By Christopher Moschella, CPA, CISA | Risk Advisory Services Senior Manager | Cybersecurity Team Leader
Your website is not secure… Or so says Google, and that’s all that matters.
When you navigate to a website, your computer exchanges data with a server quietly humming on a rack in a data center somewhere in the world. As the data makes its way to the server, it bounces off dozens of computers, servers, and networks along the way. The transmitted data can either be encrypted (as indicated by HTTPS in the address bar) or unencrypted (as indicated by HTTP in the address bar). If intercepted while on its journey across the internet, unencrypted data is easily read, modified, and stolen. This is referred to as a man-in-the-middle attack.
Intercepted by an attacker, login credentials stolen in an HTTP request are easy to see.
Encrypted data, in contrast, is scrambled so that only you and the server on the other end have the secret key to decrypt and display the data.
To developers and security professionals, the risk of sending unencrypted data over the internet is significant, especially when transmitting sensitive data, such as a user ID and password, executing banking transactions, or emailing private information. There has been very little, if any, dissent regarding the necessity of encrypting sensitive data. Encrypting other data, such as news articles, informational company webpages, and other “static content” websites, is a little more hotly debated today.
Google, however, has taken a clear stance on the issue. They believe all data on the internet should be encrypted, and over the past few years have been using their power as the creator of the world’s most popular web browser, Chrome, as a lever to push more websites closer to encryption, regardless of the type of site or content.
In the most significant step Google has taken to date, the Chrome browser will soon inform all visitors to websites using unencrypted HTTP that the site is not secure.
Many visitors to websites will undoubtedly be alarmed by the message, and will navigate away worried that the website will cause them to get hacked. Users visiting a site with encryption will see the comforting green lock rather than the worrisome “Not Secure.”
Many will undoubtedly complain that this is heavy-handed, overstates the actual risk for most websites, and will lead to frustrated users. While complaining feels good, it won’t help your scared visitors return to your website. Companies with websites using HTTP would be wise to move to HTTPS sooner rather than later.
If that weren’t reason enough to move to HTTPS, Google is right there to offer yet another reason to move to encryption. Google’s search engine uses complex algorithms to determine which websites are displayed in the search engine results pages (SERPs) and the order in which they are displayed. Those algorithms examine hundreds of factors about a website to determine how a webpage should be returned in the SERPs for any given search. Since 2014, Google has given websites using HTTPS a small ranking boost in the SERPs. Readers who work with their company’s search engine optimization (SEO) know it is a constant fight for ranking in the SERPs for key search terms. Thankfully, updating your website to leverage encryption is an easy SEO win. That minor boost might be the difference between your site being on the first page of the SERPs or not, which can be the difference between a lead coming to your website or a competitor’s.
Not long ago, implementing HTTPS on a website could be an expensive and sometimes difficult process. Today, however, encryption certificates can be created for free, thanks to the sponsors of the Internet Security Research Group, which created Let’s Encrypt. Content management systems and hosting providers generally make it easy to move from HTTP to HTTPS, some offering push-button HTTPS.
All businesses that value their web traffic should be using HTTPS. The merits of Google’s push for HTTPS everywhere notwithstanding, by upgrading from HTTP to HTTPS, you are likely to have more visitors on your site (thanks to the SEO boost) staying for longer periods of time (thanks to the comforting green lock). Those reasons alone make it worth the switch to HTTPS.