Encryption - Protect Yourself and Your Customers
07/04/2017
The current climate
As our lives become increasingly digitalised, it should come as no surprise that online fraud and data theft also increase year on year. The constant use of computers and smart gadgets has driven the rate of data production to eye-watering levels: experts predict that by 2020 it will have increased by a staggering 4300% from 2012.
The more data the world generates, the larger the gold mine for fraudsters and hackers. In their statistical bulletin released in January this year, the Office for National Statistics estimated that 8 in 100 adults will experience ‘fraud and computer misuse’, which is significantly higher than the incidence rates for any other offence measured by the Crime Survey for England & Wales.
According to Cifas – the UK’s leading fraud prevention agency – 88% of all recorded fraud in the UK took place online, with over half being attributed to identity theft. 2016 was a record year in which 172,919 identity frauds were recorded – more than in any previous year. Identity theft using stolen personal data now offers perpetrators easier and more varied opportunities to conduct criminal activities than with other types of data such as credit card information. Gemalto, one of the world leaders in digital security, highlights this in their Breach Level Index Report for 2016:
“The increased targeting of individuals’ identities and their personal information such as the data breaches involving Government and Healthcare organizations exposed just how valuable this information has become to cybercriminals. While credit cards have built in security mechanisms that limit the exposure and risk for individuals if they are stolen, theft of personally identifiable information is something totally different as more damage can be done with stolen identities and they are also more difficult to recover.”
How does the web industry address security?
Most popular websites like eBay, Amazon and big retailers use encryption such as ‘SSL’ or ‘TLS’ to protect your password or credit card information as it travels between your browser and their servers. Encryption means that even if someone were to intercept your data en route, it would be useless without them knowing the complex encryption key that could decipher the data.
Modern web browsers now clearly communicate whether you’re on a ‘secure connection’ or not, which you can check by looking at the address bar:
As you can see in the diagram, whenever you see HTTPS, as opposed to HTTP, you know that SSL/TLS encryption is being used on your current web page.
Many security experts now believe that encryption should be rolled out across the entire web. This would mean secure connections not just on important websites like your bank, but also on the website for your favourite restaurant, pet store or blog. This might seem like overkill for small businesses, but the trend is growing, with many of the web’s giants such as Facebook and Gmail already having made the move to encrypt all of their traffic, as opposed to just data classed as ‘sensitive’ or ‘personal’.
HTTPS Everywhere
The concept of ‘HTTPS Everywhere’ (i.e. encrypting the whole web) was originally proposed by Google and has been gathering steam since 2014, when Matt Cutts, Google’s head of Webspam, announced that they would begin to use website security as a ranking factor. In his own words:
“…over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
Tim Berners-Lee, the inventor of the web, has explained in a number of interviews that not foreseeing the potential abuse of the web and missing the opportunity to establish strong security protocols from the beginning is one of his biggest regrets. Regarding the ‘HTTPS Everywhere’ directive proposed by Google, Tim explains:
“HTTPS everywhere is a recommendation. IT departments tend to balk at it, but most of the reasons why they balk at it are out of date [...] Encrypting stuff everywhere is a good idea.
“If you look at the way secure establishments are penetrated, it's done by phishing. The way you phish is you build a picture of life within the company, by watching the emails go by and looking at the minutes of the meetings. Then you write something that looks as though it comes straight out of the company, from the CEO, saying ‘Read this quickly,’ and then you send a zero-day attack. Phishing is the main way in, and phishing is that much easier when everybody can just sit on a network and monitor stuff going by.”
As well as safeguarding your customers’ data and ensuring you remain as competitive as possible in the search results, using encryption on your website will likely build trust with existing and potential customers, demonstrating that your business cares about its data protection responsibilities. After all, a data breach can have a long-lasting impact on customer trust and the reputation of your business.
Is there a downside to using encryption?
Enabling encryption on your website will require the purchase and installation of a special certificate. Just like your domain name, this is something that will generally need to be renewed every year.
Additionally, using encryption will make your web server and computer work a bit harder to encrypt and decrypt all the data that's sent back and forth. Whilst this can affect the performance of your website and potentially make it marginally slower to load, it will depend entirely on the quality of the server your website is hosted on. On a good quality server the impact should be negligible, being in the region of milliseconds, which will arguably not outweigh the other security benefits that encryption offers.
If you are interested in discussing security on your website in any further detail, please don’t hesitate to get in touch with a member of the team today.