Security professionals will doubtless welcome Google’s decision to mark all HTTP pages as ‘not secure’ from next September onwards. Marketing executives who haven’t kept up to date with this web security issue might not feel so accommodating. But the announcement is a good opportunity for both groups to start a conversation.
Otherwise, here’s what will probably happen. Later this year, when the Chrome browser fires up a website that has no digital security certificate (also known as an SSL certificate), it will display a warning message telling users the website they are about to browse is not secure. Cue a stampede of customers and prospects to whichever competitor has gone to the trouble of obtaining an SSL certificate. Cue the CEO demanding to know why his friends embarrassed him at the golf club because his company website is no longer secure. Cue red faces all round in the marketing department. Cue wagging fingers in the IT and security teams.
This has serious business implications because Chrome is by some distance the most popular browser in the market. Its estimated share of around 60 per cent means the issue potentially affects six in ten visitors to a website.
Infosecurity Magazine noted that Google’s move risks causing confusion among users who expect to see a green padlock signifying a secure site. Emily Schechter, product manager with Chrome Security, explained the reasoning in a blog post. “Users should expect that the web is safe by default, and they’ll be warned when there’s an issue,” she wrote. Rather than flagging secure sites, Google will only mark HTTP pages as ‘not secure’.
Yet again, it takes something other than technology to make people sit up and take notice of security issues. We’ve seen it with external factors like GDPR, or far-reaching decisions like Google’s. The company’s reach and influence could be the catalyst that causes organisations to improve their website security.
But now’s not the time for “we told you so”. Between now and September, organisations and marketing departments will be scrambling to upgrade their websites to HTTPS. It’s a great chance for security professionals to give valuable assistance in a way that delivers visible results to the business – and improves security at the same time.