Nick has landed on your Home page and is interested in the information you have there. But then he looks at the address line on his browser and sees something he hasn’t noticed before. The “s” that’s normally in “https” is missing. And to the left of the address is a triangle with an exclamation mark in it and a notice that says, “Not secure.” When he clicks on the notice it tells him not to enter any sensitive information, such as passwords or credit card numbers, on this site. Nick isn’t sure what to do – should he leave? Is he or his computer in danger of being hacked?
One of the questions I’m asked from time to time is, do I really need to go to the expense of having a secure website?
First, we need to look at what having a secure website means. When you secure your website, you purchase an SSL (Secure Sockets Layer) certificate. This certificate does two primary things. First, your identity is verified, making sure you are actually the owner of the website. Second, some software/hardware components are put in place to set up encryption to and from your website. Once the certificate is in place, people visiting your website can be assured of two things: 1) you are who you say you are and 2) information sent and received while on your website is encrypted. And of course, the other thing that happens is that the browser doesn’t have the “Not secure” notice next to your web address anymore.
These certificates used to be pretty expensive (I remember when a “cheap” one was $600/year) and most websites that weren’t dealing with financial transactions didn’t go to the expense of buying them. The good news is that the price has come down considerably (now less than $100/year). As having a secured website became more common, the factors for making the decision became a little more nuanced. If you take payment information on your website, you don’t have a choice – you have to have an SSL certificate. But what if you don’t take payments?
If you have a website that requires putting in a password, you should definitely secure your site. But it becomes a little less certain when all you have is information about you or your organization and a Contact Us page. Just how sensitive is your visitor’s email address and are hackers really working hard to get it? Probably not.
But there are two other factors to consider. The first is the peace of mind of your visitors. It really comes down to how big you think their concern is when they see the “Not secure” notice. How much is it worth to address your visitors’ concerns? Often, it’s more about perception than reality. Most people don’t really know what that notice means and have a generalized fear when it comes to cyber security. Last year the City of San Antonio spent a good deal of money securing all of their websites primarily for this reason. They don’t want citizens visiting a city website while believing they’re putting themselves at risk.
The other factor is you might get a little bump from Google’s search engine if your site is secure and your competitor’s site is not. If you both score equally on all the other things Google scores us on, then having a secure site will win over the unsecured website. Having a secured site isn’t a major factor in their algorithm so it’s not a huge advantage. You have to decide if that little extra push is worth it.
So, how do you decide whether to secure your site or not? Here’s a three-step plan:
First, you have to ask yourself if you collect any sensitive information from your visitors. If you’re doing any financial transactions or password protected activity, the answer is easy – yes, you need to secure your site. However, are email addresses sensitive? It’s up to you to decide, but most people would say no. But what about the forms you have on your website? What kind of information do your visitors share? I maintain my church’s website and we have a form for prayer requests. Those can be very sensitive, so yes, the church’s website is secured.
Second, decide how important you think having a secure website is to your target audience. If you’re losing visitor engagement because they’re afraid of your site, then you probably need to go ahead and secure it even if there’s no security need. But if it doesn’t seem to be a problem, then maybe you can save a little money by not securing it.
Third, if you do decide to secure your site, ask your website developer to help you out. Sometimes you can obtain an SSL certificate directly with the host, but even so, it’s good to get the developer involved. There’s an important reason. You can’t have links on a secured page that load content, such as images or scripts, from an unsecured source. This is called “mixed content” and will cause the page the link is on to fail to be secured.
At Drake Web Development, we offer our clients an SSL certificate through the host we use. Currently, the cost of the certificate is $25.00/year. But to have it installed on a site, the site must have a static IP address – and that costs $30.00/year. We charge $20.00 to make it all happen, so the total cost right now is $75.00/year.
If you have a website that’s secure or you decide to secure your site, there’s a certain peace of mind knowing that your visitors have nothing to fear – not even that ugly “Not secure” notice. They can be safe and feel safe when on your website. If your website isn’t secure and you have questions about whether it’s worthwhile or not, please go ahead and schedule a free consultation with us. We’d be more than happy to talk with you about it.