In the past year we have seen a number of security-related stories in the Finnish media.
Spring saw one of the Nordic region's largest banks forget to renew the SSL certificate that secured their new online banking site. This, unfortunately, is not a rare phenomenon, and companies such as Google, Twitter and LinkedIn have all experienced similar certificate expiry issues. Consumers are nevertheless advised to be cautious online and to pay heed to the warning messages they see in their web browsers. My colleague Andy Horbury wrote about a similar incident recently.
Another blunder highlighted in the press happened a few weeks later, when the Certificate Authority used to issue certificates for some local government sites caused users to be warned that the site they were visiting was not to be trusted. This was simply because the sites had used a CA whose root certificate was not in the trust store of the Mozilla browser, Firefox. Imagine securing your site with an SSL certificate that works for everyone apart from Firefox users, and then compounding that by giving visitors the horrendous advice to ignore any browser warnings they might see when visiting the site. Today this issue has been fixed and the site in question has switched its SSL certificate to a trusted CA. However, I can’t even imagine how this advice from a powerful entity affected consumers, and what it means for trust online if people are told they can simply ignore browser warnings. In my opinion, and that of any IT professional, this is pure nonsense.
Shopping at your own risk
The third incident in the news coverage was the report regarding the part that Finns were playing in an international group of hackers. The young man in question had hacked sites in relative peace and quiet for the last couple of years, beavering away diligently, scouring Finnish discussion forums and gaming sites for user names, passwords and credit card information, as well as anything else he could find. Were the sites he targeted protected by SSL certificates? Unfortunately not.
Sadly, in too many instances SSL encryption is forgotten when securing servers and websites. By not taking security as seriously as they should, companies are playing a dangerous game with their own brand and reputation. As we saw in the Symantec ISTR report, cybercriminals are increasingly targeting not only banks and large organizations but also much smaller businesses, because these are viewed as attractive and lucrative targets.
Brand building and winning consumer confidence does not happen overnight, but comes as a result of many hours of work, sleepless nights and meeting after meeting… yet all of this can be put at risk by the simplest mistake. By letting a certificate expire, using an untrusted CA, or giving the wrong advice about security online, you are building your business on foundations of sand.
If they can’t see it, how can they know?
I was recently talking about information security to business students. Before I told them about the existence of SSL certificates, I showed them these two sites and asked which of the two was safe:
The reply came instantly, as if from the pharmacy shelf: one of the students pointed at the one on the right-hand side without even thinking about it. When I asked the reasons for the choice he replied: "Well.. there’s that green address bar there." Yes! Too bad I didn’t record this session; I would’ve forwarded the recording to some IT people..
Today's online consumer, a young student, chose the site certified with an Extended Validation certificate without knowing about any of its technical features – intuitively they knew what looked safe, and would put their money where their mouth is when it came to purchasing on a site like this.
Protecting your customers' and your company's information is not a staggeringly large investment. Creating brand awareness and brand status is key when it comes to maintaining a trustworthy reputation, and part of the investment in your brand should be to make purchases from reliable partners - the same applies to security contracts. Security should no longer be acquired with an "as long as we have something there" attitude. If you feel that you don’t have the knowledge or resources, you can always get them from your trusted service providers.
(Finnish) companies should be prouder of their brands - and protect them accordingly.