If you think of the Internet as being a big mail-delivery system, almost everyone is sending postcards: Anyone who handles your message could read it if they wanted. Encryption works like sealing a letter in an envelope. You know what it contains, and your intended recipient can open it, but intermediaries can’t read your message.
Websites for activities such as banking and shopping have long used a technology called HTTPS for protecting sensitive data like credit card numbers. But with criminals and governments (both friendly and un-) hoovering up more Internet traffic every day, security experts are making the case that all businesses should encrypt all their online traffic.
So what is HTTPS?
“HTTP” stands for Hypertext Transfer Protocol, and it appears at the beginning of every website address. The “S” stands for secure—HTTPS websites display a small padlock in the browser’s address bar.
The common question most business owners have is: why bother? Some companies deal in highly confidential information, but for many it feels like overkill, especially if you’re not involved in exchanges of obviously sensitive data like financial or health records. But regardless, switching to HTTPS is worth considering. Why?
It makes sure no one can see what’s being said between your server and your customer’s device. Even seemingly innocuous information can be useful to hackers looking for leverage or another way to breach your security or your customers’.
More importantly, encryption reassures customers that they’re talking to your business—and not, say, a 15-year-old hacker in Estonia.
“HTTPS is an extra layer of protection for web surfers to ensure no one is eavesdropping,” says Michelle Zatlyn, co-founder of Internet security firm Cloudflare. Leaking even fairly innocuous customer data can be, as she puts it, “very embarrassing. If you’re a business, this is really a no-brainer.”
How does it work?
Consider this highly simplified example of how encryption can protect your business and your customers from prying eyes. Say your customer is on their laptop in a café where the wireless network was set up by a barista who knows a lot more about coffee than IT security. A hacker—maybe in the café, somewhere nearby, or halfway around the world—has compromised the wi-fi router and is watching for interesting tidbits as they flow through: usernames, passwords, mailing addresses, credit card numbers. Your customer visits your site and places an order for 10,000 widgets.
On a regular connection, the hacker sees exactly what your customer has typed in. With HTTPS encryption enabled, it’s a garbled string of meaningless text.
Customers want it
Most people have no idea how encryption actually works, but they do care about their security. Implementing HTTPS is a signal to users that your company takes that concern seriously. A Pew Research Center report found that one in five people have had an online account compromised or controlled by an attacker, and 86% of Internet users take some sort of precaution to try to protect their online activities. That could include anything from using a fake name to employing an anonymous virtual private network. It’s not just an investment in today’s users, either: People under 30 are the most likely to take such prudent steps, so the customers of 2021 are going to have higher expectations for privacy and security.
More importantly, Google wants it
The search giant brandished its biggest gun to prove its commitment to fostering more encryption online: It announced that it now factors a website’s security into its search algorithm. In other words: sites using HTTPS will perform better in Google search results. “It’s only a very lightweight signal,” the company wrote, “but over time we may decide to strengthen it.”
It’s getting easier to do
At one time, HTTPS was quite technically daunting to set up, but that’s starting to change. Cloudflare now offers HTTPS as a feature to all its customers, including those using its free service tier. And a coalition of technology companies recently launched a new service called Let’s Encrypt that offers free HTTPS registration. HTTPS was never terribly expensive, but initiatives like these remove the last technical and financial barriers, says Zatlyn. “That’s really important. It’s something the web has needed for a long time. It’s the right thing to do.”