This week’s post was written by Ray Sidney-Smith of W3Consulting, social media consultant and facilitator of the monthly Roundtable for the Alexandria SBDC.
When Google makes changes to its algorithm, technologists and the media take notice. Google is the search engine juggernaut responsible for giving you the answers to most of life’s major and minor questions. “What’s the meaning of life?” Google answers, “42.” (If you don’t get the reference, read The Hitchhiker’s Guide to the Galaxy by Douglas Adams.) “What is the square root of 345?” Google calculates the answer as fast as you type the question: “18.574175621.” Aside from these Google Search hacks, it provides the world with 11.944 billion searches monthly to direct users to information, products and services. This constitutes 75.2% of the United States search market (and 87.1% of the U.S. mobile search market, where most searches take place today)1. In August 2014, Google announced that it was starting to use your website’s security configuration as one of the factors in ranking your website on Google’s search engine results. If you have the correct setup, you won’t be penalized by Google and suppressed on its Search Engine Results Page (SERP). So, in this case, Google made a change to its algorithm…and now small business owners need to take notice.
What Matters to Google Are its Users, and What Matters to Google Matters to Small Business
Google doesn’t often make many demands of small business websites. It actually goes out of its way to index and show those websites even when most of them are poorly constructed by the standards Google would prefer. After all, its mission is “to organize the world’s information and make it universally accessible and useful.”2 You can’t do that without scouring websites that can be unsavory, disorganized and sometimes dangerous (i.e., loaded with malicious software). Because of this, many computers–your business computers, Web servers where your websites live, and your customers’ computers–are susceptible to being infected by viruses that can be spread to others.
For years, this problem has proliferated, and Google users were empowered to report anything suspicious about a website that would make Google Search anything less than a quality experience.3 This makes sense from a Google user’s point of view: if I have a poor user experience because of spam websites or malicious attacks on my computers, I will stop using Google. Then a lightbulb went off over at the Googleplex: help Web publishers (i.e., you) secure the data transferred between users and the websites they visit from Google Search. A website that secures the data entered on it and transferred from its Web host “builds user trust”4 and users who trust Google-referred websites stay happy Google Search users. It all comes down to keeping Google users content with safe websites so Google will continue to send your business website traffic. Let’s learn a little bit about the mechanics and how to make this Web security happen.
Website Security 101
When you are browsing the World Wide Web, you are doing so through a connection to the Internet provided by your Internet Service Provider (ISP). The World Wide Web itself is merely a small portion of the Internet that’s public and available to almost everyone in the world. Its Web pages are connected by links to and from other Web pages and files that can be downloaded. When you browse to a website, you’re actually downloading a series of files that are displayed in such a way that you can consume the information or interact with it. You usually see this happen instantaneously and seamlessly through a Web browser like Internet Explorer, Mozilla Firefox, Google Chrome or Apple Safari. The magic happening in the background is hundreds of thousands of lines of Web programming code swimming around Web servers, routers and other hardware, and your computer or mobile device. It’s along this river of information that malicious programmers create programs that lurk in the background to take unsuspecting Web-goers by surprise. It’s as disgusting as a gun-wielding criminal in Central Park, waiting in the bushes after dark to steal your wallet or cellphone, or worse. But, there are things we can do to protect ourselves and our website visitors against these would-be attackers.
From the dawn of digital technologies, there were concerns about privacy and security and so there were people who built protocols for protecting our binary lives. Today, we have several security options (Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Web protocols). Using the prior analogy, it would be like walking through Central Park and having two police escorts with you along the path letting ne’er-do-wells know that you’re protected and they should stay hidden in the bushes. Enabling these security protocols verifies with an independent, trusted third party that you (as a consumer) are connecting to the website you intended to. Then, it enables that data to be transmitted to and from that website in an encrypted mode.
Encryption can be really complicated and confusing, but in its most basic form, encryption is changing the data to a format a would-be digital villain cannot understand. So, to give an example, let’s take an analog situation. You want to send a secure message to a friend. You swap around the vowels and consonants of the English alphabet, write a letter using this new combination of alphabet, and then you create a chart showing the normal alphabet with your version next to it (a “cipher”). To transfer the message, you give your friend the letter in its encrypted form, and separately you hand the cipher to that friend so they can translate your encrypted messages easily (and future messages perhaps). In the Web world, we have many different strategies similar to this. We add characters, we swap them and several other methods, in order to make sure that someone intercepting that data sees nothing but gibberish and cannot decipher the encryption algorithm.
By enabling SSL or TLS on your website or Web application, in essence, you’re taking advantage of these security techniques for your Web visitors. These visitors to your websites are potential, current and past clients who you don’t want to distrust you, or worse, be infected by malicious software by visiting your website. Again, this makes Google happy because it makes Google users happy.
Note to Government Contractors
Having a secure website is particularly important for anyone hoping to contract or be a subcontractor with the Federal government. Agencies and most large primes, particularly those in the defense and intelligence arenas, are automatically blocked from viewing any website that is not secure. If you do not have a secure website you will be invisible to them.
Next Steps
So, what does this all mean on a practical level? To start with, you will need to obtain an SSL certificate with your domain registrar / Web hosting service (also known as a “CA,” for Certificate Authority). If you don’t know who that is, just type “whois.net/whois/” (no quotation marks) followed by your domain name/URL (e.g., “whois.net/whois/alexandriasbdc.org”) and it will give you information that leads you to the company you are registered with for domain services. Once you know who your domain registrar is, you will need to purchase an SSL certificate (approximately $30-40 per year). You will be asked to generate a Certificate Signing Request (CSR). This is a bit of code that your server will create that contains a public key for the SSL certificate; the private key that will also be generated should stay private to your business.5 Again, don’t share that private key with anyone. After you have produced your CSR, you’ll hand that over to your domain registration service and they will issue you the SSL certificate, and then offer you instructions to apply the security configuration to your website. Every website domain/hosting service differs, some a little and some drastically, but they should provide you with detailed directions to make that happen. You will know you are successful when your website loads with a lock symbol next to your domain name in any Web browser and it shows HTTPS (secure HTTP) instead of HTTP (not secured) in the URL field.
Subsequent to initializing SSL on your own Web domain, you should now be able to browse to your website and see a lock symbol. This shows you are secure in your data transfer between you and the server, but this is not where the process ends unfortunately. Finally, you will need to make sure all your links to and from your website are themselves HTTPS links (meaning they too have SSL certificates). There are tools for doing this, but I would recommend that you call your Web hosting service and ask them if they have an internal tool for speeding up the process.
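A starting point for that last check, as an added example that is not part of the original post: a Python script that lists every http:// reference in a page's HTML. Going slightly beyond the text, it separates files the browser fetches on its own (mixed content, which can cost an HTTPS page its lock symbol) from ordinary links and form targets; the sample page and its example.com addresses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs the browser fetches by itself while loading the page.
# (<link href> is treated as a fetch, which holds for stylesheets and icons.)
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("iframe", "src"), ("img", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href"),
}
# Pairs that are only followed when the visitor clicks or submits.
NAVIGATION_ATTRS = {("a", "href"), ("form", "action")}

class InsecureLinkFinder(HTMLParser):
    """Collect (kind, line, tag, url) for every http:// reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which this tag starts
        for name, value in attrs:
            url = (value or "").strip()
            # Relative, https:, mailto: and //host URLs are not flagged.
            if urlsplit(url).scheme.lower() != "http":
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.findings.append(("mixed-content", line, tag, url))
            elif (tag, name) in NAVIGATION_ATTRS:
                self.findings.append(("insecure-link", line, tag, url))

def find_insecure_links(html):
    finder = InsecureLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every address is a placeholder.
SAMPLE_PAGE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<img src="HTTP://www.example.com/logo.png">
<a href="http://partner.example.org/">Partner</a>
<a href="mailto:info@example.com">Email us</a>
<form action="http://www.example.com/contact"></form>"""

if __name__ == "__main__":
    for kind, line, tag, url in find_insecure_links(SAMPLE_PAGE):
        print(f"line {line}: {kind:13} <{tag}> {url}")
```

Save each page's HTML source to a file and pass its contents to `find_insecure_links`; the "mixed-content" entries are the ones to fix first.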
After all is said and done, securing your website is not just for Google. It’s so that you are secure in your business data on your website, your customers and Web visitors are safe, Web criminals are discouraged from continuing their malicious efforts, and in the end, this means a safer Internet, and hopefully more business sales for you.