Top ten online security tips

Online security is an important issue of which all web users need to be mindful.

If you're not careful, you may find yourself exposed to malware, identity theft, and all sorts of other problems. To avoid this, here are ten online security tips to bear in mind while you browse...


Switch to HTTPS

Here's something you might have seen recently if you use Google Chrome to browse the Internet:

Chrome Not Secure Warning

This scary red 'not secure' warning now appears in the Chrome address bar whenever you type something in on a non-HTTPS web page.

What does this mean for my website?

If your own web address still begins with HTTP rather than HTTPS, Chrome users will see the warning whenever they enter any information on your site. It doesn't matter whether they're entering their credit card number, searching for a product, or just commenting on your latest blog post - as soon as they start typing, Chrome will display that little red warning triangle and inform them that your website is not secure.

Obviously, this may put people off using your website, particularly if you're asking them to enter sensitive and/or personal information like their name, location, telephone number, email address, card details, etc.

(If your site is already under HTTPS, you don't need to worry - Google Chrome doesn't show the 'not secure' warning on HTTPS pages.)

Why is this happening?

Chrome already showed a 'not secure' warning on non-HTTPS pages that requested sensitive info such as passwords and payment details.

But Google made it clear some time ago that this warning would eventually be displayed on all non-HTTPS pages, and they recently made good on this promise. Now, if you use Google Chrome to visit any non-HTTPS page, you'll immediately see this notice in your address bar:

And if you start typing text into any text entry field on that non-HTTPS page, that warning will turn red, like this:

This is Chrome's way of letting you know that the information you're inputting will be sent over an unencrypted connection.

How can I make sure the 'not secure' warning doesn't appear on my site?

Simple: switch to HTTPS!

If your website address begins with http:// rather than https:// then Chrome will show your users the 'not secure' warning whenever they type something on your website. Under an HTTPS connection, everything exchanged between the browser and your server is encrypted in transit, so it cannot be read or altered by anyone on the network in between. The same does not apply to an HTTP connection, where the data travels in plain text, which is why Chrome now shows this warning.

Online security is a big concern for Internet users nowadays. By switching from HTTP to HTTPS, you will not only be safeguarding yourself from Chrome's 'not secure' warning but also providing a bit of extra reassurance to your users. This will make them more likely to buy from you, make an enquiry, or do whatever it is you want them to do. There is also some evidence that HTTPS websites rank better in the Google search results.

If you're a Designer Websites client and you'd like to switch from HTTP to HTTPS, please email info@designer-websites.co.uk or give us a call on 01446 339050.

GDPR FAQ

IMPORTANT NOTE: Unlike some companies who have written about this topic recently, we are not running a GDPR course, and so we will not be exaggerating the issues to scare you into parting with your cash. This is merely an advisory post for Designer Websites clients, many of whom have been asking us about the new law that will soon be in effect.

If you're a business owner, odds are you've already heard about the General Data Protection Regulation (GDPR) that will soon be in effect throughout the European Union. This new regulation is fairly complex, and many different claims are being made about it - not all of them accurate.

With that in mind, we want to do what we can to help you understand the new laws and what they mean for your business, particularly your website. You've probably got a lot of questions about the GDPR, and today we're going to attempt to answer some of them.

Please note that this post is for informational purposes only and should not be mistaken for professional legal advice. Designer Websites Ltd will not be held responsible for any other organisation's failure to comply with the GDPR or any other piece of legislation.

Contents:

  1. What is the GDPR?
  2. When will the new law take effect?
  3. Where does the GDPR apply?
  4. Why does my organisation need to be GDPR compliant?
  5. Who is responsible for ensuring that my organisation is compliant?
  6. How can I make sure I'm ready for the new law?
  7. What steps do the ICO recommend?
  8. Are Designer Websites GDPR compliant?
  9. Do I need to do anything about my website?
  10. Can Designer Websites help with GDPR compliance?
  11. Useful links

1. What is the GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation that aims to improve data protection for individuals within the European Union. The regulation will give individuals more control over their personal information and how it is used.

Under the GDPR, organisations that process people's personal data will be expected to keep that data secure, be transparent about its use, and report data breaches promptly when they occur.

Here in the UK, the new data protection law will be enforced by the ICO (Information Commissioner's Office). An in-depth guide to the GDPR can be found on their website.

2. When will the new law take effect?

The GDPR was adopted in April 2016, but it is not yet in effect. It will be enforced from 25 May 2018 onwards. Your organisation will need to be compliant with the new law by that date.

3. Where does the GDPR apply?

The GDPR is an EU regulation, and thus it will apply to all EU member states. This will include the United Kingdom, even after Brexit.

The GDPR also applies to any organisations who process the personal information of individuals within the EU. For example, Facebook and LinkedIn are both based in the USA, but since they hold personal data on EU citizens and residents, these companies will be expected to comply with the new regulation just as if they were based inside the EU.

4. Why does my organisation need to be GDPR compliant?

Once the new law is in force, your organisation will be required by law to comply with the General Data Protection Regulation. After 25 May, if you are found to be in violation of the GDPR, you will be breaking the law, and may thus be subject to a number of sanctions.

That said, the ICO have made it clear that they view fines as a last resort, and will only use them to punish companies who "systematically fail to comply with the law or completely disregard it". Information Commissioner Elizabeth Denham has stated the following:

"The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR...we intend to use [our increased] powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand...the GDPR gives us a suite of sanctions to help organisations comply - warnings, reprimands, corrective orders." [source]

So don't panic when you see people using scaremongering tactics and telling you that you'll be fined millions of pounds if you aren't GDPR compliant by 25 May - this is simply not true. The important thing is that you're making a reasonable effort to comply by being transparent about your data collection practices and keeping people's personal information secure.

5. Who is responsible for ensuring that my organisation is compliant?

Short answer: you are. If it's discovered that your organisation is not complying with the GDPR, it's your organisation that will be held to account.

The long answer is a little more complicated. The new regulation makes the following distinction between what the EU call 'controllers' and 'processors':

  • Controllers determine the 'purposes and means' of processing personal data (e.g. if you collect information about your customers and use that information to either communicate with them or make decisions about them, then you are a controller).

  • Processors are the ones who actually handle the data on behalf of a controller (e.g. companies like Sage, Salesforce, Infusionsoft and MailChimp are processors because they provide a service that involves processing data on behalf of controllers).

It is quite possible that you are both a controller and a processor of some personal data.

Both controllers and processors have some responsibilities under the GDPR. Processors must keep accurate records of the data itself and of processing activities; they are responsible for keeping people's personal data secure, and will be held legally liable in the event of a breach. However, controllers may also be held liable if they use a processor without ensuring that the processor is GDPR compliant.

Since virtually all organisations process some personal data themselves - even if it's just their own employee records - nobody will be off the hook when the GDPR comes into force on 25 May. So now let's answer the most important question of all...

6. How can I make sure I'm ready for the new law?

The most important thing is to demonstrate that your organisation has made a reasonable effort to comply with the GDPR and protect the rights of the individuals whose personal data you store and/or process. As you've already seen, the Information Commissioner's Office will only be issuing fines to the very worst offenders - they're more interested in helping businesses to understand and comply with the new law in order to protect individuals' rights as well as possible. In fact, if this whole thing has you feeling completely lost, you may want to make use of the ICO helpline (open 0900-1700, Mon-Fri).

So what exactly will you need to do from 25 May onwards? Well, the right approach will differ from one organisation to the next, but here's a good rule of thumb: before you collect or process someone's personal data, make sure you...

  • Have a clear reason - and a lawful basis - for doing so. Know why you're collecting other people's information, and know whether that reason is defensible in the eyes of the law. Under the GDPR, there are 6 valid legal reasons for organisations to collect personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Details on all 6 lawful bases can be found here; for the majority of businesses, the most applicable basis will either be consent (the individual consented to you collecting and processing their information) or legitimate interests (you have a valid business reason for collecting the data, and you are not infringing on the personal rights of the individual).

  • Are only collecting what's necessary. You should only ever collect/process personal data if it is necessary to your stated goal. For instance, you might reasonably collect a customer's name and contact details so that you're able to reach them, but that's no reason to also collect information on their race, nationality, date of birth, etc.

  • Know how long you will be holding on to that data. The GDPR doesn't allow organisations to keep people's personal information indefinitely just because. Once you know why you're collecting personal information (see first point), you should also assess how long you'll need to keep the data in order to meet that goal. This doesn't necessarily need to be a specific number of days or months - it could just be 'for as long as that person remains a customer' or 'until that person unsubscribes from our newsletter'.

  • Will be able to keep this data secure. This may mean installing security software or making organisational changes to ensure that only authorised personnel are able to access the collected information.

  • Will be able to respect the individual's rights to access and erasure. Under the GDPR, individuals have the right to view all personally-identifiable information that an organisation holds on them. In addition, they usually have the right to request that this information be deleted. Ensure that your data subject(s) will be able to make these requests, and that you'll be able to honour them in a timely manner - requested information will need to be supplied within 1 month of receiving the request, and while there are certain circumstances under which you can refuse to delete personal data (see 'When can I refuse to comply with a request for erasure?'), you will generally need to comply with deletion requests as quickly as possible too.

7. What steps do the ICO recommend?

The ICO have put together a helpful list of 12 steps that organisations should take ASAP in order to prepare for the General Data Protection Regulation. By now, you hopefully have a reasonably clear idea of what your responsibilities will be under the new law, but if you're not sure what actions you now need to take, this list is a great place to start.

So let's go through the 12 recommended steps in a little more detail:

1) Make sure everyone's aware of the new law.

Speak to the key decision-makers within your organisation and ensure that they understand the new law and what it requires of them.

2) Document all personal data you currently hold.

You probably already have at least some personal data on record. Now is a good time to review:

  • What data you hold
  • Where it came from
  • Whether you still need it
  • How you're using it
  • Who has access to it
  • Whether you have a lawful basis for keeping it

An information audit may help with this step.

3) Review your privacy policy.

People who interact with your organisation should be able to access a copy of your privacy policy (most companies publish it on their website). Read over your privacy notice and revise it if necessary to ensure that it complies with the GDPR.

If you're not sure what your privacy policy needs to include, you may wish to refer to our own privacy policy as an example - however, please bear in mind that every business is different, and your privacy notice may need to cover certain things that ours does not.

4) Make it easy for individuals to make information requests...

As we've already covered, data subjects have the right to know what information you have on them. Try to make it as easy as possible for data subjects to submit information requests - for instance, you might put a contact form on your website for this purpose, or set up a dedicated email address for right of access requests.

Larger companies may choose to provide an automated system to allow their customers to view, update and delete their own personal information manually. However, developing a tool like this would probably be overkill for small/medium-sized businesses who do not expect to receive many requests.

5) ...and ensure that you're able to respond to these requests.

In addition to the above, you need to make sure that your systems allow you to quickly retrieve and, if necessary, delete people's personal information when they request it. Ensuring that this can be done in a timely manner will help you to comply with the GDPR, and it will save you valuable time if and when a request is submitted.

6) Identify a lawful basis for your data collection / processing.

Remember, there are 6 lawful bases for processing data - make sure you understand them, and identify which one applies to your activities. Bear in mind that you can't change your mind later (e.g. if you collected a customer's contact details on a 'consent' basis because they agreed to receive promotional information from your organisation, you cannot use those details for other purposes on the basis of 'legitimate interests').

Your choice of lawful basis should be documented in your privacy notice - see step 3.

7) Check how you establish consent.

If you collect people's personal data on a 'consent' basis (see above), you need to:

  • Give individuals a clear way to give - or withhold - consent
  • Make it clear what individuals are consenting to

For instance, if there is a form on your website that requires people to enter their contact details, you need to be EXPLICIT about what you plan to do with those contact details. If you're going to send promotional emails, say so. If you plan to share the individual's details with your partner companies, make this clear.

Consent should never be the default option. Here's something you've probably seen quite often on the Internet:

☐ Tick this box if you do not wish to receive promotional emails from us.

In this example, users are automatically consenting to receiving emails until they tick the box. Under the GDPR, this sort of thing will not be allowed - the message above would need to be changed to 'Tick this box if you wish to receive promotional emails from us' or something similar. Make sure you're ASKING for consent instead of giving the option to withdraw it.

8) Think of the children!

Children under the age of 13 cannot legally consent to the collection and processing of their own personal data. A parent or legal guardian must consent on their child's behalf.

If you think that children may interact with your organisation, it may be necessary to implement some kind of age verification system on your website and/or set up a simple way for parents and guardians to consent to data processing activities.

9) Know how to respond to a data breach.

If a security breach allows unauthorised personnel to access the personal data that you hold, you will be expected to respond to the breach properly. Make sure you have an established procedure in place for detecting, reporting and investigating data breaches. (Remember, if you're based in the UK, breaches must be reported to the ICO within 72 hours.)

10) Familiarise yourself with the guidelines.

You're already reading up on the General Data Protection Regulation, but now is also a good time to familiarise yourself with other relevant guidelines, especially the ICO's code of practice for conducting privacy impact assessments.

11) Designate a data protection officer.

While everyone in an organisation has a role to play in keeping data secure and complying with the law, you should appoint (formally or informally) a data protection officer to take overall responsibility for compliance and security.

12) Determine your lead data protection supervisory authority.

If you solely operate within the UK, your data protection supervisory authority is the ICO (Information Commissioner's Office). If you hold information on individuals in other EU member states, you should identify the authorities for each of those countries and determine which is the 'lead' authority for your organisation.

8. Are Designer Websites GDPR compliant?

Yes, we are. In fact, we have always been compliant; from the very beginning, we were always extremely careful to store / process customer and staff details securely.

We keep our servers (which hold the data we collect and record for our customers) in a purpose-built secure data centre with firewalls, secure access and activity logging. We have our own defined procedures in place for tracking and using the data that we record. We have always had a designated data protection officer, and we have an up-to-date privacy policy.

When an enquiry is submitted via our website, we do not store the submitted information in a database - we simply receive an email containing the content of the submitted form. These emails are deleted after 12 months.

9. Do I need to do anything about my website?

As stated earlier, all businesses - and all business websites - are different. We can offer some general guidance to help you ensure that your website is GDPR compliant, but please remember that it is your responsibility to familiarise yourself with the new law and ensure that every part of your organisation is following it.

With that said, we recommend the following:

  1. Update your privacy policy and cookies policy. Make sure these documents are accurate and exhaustive. Explain all the ways you collect people's data through your website, how that data is used, and how people can contact you to request access to / deletion of their information.

  2. Review the forms on your website. If your website contains any forms that ask users to enter personal data, you must declare why you are capturing that information and what you intend to do with it (e.g. 'we will use this information to inform you about future offers' or 'we reserve the right to share this information with our partner companies'). This should be stated on the form itself as well as in your privacy policy (see above).

  3. Stop making consent the default option. If you use pre-ticked checkboxes on your web forms (or require the user to tick a box to opt OUT of something), you will need to stop doing this before the GDPR comes into force. Ensure that users cannot consent to anything through a lack of action - for instance, users should have to tick a box when they DO wish to be added to your mailing list, not when they want to be kept off it.

  4. Make sure you have consent for any data you already hold. If you have collected people's personal details in the past, you should make sure they are still happy for you to keep hold of them. For example, you may need to make it easier for people to unsubscribe from your mailing list if they no longer wish to be on it.

  5. Ensure that people are able to view and delete their personal information. As we mentioned earlier, you may wish to set up an automated system that allows your customers to manage their own personal data, but a contact email address is sufficient if you're not expecting a lot of requests. Just make sure that anyone looking to access their personal data has a clear way to do it.

10. Can Designer Websites help with GDPR compliance?

It is ultimately your responsibility to comply with the GDPR law, but if you need any help from the Designer Websites team then we will of course assist you wherever possible.

For instance, if you need us to make your web forms compliant, or if you need help with your website's privacy policy, please email info@designer-websites.co.uk and ask for assistance. This work is chargeable (our usual rates apply), and each website is different, so we would have to add you to our list of requests and assess how much time would be needed to make your site compliant. Please bear in mind that we manage hundreds of websites, and it may be some time before your changes can be made.

11. Useful links

From October 2017, Chrome will show a 'NOT SECURE' warning on any HTTP page containing a text form

Switch your website to HTTPS

Google are currently on something of a crusade. They want their users to feel totally secure as they browse the web, and so they've been doing their best to force website owners to take user security more seriously. Google Chrome already shows a 'Not secure' warning on non-HTTPS pages that collect sensitive data; for instance, checkout pages and login screens must be served over an HTTPS connection in order to ensure that card details, passwords, and other sensitive details are encrypted. If you're asking users to enter that sort of information on an HTTP page, Chrome will flag up the risk with a notice like this:

Google Chrome 'Not Secure' Warning

As things stand, that 'Not secure' warning is only shown on pages where a user is explicitly asked to enter 'sensitive' data, such as:

  • Passwords
  • Credit / debit card details

However, Google have now announced a major change that could cause a lot of problems for website owners. As of October 2017, the 'Not secure' warning will appear on EVERY non-HTTPS page that contains a text input form, regardless of the form's purpose.

This means that, from October onwards, the following pages will need to be secured with an SSL certificate:

  • Any page with a search bar
  • Any page with a contact / enquiry form
  • Any page with a newsletter signup form

Basically, if your page contains ANY element that allows the user to enter and submit some sort of information - whether it's their credit card number, their email address, or the name of the product they're looking to buy from your website - then you'll need to get that page secured with an SSL certificate by October.

With this change looming on the horizon, a lot of website owners will need to think very seriously about implementing HTTPS across all pages if they have not already done so. For instance, it's quite common for ecommerce sites to use HTTPS on their login/register and checkout pages while serving all other pages over an unsecured HTTP connection, but once this Chrome update takes effect, the people who visit those websites will start seeing 'Not secure' messages everywhere they click.

And those two little words will often be enough to put off potential customers and send them running to a fully-secured competitor instead.

What do I need to do?

If you are currently serving text input forms over an HTTP connection, you will need to purchase an SSL certificate and install it on the server where your website is hosted. You will then need to update things like canonical tags and internal links so that they point to your website's new URL (beginning with https:// rather than http://). You will also need to ensure that the proper redirects are in place so that anyone trying to access the HTTP version of your website is automatically sent to the secure HTTPS version.

If that to-do list seems a little intimidating, don't worry - all you really have to do is ask your website developer to make the necessary changes for you. They will know how to install the SSL certificate and update everything 

Do I need to switch to HTTPS if my website doesn't contain any forms?

Perhaps you've been reading this and thinking 'this doesn't concern me - I don't have any search bars, contact forms or anything like that on my website, so I must be safe'.

If so, we have some bad news for you. Google have made it quite clear that the October update will merely be the latest step towards their ultimate goal, which is to mark ALL HTTP pages as 'Not secure'.

This week, Google sent out an email to webmasters warning them of the imminent expansion of the 'Not secure' message. That email included the following ominous statement:

"The new warning is part of a long term plan to mark all pages served over HTTP as 'not secure'."

So while your unsecured website may survive the update in October, you won't be able to escape that 'Not secure' shame notice forever. And given that users are increasingly expecting to see that little green padlock at the top of their screens no matter what they're doing online, it's probably a good idea to get that SSL certificate and upgrade to HTTPS sooner rather than later.

Further Reading: Why Convert Your Website to HTTPS?

UPDATE (12th Dec 2016): Google recently announced that HTTP websites that collect sensitive data (e.g. passwords, payment details) will soon be flagged as 'not secure' when someone attempts to view them on the Google Chrome web browser. This means that, if your website requires users to enter login details and/or personal information, it is now even more important that you follow the advice given below and secure your site by upgrading to HTTPS. Failure to do so ASAP may lead to a sharp decrease in site traffic as Chrome begins to warn people away from your site.

Why Convert Your Website to HTTPS?

There’s lots of chatter on the internet, and particularly within the SEO community, about implementing site-wide HTTPS for websites, and you may be wondering why. In the first instance, website owners are making the shift predominantly because Google have (relatively recently) announced that, since HTTPS is inherently more secure for internet users, they have added it as a ranking factor within their search algorithms. There are other reasons, of course (chiefly the added security), but most website owners whose websites were not previously secured by an SSL certificate are having to think about the switch simply to stay ahead of the competition.

We’ve been building secure websites for ecommerce for over a decade; this is normal practice when handling transaction and customer details, but not so much for basic brochure-style websites. However, we recently converted a brochure-only website for one customer to a more secure HTTPS website; take a look at composite decking suppliers TimberTech.

Timbertech are among the first of our customers to switch to a site-wide HTTPS website, and we’re very closely monitoring their rankings to see if this has any effect on the SERPs. We anticipate carrying out this task for a great many of our customers over the coming months, and we think that if you have not already done so, then you should seriously start thinking about doing this for your website. Here are two reasons why:

1. A more secure browsing experience for your users.

All data sent via HTTPS is encrypted in transit, meaning that it cannot be read or tampered with by anyone intercepting the connection between the user's browser and your server. As mentioned, we always use the HTTPS protocol at the checkout stage of our ecommerce websites, thus ensuring that each customer's payment details and personal information are handled securely. However, many non-ecommerce site owners are now opting to switch to HTTPS too, and it's not hard to see why: even if no payment information is sent via your site, it can still give users extra peace of mind to know that any other sensitive information they enter (email addresses, telephone numbers, login details, etc.) will be encrypted on its way to your website.

2. Potentially higher Google rankings.

The primary aim of any search engine is to deliver the best possible results to the end user, and since online security is a major concern for many web users right now, companies like Google and Bing are always looking for new ways to identify secure, high-quality websites.

Google announced some time ago that HTTPS had been incorporated into their algorithm as a "lightweight" ranking signal, potentially giving HTTPS websites a slight advantage over standard HTTP sites in the search engine's results. We've seen a lot of debate over how much difference HTTPS can actually make to a site's rankings, but while it would be foolish to suggest that HTTPS is some kind of miracle solution, it seems fairly safe to say that converting to HTTPS can at least make a small difference to a site's organic search positions. This blog post from ahrefs.com suggests that HTTPS, when implemented properly, does correlate with higher search rankings.

However, that brings us to an important point: if you're going to make the leap from HTTP to HTTPS, it's important to ensure that it's done properly. Among other things, you will need to implement the proper redirects throughout your site, and make sure that there is a single canonical version of each URL.
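The two chores this paragraph and the 'What do I need to do?' section above describe (a redirect from every old http:// URL and a single https:// canonical for each page, with internal links updated) are easy to get half-right, so here is a small checker for them, as an added example that is not Designer Websites' code: it parses a page for leftover http:// references and validates a recorded redirect chain. The host www.example.co.uk, the sample HTML and the redirect chains are constructed.

```python
"""Post-migration checks for an HTTP -> HTTPS switch: one permanent redirect
from the old http:// URL to the https:// canonical, and no leftover http://
references (canonical tag, internal links, stylesheets, scripts, images).
Added example for this post, not Designer Websites' tooling; the host name,
sample HTML and redirect chains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SITE_HOST = "www.example.co.uk"  # hypothetical site being migrated
PAGE = "https://www.example.co.uk/products/decking"  # constructed page URL
# Tags whose http:// resources a browser treats as mixed content.
RESOURCE_TAGS = {"script", "link", "img", "iframe", "form"}

class _RefCollector(HTMLParser):
    """Record the canonical URL and every href/src/action on the page."""

    def __init__(self):
        super().__init__()
        self.canonicals = []
        self.refs = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "canonical":
            if a.get("href"):
                self.canonicals.append(a["href"])
            return  # checked separately, not as an ordinary link
        for attr in ("href", "src", "action"):
            if a.get(attr):
                self.refs.append((tag, a[attr]))

def audit_html(html, page_url):
    """Return findings for a page served at page_url; [] means clean."""
    findings = []
    parser = _RefCollector()
    parser.feed(html)
    if len(parser.canonicals) != 1:
        findings.append(f"expected one canonical tag, found {len(parser.canonicals)}")
    else:
        c = urlparse(urljoin(page_url, parser.canonicals[0]))
        if c.scheme != "https" or c.netloc != SITE_HOST:
            findings.append(f"canonical still points at {parser.canonicals[0]}")
    for tag, ref in parser.refs:
        u = urlparse(urljoin(page_url, ref))
        if u.scheme != "http":
            continue  # https, mailto: etc. are fine
        if u.netloc == SITE_HOST:
            findings.append(f"<{tag}> still links to the http:// site: {ref}")
        elif tag in RESOURCE_TAGS:
            findings.append(f"<{tag}> loads mixed content over http://: {ref}")
    return findings

def check_redirect_chain(chain, canonical_url):
    """chain: [(requested_url, status, location)] recorded hop by hop when
    following the old http:// URL (e.g. curl -I without -L). We want exactly
    one permanent redirect landing on the https:// canonical with a 200."""
    if not chain:
        return ["no responses recorded"]
    findings = []
    hops = [(url, status) for url, status, _ in chain if 300 <= status < 400]
    if not hops:
        findings.append("old http:// URL served content instead of redirecting")
    elif len(hops) > 1:
        findings.append(f"{len(hops)} redirect hops; redirect straight to the https URL")
    for url, status in hops:
        if status not in (301, 308):
            findings.append(f"{url} uses temporary redirect {status}; use 301")
    last_url, last_status, _ = chain[-1]
    if last_status != 200 or last_url != canonical_url:
        findings.append(f"chain ends at {last_url} ({last_status}), expected {canonical_url}")
    return findings

SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.example.co.uk/products/decking">
<script src="https://cdn.example.net/lib.js"></script>
<link rel="stylesheet" href="http://www.example.co.uk/css/site.css">
</head><body>
<a href="/contact">Contact</a>
<a href="http://www.example.co.uk/about">About</a>
<img src="http://images.thirdparty.example/banner.png">
<form action="https://www.example.co.uk/search"><input name="q"></form>
</body></html>"""
GOOD_CHAIN = [("http://www.example.co.uk/products/decking", 301, PAGE), (PAGE, 200, None)]
BAD_CHAIN = [  # stray bare-domain hop followed by a temporary redirect
    ("http://example.co.uk/products/decking", 301, "http://www.example.co.uk/products/decking"),
    ("http://www.example.co.uk/products/decking", 302, PAGE),
    (PAGE, 200, None),
]

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, PAGE) + check_redirect_chain(BAD_CHAIN, PAGE):
        print(f)
```

Run against a real site, the HTML would come from fetching each https:// page and the chain from requesting the old http:// URL without following redirects, one hop at a time.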

If you'd like the Designer Websites team to help you upgrade your site from HTTP to HTTPS, please get in touch - we will ensure that the changeover is handled properly, giving you the best possible chance of achieving higher rankings and meeting the expectations of your users.