Web Hosting Interview - ScanAlert March 2005

KEN LEONARD: Consumers' concerns about the security of shopping online have long been one of the biggest problems slowing the growth of ecommerce. We saw the need for an independent and trusted certification authority and trustmark service to address their concerns In the spring of 2002, we started selling HACKER SAFE security certification as a subscription service.

ScanAlert makes web sites secure from hackers and then certifies it to their customers through the HACKER SAFE trustmark service. We certify customers to a level comprised of government regulations and industry standards such as the credit card industry's Payment Card Industry (PCI) requirements. We do this by conducting comprehensive daily remote security scanning after which we work with the site owners and web hosts to close any holes we find. We give customers a rolling 72 hour window to close holes. Assuming that they do, we then certify in real-time the site's security status by serving a date stamped HACKER SAFE certification mark on the web site.

What separates ScanAlert from other companies who've tried to duplicate what we do is that our technology is more mature, which is clearly evident by the fact that we protect over 60,000 sites in 30 countries, and our technical support is provided by CISSP certified security professionals.  Also, we're accredited by a variety of organizations including SANS, Visa and MasterCard. HACKER SAFE is the world's most widely used site security trustmark, protecting millions of online shoppers each day.

More than 125 HACKER SAFE sites have run A/B tests, where half of their visitors are allowed to see the certification mark while the other half are not. On average, sites recorded 14% more online sales from buyers who saw the certification, compared to the control. Regardless of the product or price point, average order value, the customer demographic, or the site's brand equity, sites recorded more sales due to certification, from as low as 3% to as much as 40%. Even well known national brand chain stores saw a 5-6% sales lift.

The takeaway from the test data is that customers, even if they are repeat buyers, think about security when shopping online. Given a choice between shopping at a HACKER SAFE certified site or the same site without a certification mark, consumers overwhelmingly opt for the peace of mind the trustmark provides.

Because it has such a positive effect on online sales, HACKER SAFE certification is on sites like Linens and Things, Dick's Sporting Goods, Musician's Friend, Ritz Camera, The Sports Authority and tens of thousands more.

KEN LEONARD: I founded TABnet in 1995 when domain registration and web hosting were just starting to take flight. I hired Mick Doherty to head our sales team and we grew very quickly. When Verio acquired TABnet in December 1998, we had more than 210 employees. After the acquisition, I became president of Verio's web hosting division.

In 2001, Mick and I started talking about common problems facing online retailing. Two of the more obvious ones are securing web sites against hackers and consumers' concerns about the security of online shopping. We conceived ScanAlert to address both issues.

KEN LEONARD: Our unique position in the market is that we make web sites secure against hackers and then certify it to their customers. HACKER SAFE certification combines a very comprehensive daily vulnerability scanning service with an independent trustmark whose display we control. ScanAlert acts as both an IT security service vendor and an independent certification authority.

We help our customers maintain the highest standard of security, and then we test and certify that security level every day. Consumers simply are much more likely to buy when a web site's security has been certified by an independent entity.

HACKER SAFE isn't just a jpeg you drop onto a site; it is real-time security certification. When a visitor to The Sports Authority's web site, for example, sees the HACKER SAFE certification mark, they see an image served through Akamai that originated from our system. When the page loaded, The Sports Authority's site made a call to our certification database to find out whether it, at that moment, met our security criteria. As long as a site has no known vulnerabilities, we certify it as HACKER SAFE and the visitor will see a date stamped image served in real-time.

As I noted earlier, one of the really interesting points about HACKER SAFE is that it has been proven to boost online conversion rates. Those A/B tests were run using more than 8 million online consumers so the data and tests results are statistically valid.

KEN LEONARD: To become accredited by MasterCard International as a scanning assessor, companies need to demonstrate their technology in a live test that involves scanning one or more servers. If you can find all the vulnerabilities, you pass.  We were first accredited in October 2003 and MasterCard has announced that everyone will have to requalify, starting in April 2005. By emphasizing web application vulnerabilities much more in the new test standards, MasterCard has made it much more difficult for companies to pass.

Site Data Protection has actually been combined into a joint credit card industry security program that was just announced. The Big Four (Visa, MasterCard, Amex and Discover) have created one program so retailers don't have to be separately tested as they were before. Essentially, the program is designed to harden sites through quarterly vulnerability scans and self assessments of one's own IT security processes and policies.

What a retailer must do to meet these compliance standards generally depends on the number of annual ecommerce transactions. Sites that do more than 20,000 transactions a year will have to undergo a quarterly audit and self-assessment. Smaller volume sites are not obligated under the current regulations to do anything despite a recommendation of an annual scan and self assessment.

Retailers must understand that if their site is hacked, the financial penalties that the credit card associations can levy are considerable. The risks to small sites far outweigh the cost of undergoing a scan and completing a self assessment. We strongly recommend that all retailers meet the compliance requirements as soon as they can. HACKER SAFE certification automatically meets the PCI scanning requirements. A comprehensive interactive self assessment and tutorial and form are available in every ScanAlert customer account. We try and make it as painless as possible to show proof of compliance to your acquiring bank when asked.

KEN LEONARD: Our strategy is to provide the services that online retailers need to maintain good security practices both internally and externally. To prospective customers, we frequently say, "you might have great security but customers have no idea whether you do." Just like the Underwriter's Lab logo on the bottom of appliances and electrical goods, HACKER SAFE certification is the best way to address consumers' concerns about online shopping security. That's why we have grown so much.

KEN LEONARD: Web hosting will become increasingly difficult. At the low priced/high volume end, it is all about scale and pricing. At the other end, hosting providers must differentiate themselves in a market where the basic service has been commoditized. That means looking toward their customers' needs. You sell to online retailers, that's great. Online retailers need to understand search and all of its variations. How about selling search services, from managing paid inclusions to optimizing a site for native search? Think about everything that online retailers need to sell effectively online? Can you integrate those additional services into your mix?

Online retailers need security of course. We think web hosts can make money selling security so we're developing a hosting channel so they can resell HACKER SAFE. Pricing is based on site volume. Retailers also need to meet the compliance requirements that I mentioned earlier. We created a channel program so that web hosts can provide their customers with ScanAlert's compliance service at no additional cost.

As far as the future, we'll continue to refine our core scanning technology as well as expand our service mix so that we help customers respond to the changes in technology and hackers' techniques.

KEN LEONARD: To succeed in Japan, you really need a local partner. We chose Sanwa Comtec as our representative and it had been a tremendous success so far. Sanwa has a tremendous network of distributors and contacts, particularly among large corporations in Japan. In November, Sanwa announced a deal with an AIG's Japanese subsidiary AIU, to bundle hacker insurance with every HACKER SAFE subscription. We're researching a similar program for customers in the US.

KEN LEONARD: By developing partnerships and co-marketing opportunities with companies that have complementary products or services. We're always analyzing opportunities to see whether it is better to expand the functionality of our own technology or address the need by partnering with someone else. We'll continue with this approach as the technology of selling online evolves.

KEN LEONARD: Google.com

KEN LEONARD: In partnership with a growing number of hosting providers, you will see the availability of HACKER SAFE and our compliance service expand rapidly. As we already scan thousands of web hosts' servers, it makes sense to partner with them on a business level.

Right now, most of our new customers come to us directly but we expect to see more of them come to us through a hosting provider channel program, and will compensate the hosts appropriately. You will also see many more co-branded marketing programs like we're already doing with Monster Commerce and YourHost.com.