By Louise Heurlin
Topics such as online privacy and data security have been all the rage lately, with the Snowden movie in cinemas worldwide during autumn, the buzz around fake news and Hillary Clinton's use of a private email server, to mention a few events that have attracted a lot of attention and are much debated nowadays.
On top of that, on January 28th, the 11th birthday of the international holiday known in Europe as "Data Protection Day" was celebrated. The day was launched in 2006 by the Council of Europe with the objective of raising awareness of data protection issues and rights. Today, eleven years later, the ever-increasing amount of private data being collected and processed online is at greater risk of illegal mishandling and unfair processing.
In the light of the yearly Data Protection Day, we would like to address the fact that companies as well as individuals do have things to hide. The Eurobarometer on ePrivacy shows that 92% of Europeans are concerned about their privacy and say it is important to keep their online messages private. Thus, we need to strengthen the protection of sensitive information accordingly.
Using the HTTPS protocol to encrypt websites is getting more and more common among websites that handle sensitive information, such as banking sites. However, with the Web playing an increasingly central role in our everyday life, almost all actions online could be considered sensitive.
Google is now taking a stance to mark unencrypted websites as insecure. Starting at the beginning of 2017, they rolled out a new venture to punish out-of-date HTTP websites containing forms that ask for login credentials and credit card information. Marking these sites as "not secure" in the Chrome address bar sends a clear signal to website visitors that the information exchanged is not safely transmitted.
Google's rollout is just the first step in a long-term plan to mark all HTTP websites as insecure, in gradual steps based on increasingly strict criteria. Although it might take a while before Google starts to call out information-imparting corporate websites as insecure, migrating your website to HTTPS is not an option anymore – it's a must!
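To find the pages on your own site that meet the first-step criteria described above, the following Python check (an added example, not code from Google or from the original article) flags password and payment-card inputs on pages served over HTTP. It assumes card fields carry the HTML autofill tokens (`autocomplete="cc-number"` and similar), which only approximates Chrome's own detection; the function names, URL and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: payment fields are recognised by the HTML autofill tokens
# (autocomplete="cc-number", "cc-exp", ...); Chrome's own detection is heuristic.
CARD_PREFIX = "cc-"


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that ask for a password or card data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; normalise the values as well.
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "?"
        if a.get("type") == "password":
            self.findings.append(("password", name))
        elif any(t.startswith(CARD_PREFIX) for t in a.get("autocomplete", "").split()):
            self.findings.append(("card", name))


def audit_page(url, html):
    """Return the sensitive fields on a page that is not served over HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pw">
</form>
<form action="/pay">
  <input name="card" autocomplete="cc-number">
  <input name="q" type="search">
</form>
"""

if __name__ == "__main__":
    for kind, field in audit_page("http://www.example.com/account", SAMPLE):
        print(f"not secure: {kind} field '{field}' on an HTTP page")
```

Run it over the saved HTML of each page in your sitemap; any non-empty result marks a page to move to HTTPS first.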
Even though a website might look secure with HTTPS, old encryption methods may still be cracked. Google's algorithms are far more sophisticated than solely checking whether a website has been migrated to HTTPS or not. The algorithms are also intended to warn about websites using old and insecure versions of the TLS protocol for HTTPS traffic.
By moving to HTTPS and running the protocol with an updated version of TLS, you will secure the information transmission between your website visitors and the server. Moreover, it will provide authentication so that your visitors can be sure they are sending information to the right server.
It is worth bearing in mind that Internet security is ever-changing – try to keep up to date with changes in the security industry!
Looking at what happened to the French construction company Vinci might serve as another reminder of why you should secure your corporate website. Last year, Vinci fell victim to a cyber hoax aimed at moving the company's share price. The infringers duplicated a large part of the vinci.com website and published it on a registered vinci.group domain, making it look like the real corporate website.
On the afternoon of November 22, the intruders published a hoax press release on the fake Vinci website which announced that the CFO of Vinci had been removed from his position. The release also proclaimed that the company would restate its financial statements for 2015 and the first half of 2016 after an internal audit uncovered accounting irregularities and a net loss.
Because of this hoax, Vinci's stock was quickly sent down by almost 20 percent. Luckily, Vinci came out with an official statement in just 24 minutes, clearly denying the content of the hoax press release. Despite the fast plunge of the share price, the company ended trading down by roughly 3%. However, if the false news hadn't been detected shortly after publication, it would inevitably have been even more devastating to the company.
So, what is the lesson learned? An attentive website visitor would probably have noticed that the vinci.group website didn't show HTTPS in the URL, which is a further argument for moving away from HTTP. Preferably, your HTTPS website should also use an Extended Validation (EV) certificate to verify your business identity. This would not only strengthen the protection of your sensitive company information but also make important stakeholders aware of which statements online are your official ones.
Should you have any queries or require any further information regarding data protection and migrating your website to HTTPS, please don't hesitate to contact Andreas Bergström, CTO at +46709711260 or email@example.com.
Are you already a client of Comprend and need help implementing an HTTPS certificate? Please contact your responsible account manager.