Casey Crane, The SSL Store: “The Internet isn’t secure – threat actors can intercept, alter, or steal your data while in transit”
Companies are already starting to realize that protecting consumer data is no longer consumers’ own responsibility. In fact, a security-oriented approach to conducting online business can even be used as a competitive advantage, helping to attract new customers and drive sales.
Unfortunately, the Internet on its own isn’t the safest place. Cybercriminals continuously create new attack tactics and reinvent the old ones for the same goal – obtaining illegal profits.
So, today we talked with Casey Crane, the Content Manager at The SSL Store, about the most common mistakes new website owners make, what the most prominent cyber threats are, and how they can protect their website users’ data.
How did the idea of The SSL Store come to life? What were your biggest milestones throughout the years?
The SSL Store began as an SSL/TLS distributor based in St. Petersburg, Florida in 2007. Now, we’re operating in three offices globally with clients in more than 150 countries worldwide!
Our site’s online publication, Hashed Out, is an educational resource that’s read by hundreds of thousands of unique users each month. This platform allows us to serve as an industry thought leader. It also allows us to help our customers and readers stay abreast of the latest changes within the SSL/TLS industry and learn about other important cybersecurity issues and concerns.
A few of our biggest milestones over the last 15 years include:
- Becoming the #1 SSL/TLS certificate distributor globally, and proudly continuing to retain that title
- Becoming an industry thought leader and educator via Hashed Out
- Being named an Inc. 5000 fastest-growing company six years in a row
Can you tell us more about what you do? What set of tools do you use to ensure a website runs fast and smoothly?
The SSL Store is the world’s leading provider of SSL/TLS certificates. We’re a platinum partner and reseller for several of the world’s supreme certificate authorities, including heavy hitters like DigiCert and Sectigo.
What are the main issues that can arise if a website doesn’t have SSL certificates in place?
The issues of not using an SSL/TLS certificate on your website range from everything relating to data security and compliance-related concerns to a host of issues that affect your rankings on search engines and sales capabilities. We recently published an article that curated many current cybercrime statistics that illustrate many of these concerns.
An SSL (or, more accurately, TLS) certificate is what makes the HTTPS and a padlock appear in your browser’s address bar. These security indicators mean that your website is using a secure, encrypted connection. The internet, on its own, isn’t secure – threat actors can intercept, alter, or steal your data while it’s in transit.
By not installing this certificate on your website, you’re waving a big red flag to customers. You’re essentially communicating that you don’t prioritize security and that they shouldn’t trust your site to protect their sensitive data. Furthermore, browsers like Google Chrome will testify to this concern by warning users that your website isn’t secure.
So, why should users believe otherwise and trust you if you aren’t taking steps to secure their information? Frankly, there’s no reason for them to do so, and this will drive them straight into your competitors’ arms.
Did you notice any new tactics that threat actors started using during the pandemic?
While cybercriminals do sometimes come up with new tactics, the truth is that most seem to prefer reusing the old ones. Rather than creating entirely new methods, they can put new twists on tried-and-true scam tactics to trick or manipulate users into falling for their malicious emails and websites.
For example, some of the tactics experts observed early on in the pandemic involved the creation of fake:
- Covid-19 outbreak tracking sites
- Testing and vaccine resources
- Donation requests in the name of legitimate organizations
- Covid-19-themed emails from people impersonating various authorities
In your opinion, what are some of the worst mistakes new website owners tend to make?
Hands down, one of the biggest mistakes we see repeatedly is not installing an SSL/TLS certificate. Technically, installing a website security certificate isn’t a requirement, so some people ignore this best practice when creating a new site. However, as already discussed, it’s easy to see why this is a problem – from both security and reputational standpoints.
Another mistake is mismanaging the certificates and cryptographic keys. A digital certificate doesn’t do you any good if it’s expired. Also, it’s hard to keep track of your certificates if you don’t know they exist. This is why we always recommend website owners use a certificate management tool to help streamline and simplify this repetitive but crucial security task.
A third issue is that new website owners don’t always properly configure their site’s security settings. This can create a slew of problems and cause warning messages that drive away customers.
A final mistake worth mentioning is the practice of not restricting access to their sites’ backends. By not limiting access to select users, you’re creating a larger attack surface for cybercriminals to target. The more people with access to the site’s dashboard, the greater the risk regarding phishing tactics. All it takes is one authorized user not practicing caution to give an attacker access to your entire website.
Needless to say, none of these things is good for security or your organization’s reputation.
What tips would you give to someone who is thinking of setting up a website? What are the key steps in this process?
- Make security one of your top priorities. Security should never take a back seat when it comes to anything on the internet. This is why it should be part of your website creation and implementation strategy from the get-go. This also entails dedicating the time and resources necessary to make your site as secure as possible.
- Secure your website with SSL/TLS. Not only is it good for securing your data in transit, but implementing HTTPS also helps boost your site’s search ranking with Google – it’s considered one of the search engine’s ranking factors.
- Keep all of your website themes and plugins patched. Unfortunately, a lot of companies procrastinate when it comes to rolling out updates. This leaves you vulnerable to cyberattacks and exploits. WPScan reports that 90% of the WordPress vulnerabilities they’re tracking are plugin-related.
Besides implementing SSL certificates, what other security measures do you think are essential for websites nowadays?
Something that may get overlooked when setting up a website for a business or organization is protecting your domain and brand from being used in email-based phishing scams. One way to do this is by using email filtering and DNS-based security methods, including the following:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
These approaches allow you to specify who can or can’t send emails from your domain. This way, recipients’ email servers know that unverified messages claiming to come from your domain shouldn’t be trusted.
You also can display your organization’s legally registered logo by implementing Brand Indicators for Message Identification (BIMI), which takes your email branding to a whole new level.
What cybersecurity tools, in your opinion, will emerge in the near future? On the flip side, what technologies are going to fall off the radar soon?
A significant area of growth is in the zero-trust security sector with authentication tools and technologies. This is the concept that no one and nothing is automatically trusted – internal, external devices and users must undergo continuous authentication using tools that validate their digital identities.
While it’s not technically new, zero-trust is something that’s picking up traction with businesses and organizations globally.
Of course, something that’s further down the road is Post-Quantum Computing (PQC) and PQC SSL/TLS certificates. Modern SSL/TLS certificates rely on public-key cryptography (asymmetric encryption) to exchange critical data securely before enabling two parties to communicate via a secure, symmetrically encrypted connection. The concern here is that quantum computing will break public-key cryptography as we know it, rendering it useless against attackers. This is why the National Institute of Standards and Technology (NIST) has been working on coming up with quantum-resistant public-key cryptographic algorithms.
So, the goal with PQC SSL/TLS certificates is for them to bridge the gap between websites and systems that are PQC-enabled and legacy systems that aren’t. But the truth is that quantum computing isn’t happening quite yet. That rock is still kicking down the road until quantum computers are commercially available. So, yes, quantum computing is on the horizon, but it’s been on the horizon in discussions since the 1980s. It’s something every business should start preparing for but shouldn’t freak out about.
Share with us, what’s next for The SSL Store?
We plan to keep growing by offering more and better ways for customers to protect their websites and data against hackers. For example, we’ve recently added SiteLock to our lineup. This is a proven all-in-one package to protect small business websites. We’re also helping website owners display their sites’ security to users via Verified Mark Certificates (VMCs) and TrustedSite.