Often when a prospective client asks for a website, they ask for it to be secure. That's a fair enough ask, but unfortunately it's not as simple as ticking a box.
Security is often likened to an onion - there are lots of layers. There's not one thing you can do to make your website secure; there are things you need to consider in the hosting, in the code, even in the content.
One box that it is important to tick is the secure certificate - or SSL certificate - box. This means your site is served (delivered) to the user over HTTPS rather than HTTP - a secure protocol. HTTPS actually stands for Hypertext Transfer Protocol over Secure Sockets Layer.
What this means is that when someone types some information into your website, such as a contact form or a checkout, and clicks "submit", that information is encrypted whilst it leaves their computer and travels across cyberspace for a fraction of a second until it lands in your database, or triggers the code that emails it to you.
Being encrypted means that if someone naughty is sat outside in a van ready to intercept the data you send over your Internet connection, they won't be able to make any sense of what they harvest from you.
That means an SSL certificate is super crucial if you're collecting credit card information and it's your website itself that's sending it (rather than a payment processor like Stripe or PayPal - more about that another day)... but actually not really that big a deal if people are just sending you a message about something mundane.
I mean, I say "not that big a deal" but you should still absolutely have a secure certificate as all the security you can muster is increasingly important. But I mean you need to realise that a secure certificate is by no means the security box ticked on your website. And it sure isn't an excuse for poor hosting or a reason to put off security upgrades. It's dealing with just one tiny aspect of your site's security.
The other reason you need an SSL certificate for your website is that Google won't give you a very nice ranking if you don't. Google have decided that being served over SSL is a web essential and so may show an unsafe warning next to your listing in search results if you don't have one. And obviously that looks awful to prospective customers so is something you really need to avoid.
Getting an SSL certificate
Getting a secure certificate is a lot easier - and cheaper - than it used to be. It used to be that they cost you a couple of hundred pounds a year to buy and have a developer install, but a movement by a nonprofit called Let's Encrypt has made certificates free.
It's fantastic that Let's Encrypt have lifted the monetary barrier to entry for many legitimate businesses... although it does also mean that any developer can now set up a website with an SSL certificate. It used to be the case that to get one you needed to prove who you were, and part of the cost was because you were independently verified as being a real business before you were granted a certificate. Now, more websites may stop data being intercepted, but as a consequence spam and scam websites may seem legitimate to people who think a padlock is a sign of a site being trustworthy.
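To see what a padlock does and doesn't vouch for, you can look inside the certificate itself. The Python sketch below is an added example, not part of the original article: it reports whether a certificate names a verified organisation or only a domain, and how long it has left. The two sample certificates, the `shop.example` names and the CA names are constructed; the "no organisation means domain-only" rule is a common heuristic, not a guarantee.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Return the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()  # checks the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _field(name, key):
    """Pull one attribute out of the nested subject/issuer structure."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize_cert(cert, now=None):
    """Summarise a dict in the format ssl.SSLSocket.getpeercert() returns."""
    now = time.time() if now is None else now
    org = _field(cert.get("subject", ()), "organizationName")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "domains": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "issuer": _field(cert.get("issuer", ()), "organizationName"),
        "organization": org,              # None: only domain control was proven
        "identity_checked": org is not None,
        "days_left": int((expires - now) // 86400),
    }

# Constructed samples in getpeercert() format (not real certificates).
DOMAIN_ONLY = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example"),),
}
ORG_VALIDATED = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "www.shop.example"),)),
    "issuer": ((("organizationName", "Example Paid CA"),),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.shop.example"),),
}

if __name__ == "__main__":
    for label, cert in (("domain-only", DOMAIN_ONLY), ("org-validated", ORG_VALIDATED)):
        print(label, summarize_cert(cert))
```

Both samples give the same padlock and the same encryption in a browser; only the second says anything about who is behind the site.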
Overall, if you run a website, you should definitely have a secure certificate. But you need to understand that it protects your visitors in one very specific way and isn't the whole security of your website sorted. Meanwhile if you're a consumer, you need to still check a website seems legitimate in other ways and not just rely on a padlock before you part with your cash or personal information.