We don’t leave our cars parked with the keys in the ignition and we don’t write our pin numbers down on the back of credit cards. Most of us by now probably understand the importance of ensuring the websites we visit are secure when entering data, and making sure that links in emails go to secure websites.
We do? Don’t we? It would appear that is not always the case or if it is some of us are performing double standards.
Perception SaS recently analysed 500 publisher and event websites in the UK to see just how many are secure. The results astonished us.
Only 45% of sites surveyed actually had an https site with a valid certificate and forced the user to use it with automatic redirection every time. A further 9% had a secure site but would still allow people to use the non-secure version that was available, and a staggering 46% of publishers did not seem to even have a secure web presence.
Assuming you agreed with my first statement, that implies publishers are accepting that 46% of visitors are either not worried about security or are leaving their sites. Modern browsers such as Chrome have already (as of July 2018) started to mark sites without https as a potential hazard because they are insecure. It can only be a short matter of time until others follow suite – Firefox has announced plans to do the same, for example. This has a direct impact on your revenue. Less impressions, less clicks for your content, and potentially less subscribers as well.
Securing websites so they keep personal data private is a basic requirement, and as a business at the forefront of collection and analysing private data it should be one of the key requirements.
A completely secure website is probably outside of your scope or need to understand, but you should be asking your IT and web developers the following questions:
1. Is all access to the workings of my website, and all accounts accessible secured using strong secure passwords?
2. Are all software updates performed on the operating systems and web services?
3. Do you use a secure web hosting service, and does this service ensure security by enforcing strict firewall rules?
4. Does my site have a correctly installed security certificate that reflects my site and do I enforce browsing on the secure version of my site?
5. Do you run regular security status checks to ensure that everything that you installed to protect the site is still functioning as required?
6. Is the website platform and scripts fully updated to the latest secure versions? How do you react to public security notices? How long do you take to implement them?
7. Are you physically preventing XSS attacks where a hacker inserts malicious code?
Never take a verbal answer – always ask for proof. There any many testing tools available if you have the technical knowledge to do so and ask Google for help.