October is European Cyber Security Month and EEN is promoting best practices to ensure that SMEs are protected against data breaches. But one area that you may have overlooked is the security of your website.
It’s common for websites handling payments to serve traffic over HTTPS, but websites that don’t take payments often haven’t embraced it, even though they still handle contact forms, logins and other personal data.
With the significant penalties that the General Data Protection Regulation will bring for companies that have been breached, now is a good time to protect your website.
What is HTTPS?
When you visit a website, your browser and the web server exchange data using the Hypertext Transfer Protocol (HTTP). HTTPS is the same protocol carried over an encrypted and authenticated TLS connection. It stops anyone sitting between the browser and the server (a public Wi-Fi operator, an ISP, or an advertising network injecting adverts into pages) from reading or altering the traffic, and it blunts DNS spoofing: an attacker who redirects your visitors to an impostor server cannot present a valid certificate for your domain, so the browser refuses to connect.
71 of the top 100 sites on the web use HTTPS by default. Recent changes in Chrome now mean that any website not using HTTPS will be marked as “not secure” when data is entered. This is a move by Google to motivate website owners to improve the security of their sites as we move towards a “secure by default” web.
There are a number of myths surrounding HTTPS which have hindered its uptake:
“SSL/TLS certificates are expensive”
To implement HTTPS your website must have an SSL/TLS certificate issued by a certificate authority. The market leading authorities can charge hundreds of pounds per year for a basic certificate, but there are a number of authorities that offer free certificates, such as Let’s Encrypt.
“HTTPS will slow my website down”
You’d expect a time penalty for encrypting and decrypting every response, and there is a small one for the TLS handshake, but on modern hardware it is negligible. In practice a well-configured HTTPS site is usually faster than its HTTP equivalent, because browsers only support HTTP/2 over HTTPS, and HTTP/2 multiplexes many requests concurrently over a single TCP connection instead of opening several connections and waiting on each in turn. The speed-up comes from HTTP/2, not from the encryption itself, so make sure your server has HTTP/2 enabled when you switch.
“It will have a negative effect on my SEO”
I’m not sure where the logic behind this comes from, but Google has confirmed that it uses HTTPS as a ranking signal, so moving to HTTPS helps rather than hinders your search ranking, provided the old http:// addresses redirect permanently to the new ones so that existing links keep working.
How do I implement HTTPS?
Okay, so we’ve established that HTTPS will protect your website and its users from cyber attacks. It will also improve the site’s speed and SEO ranking, and we can do all this at no cost. But how do we actually start using HTTPS on our website?
The route that I would recommend, and which gives you the greatest amount of control over your website, is to obtain and install a free certificate from Let’s Encrypt using the Electronic Frontier Foundation’s certbot. Let’s Encrypt certificates are valid for 90 days, and certbot renews them automatically before they expire. There are some great guides on their website.
Following this you’re going to need to add 301 redirects so that every http:// address is sent permanently to its https:// equivalent, add an HTTP Strict Transport Security (HSTS) header so that returning browsers go straight to HTTPS without ever trying plain HTTP first, and remove hard-coded http:// references (images, scripts, stylesheets) from the source code, because browsers block or flag this “mixed content” on an otherwise secure page. Woah! That sounds difficult, but luckily there’s a guide for that written by security advocate Troy Hunt.
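As an added illustration of those steps (not code from this page, from Let’s Encrypt or from Troy Hunt’s guide), here is an nginx server configuration that does the redirect and the HSTS header for a hypothetical site example.com, using the file paths certbot creates by default. The domain, the webroot directory and the document root are assumptions and must be changed for your own site.

```nginx
# Port 80: answer Let's Encrypt renewal challenges, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # assumed domain

    # certbot's --webroot mode writes its challenge files under this path. It must stay
    # reachable over plain HTTP, otherwise certificate renewal breaks once the redirect is in.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;              # assumed directory; pass the same path to certbot -w
    }

    # Permanent (301) redirect that keeps the host and path, so old links and rankings carry over.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the real site, served over TLS with HTTP/2 enabled.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Default locations where certbot stores the certificate chain and private key for example.com.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only modern protocol versions; TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;

    # HSTS: a browser that has seen this header refuses plain HTTP for this domain for a year.
    # Enable it only once the whole site (and, with includeSubDomains, every subdomain) works
    # over HTTPS, because you cannot take it back from visitors' browsers before max-age runs out.
    # "always" sends the header on error responses as well as on successful ones.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;                  # assumed document root
    index index.html;
}
```

After saving the file, run nginx -t to check the syntax and reload nginx. Then verify from another machine: curl -I http://example.com/ should return a 301 with a Location header starting https://, and curl -I https://example.com/ should show the Strict-Transport-Security header. Removing mixed content is a separate job on the pages themselves: search the source for http:// and change those references to https:// (or to protocol-relative //) once the linked resources are available over HTTPS.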
Alternatively you could put the site behind Cloudflare’s free plan, which terminates HTTPS at Cloudflare’s edge and, in addition, saves bandwidth through caching and offers protection against distributed denial-of-service attacks. One caveat: in Cloudflare’s “Flexible” SSL mode the connection between Cloudflare and your own server is still plain HTTP, so install a certificate on your server as well and select the “Full (strict)” mode, otherwise the last leg of the journey remains unencrypted.
If you use shared hosting or your website is hosted by a web agency then you may have to go down a different route, but it is something you must inevitably do if you wish to protect your company against data breaches and continue to use your website as a tool to develop sales leads.