know how I would have found a paper trail for it. But I was like, man, hat tip to Getty Images for really chasing that down. And so, like, steal whoever works for them and get them on your team.
That’s true. Years ago, I was helping out a church. And I put this video together and I just used some music that I had on my iTunes that was like instrumental with no lyrics, just for the background music. And we posted it on Vimeo, and not two weeks later, the manager of this band or the attorney for this band came back and said, “We found this, you’re using our music online, it’s a cease and desist, you must take it down right now. We know you’re a church, but there will be legal implications if you don’t,” and I was terrified. I had just gotten into the design and media world and I was like, Oh my god, I’m gonna get my church sued, my pastor is gonna lose his job. I was so worried. But no, it really is.
I know it’s a bit outside of what we’re talking about. But I just wanted to see what your take is. In regards to hacks themselves, again, something a little outside, but I would love, being that you have experience as a web designer, you know, with a web design agency and stuff, what’s your take on Sucuri, and some of these companies that will remedy a hack situation? Because I always partnered with them for that kind of thing. And it did work out well. But going back to the idea of clean versus, maybe, untrusted code, are there issues with some of those companies that fix hacks as well?
You know, I mean, I would say my approach to this has always been, because I tend to work at, I owned a smaller company, I think my agency at its largest had 13 employees, and I work for startups. So I never worked in huge corporations where there’s an internal IT department. And so my approach has always been to find a really good outsourced managed services provider that can help with anything IT related at my company. And what I would say is that in addition to, like, you know, setting up people’s laptops and troubleshooting the server, look for a company that does have cyber experience. It’s usually classified as an MSSP, managed security services provider, you know, that has that cyber experience, that can help you with the computer stuff, but also with some of the security things. Because then you have that on call help.
But I think this also does go back to the host and the ability, like, how often is it taking backups of your site? You know, that was one of the things that I used to like about WP Engine, not to plug them, and like I said, there are lots of solutions. But they take really, really frequent, like multiple times per day, backups of the site. And if something happens, there’s a one click restore. It was really simple. Like I could go in on a self-serve basis and put my site back together.
So I think you have to look at the hosts, you have to have a good IT resource who’s going to watch things for you. And then the other thing I would say is that with hacks in general, I learned this and it was really driven home to me when I worked in cyber, the biggest point of vulnerability actually isn’t your technology. It’s the human beings in your company, and the choices they make. And it’s, you know, everything from people writing their passwords down in a notebook and losing the notebook, to, you know, bringing their laptop home and leaving it in their car and then it gets stolen, to going to work in a coffee shop and using public Wi-Fi. You know, there are so many different ways that the people in your company become your greatest point of vulnerability. And so the other thing that we haven’t talked about that is important is just invest in putting every one of your employees through security awareness training. There are so many providers that offer it now. It’s all online, it’s not expensive, you know, and you can have people go through it. It’s like, watch a bunch of videos, take a little test. And that’s how the choices they make affect the company’s security and vulnerability.
I was gonna ask, do you have any good resource that you want to plug or recommend for basic type of cybersecurity training? Because I think it’s very worthwhile for me and my audience to go through. And also, the other aspect that we have to consider is our clients, because they’re gonna post on their blog and update their site. And that’s a whole nother level of basic security that they need to know. They probably can’t set up their profile with password1234 as their password.
Yeah, I mean, in terms of security awareness training, there’s a great company here in Maryland that operates nationally called KnowBe4, it’s K-N-O-W, the letter B, the number four. They do awesome online training that’s accessible really to anyone. I’ve gone through it as a user, and I found it really helpful. You know, and as far as MSSPs, managed security services providers, I would find somebody local to you. Like I said, find an outsourced IT company that has a good reputation, that you know cyber is one of the things they help with, and just form a relationship. It’s good to have that kind of a resource, regardless of what kind of business you’re in. And if they’re local, you know, they’re close by if there’s a problem, and if they’re in your community, I think you’re going to get a better level of service.
Yeah, that’s great. Well, I’ll link that. I’m checking it out right now, that looks pretty cool. We’ve covered a lot of good stuff so far, Kathleen, and we’ve talked a lot about the main problems that we see in web design, and the difference between the problems with malvertising, and then also with cart discount codes and some of these extensions. We’re talking about a lot of ways to protect ourselves, both practically, that we can do for free, and some services we might want to hire out or partner with. I would love to find out from you, and I’m gonna kind of put you on the spot: have you, or could you explain maybe one of the worst situations you’ve seen, as far as whether a site was taken down, or if it was a problem with an e commerce site? And how, if you were able to help them with either clean or any other company you were with, how did you help them through that? I’d be very curious to see what you’ve seen.
Well, I mean, I’ll tell you, I’ll say two things. The worst situations I’ve seen are situations I can’t do anything about, which is ransomware. That’s the ultimate nightmare. Because that isn’t a matter of just hitting the restore button. That’s paying ransom. And we’ve seen that play out nationally in our country. And unfortunately, it’s a problem that’s not going to go away. And that’s where that security awareness training is so critical, because for a lot of ransomware, the entry point is employees. And so I can’t help with that, sadly. I wish I could. I would be a billionaire if I could figure out how to solve that problem.
But where we have helped, you know, there are a couple things. You know, we do focus specifically on coupon extensions, and then on the malvertising on the other side of our business. With malvertising, you know, our team is amazing. And they’ve tracked down and identified certain, what in cyber terms are called threat actors, basically the bad guys, who are running just hundreds of thousands of malicious ads through programmatic ad exchanges, and we’re able to stop them in real time. And, you know, some of our customers are actually the exchanges themselves. So they’re the ones that are feeding ads onto thousands of websites around the world. And that’s work that I think I’m really proud of, is that when we’re protecting an exchange, we’re stopping the problem at the source. And it never even gets to the publisher site in the first place, which is, you know, the exponential effect of that is really amazing.
On the coupon side, we’re still a young company in that area. Our product came out of private beta in March. But we work with some large and small ecommerce brands. And some of the smaller ones are where I’ve really enjoyed seeing the effect of our work. And so one of our customers, this story, we haven’t even published anything on it yet, but we’re getting close to, so I’m going to kind of give the high level version. We have one customer in e commerce who was doing a lot of affiliate marketing and working with a very well known affiliate marketing platform that is used throughout the world. And they were using our product to block coupon extensions. But they were still getting a really big bill from their affiliate marketing platform for sales that Honey was saying it was driving on their site, and they were like, how is this happening if you’re blocking Honey? And we went in behind the scenes, they gave us access to, you know, their site and the back end, and we were able to discover how Honey really works, which is that when you use it at your checkout on a website, and you say yes, put the promo codes in, Honey isn’t just putting information into that checkout form that you’re on. It actually opens up an invisible browser that the user can’t see. And it replicates the checkout. And it tries to test the codes there. And while it’s doing that, it drops a cookie that claims attribution for the sale, then it sends that customer back to the original checkout. And it effectively overwrites whatever original source attribution that customer came in through. And so what was really interesting is that because it dropped the cookie and was claiming attribution, it was claiming attribution for sales that were completed where we were blocking the coupon codes.
So there’s no logical way to claim that in this case, Honey was responsible for that sale, because the person didn’t get a discount. But because this company had an affiliate relationship with Honey, they were still having to pay them a commission on all of those sales. And so we were able to go in and take screenshots of code and do screen capture videos on the back end to show exactly, like in developer mode, what was happening. We gave that to this customer of ours, and that was then what they needed to go back and petition, essentially, through their affiliate platform to get either a refund or credit on tens of thousands of dollars per month in affiliate fees that were not earned.
Wow. Well, I can’t imagine. I mean, I’m sure it is gratifying in a much different way than web design, where, here client, here’s your new website, it’s a little more like, you know, rainbows and happy signs and happy things when they see something new. I think your guys’ type of work is so valuable in that regard. Because a lot of it’s preventative too. It’s like, by the way client, we may have just saved you hundreds of thousands of dollars, because we stopped this problem with this coupon code or whatever it is. So that’s awesome, Kathleen, I love hearing, you know, some situations like that and how you were able to help them through. I imagine that is really gratifying. I know, early on, you said you enjoyed this cybersecurity stuff. I hate it. I hate this stuff. So it’s why
That’s why we call it digital engagement security, by the way, because if somebody says cybersecurity to me, I kind of roll my eyes, and I stop listening. And so we’re not calling it that. We’re calling it something else that is more meaningful to a marketer.
Well, that’s what was really interesting about that. And I’m probably going to change the proposed title for this episode, too. I might call it website security, or maybe just digital security, because, yeah, with cyber security, you think about your computers and Wi-Fi and anything else that might be a factor, which is similar to your service. It’s like, you can only control what you control. There are all these elements as well. I do have one final question for you. I’d love if you could just let my audience know where to find out more about you. And is there a certain place you’d like them to go? Is there like a resource that might be good for them to check out? Where do you want everybody to head after this conversation?
Sure. Well, our company name is clean.io, which conveniently is also our URL. So it’s really easy to remember. And that’s where you can find information on digital engagement security, as well as our two products. And, you know, certainly a little bit more about me on that site. And then if you have questions, or you want to connect with me, I’m a big LinkedIn user. I’m very active there. And I’m happy to connect with anybody who wants to reach out and send a request.
I’ll definitely plug those links in the show notes. And then you have a podcast too, right? Is that related to clean.io? Or is that something different?
So funny enough, I have two podcasts. I’ve been the host of the Inbound Success podcast for four years. That’s not related to clean.io. That’s something I started when I had my agency, and it’s all interviews with top performing marketers who are getting amazing results. And I really try to break it down to stuff that’s actionable for listeners to do to replicate that kind of results. And then recently, I took on the job of hosting clean.io’s podcast, which is called AdOps All Stars, so people who are in advertising operations, we interview them and shine the spotlight on their careers and their day to day and the challenges that they face.
Awesome. Awesome. Well, I’ll link to those too. That sounds really cool. Yeah, yeah. I can tell you, you’ve got some podcast experience.
I love podcasts. It’s so much fun having these conversations. It’s just, it’s really interesting. I learn a lot and hopefully I’m sharing information that’s helpful to other people.
No doubt. And what’s really cool, I really appreciate you sharing and kind of pulling the curtain back behind what you guys have seen, because I see things on a lower level. I’m always curious about what’s going on with bigger companies, with bigger agencies and stuff at scale, because again, I just can’t imagine trying to manage coupon issues at scale with a big e commerce brand. So that’s some fascinating stuff. We’ve covered, again, I think we’ve gone over a lot of good protection methods and talked about the importance of all this. My final question for you is for somebody who is maybe earlier on in the journey, and they just want to learn how to build websites that are nice and can convert, and maybe they, you know, they know the importance of security, what is maybe the most important thing that they should focus on? And we’ve talked about a lot of them. But if there’s one that has a little more prominence, what would you recommend they focus on from a digital security perspective?
I would say it’s a combination of two things, actually, that go together. One is understand all the code operating on your site. And the nice thing is, there are actually, funny enough, I’m going to recommend a browser extension. But BuiltWith is a simple one. Get a BuiltWith plugin in your browser and go and look at all the code that’s on your site. And then the second half of that is then do your homework and really see if the companies that have created that code are reputable. I think if you just do that, you’re going to be so far ahead of the game.
Awesome. That’s great. That’s a great little tool. I had heard of it before. But I don’t know if I’d ever really seen it or investigated it. So we’ll link that in the show notes as well, builtwith.com it looks like. Yeah, that’s great. I think that’s really sound advice. Because again, going back to themes, plugins, whatever, it’s not the tool itself, it’s the people behind the tool. That’s what you really need to investigate. So, Kathleen, thank you so much for coming on, and for sharing some of your expertise in this. I really did, you know, it wasn’t a conversation that I, again, it’s not my favorite thing to talk about. But I know the summit. So I appreciate you making it fun. And I learned quite a bit on this. And I’m definitely challenged. I think it’s always good to get a bit of a kick in the butt on this kind of stuff to really think about it, because I get doing my own thing, and sometimes I forget about security, or those measures like changing logins or things like that. So this was great. So thanks so much for sharing a lot of your expertise in this.
It’s my pleasure. Thank you for having me.
All right, Kathleen, talk soon. Thanks again for coming on.
Episode presented by:
Learn how to build recurring income RIGHT NOW by offering your own website maintenance plan!
• Put an end to the "feast or famine" of web design
• Create consistent, stable, recurring income for yourself every month
• See how to craft your own plan that's based off of what has worked for me
"Now my maintenance plan is right on target. Not only has it paid for itself but it pays for itself each and every month. It was the perfect investment for my business. Thank you Josh for putting this together and teaching it in a way that anyone could follow!"