Everyone’s asking for personal information these days. Passwords. Credit card information. Employment history. Mothers’ maiden names. But what are we really asking for when we do this? Sure, we want that information so we can get a new subscriber, follow up with prospects, and make a sale…
But what it ultimately boils down to is trust. We’re asking our website visitors to trust us in taking that next step. And do you know what Google says to that? If you don’t have an SSL certificate by January 2017, you can kiss that trust (and, most likely, conversions) goodbye. SSL (and HTTPS) are just the tip of the iceberg when it comes to website security, but Google’s directive has us moving in the right direction.
In this article, we’ll discuss the risks your visitors take when visiting insecure websites, what role SSL, trust marks, and other security measures play in establishing visitor confidence, and how that consumer confidence eventually leads to more conversions.
The Connection Between Security and Conversions
Creating a secure online environment for your visitors (and soon-to-be customers) is one thing. Being transparent about how you’ve secured your website is another. If you’re wondering why you need to actually show your visitors how you’ve secured your website, take a look at these statistics:
- In a survey from Actual Insights, 61% of respondents “had not made a purchase because no trust logos were visible, while 76% hadn’t because they didn’t recognize the logo.”
- According to GlobalSign, 77% of people are concerned with someone stealing their information online. 55% are worried about their identity being stolen.
Your visitors want proof you’ve provided a safe place for them to share their information. There are a lot of people interested in making purchases, reading blogs, and signing up for services online. But this same desire often goes hand-in-hand with the growing fear of what it means to fill out a form, apply for a job, or pay with a credit card online. So it’s up to you to put your visitors’ fears to rest. Think of it like any other promise you’d make on your website:
- Free shipping when you order $50 or more.
- We’re more than just an advisor. We’re your partner.
- Guaranteed to beat the competition’s prices, or we’ll refund you the difference.
Security is the same way. While a blanket statement about protecting their privacy is good, it’s not as meaningful as hard proof that you’ve taken action toward securing your website—especially if you can leverage well-known and highly trusted brand names in the process.
Technically, the green “secured” marker in the address bar of a browser window is a trust seal, too.
According to this Symantec report: “Simply put, SSL Certificates are very effective in protecting data in transit. In fact, according to some calculations, it would take about six thousand trillion years—or about a million times longer than Earth has existed—to crack a 128-bit encryption on SSL Certificates with a brute force attack.”
If you haven’t heard of SSL before, it stands for Secure Sockets Layer and it refers to an extra level of encryption standing between the server where your website resides and a visitor’s browser. Visit a popular e-commerce website like Amazon’s and take a look at the address bar in your browser.
Thanks to SSL, there are three forms of security proof right there in the site’s address:
1. The “https://” before the URL. HTTPS is the secure version of HTTP.
2. The letters “https://” are in green. (Green for good. Green for go.)
3. There is a safety lock before the web address.
While you might not think that’s a big deal, if you’re handling sensitive customer information (e.g. social security numbers, credit card payments, etc.), it’s safe to assume your site’s visitors know to look out for that green indicator. And, if they weren’t aware of it before, Google’s on a mission to make sure they are, starting in 2017 (at least in the Chrome browser).
Depending on who you get your SSL certificate from, you may also receive a trust seal (typically, an icon with their logo) that you can place on your site. Security providers like McAfee (79% of people recognize this specific seal), Verisign, and secure payment providers have trust seals you can use as well. Here are just a couple examples of how trust seals helped instill more confidence in website visitors:
- According to A/B testing conducted by com, adding the McAfee security seal to their website resulted in 2.7% more conversions than without it.
- After Blue Mountain Media applied a VeriSign seal to their signup form, Google Analytics showed an increase of 81% in signups.
As you can see, trust is a lot more than just assurance from a business. It’s about transparency, too. Your customers need to feel confident that their best interests are your number one priority—and security plays a major role in that in this digital age. If you want to get those conversions, you’ll need to do everything you can to gain your consumers’ confidence.
Does Your Website Trigger a Trust “Alarm”?
From your side of things, you probably feel content knowing that you’ve fortified your website through a number of security measures. But aside from seeing Google’s approval at the top of their browser window, or seeing a recognizable trust mark on your site, how can visitors really know that your site is a safe one to engage with?
Think about it from their point of view. Aside from the obvious trust seals, what more could you do to demonstrate that your site is stable, regularly monitored, and overall a trustworthy one? Think about the following:
- Does your site take longer than three seconds to load?
- Does a “mixed content” warning show up before visitors get on your site? (This means you have HTTP links or images on a website running on HTTPS.)
- Are there any broken links or images to be found on your site?
- Is the content written fluently in your visitors’ native language?
- Is your design looking dated?
- Have you included a valid phone number, email, and contact form through which you can be reached?
- Are there social media links present on your site?
- Do you regularly create new content on your blog?
There are a number of ways your site may possibly trigger a “don’t trust them” alarm. If you want your visitors to feel at ease with you, then you’ve got to remove any trace of doubt they might have when they go to click that Sign Up or Buy Now button.
The above “red flags” may not be a fair judgment on your site or business, but there are over a billion websites online today—many of which set a very high bar. The ones your visitors are most familiar with (the Amazons, the Facebooks, the BuzzFeeds) keep their sites running at maximum capacity 24/7. In your visitors’ eyes, those fast-running, error-free websites are what secure websites should look like.
While the issues noted above may not have anything to do with security, they’re still problems that every website owner should take into consideration when trying to make visitors feel safe enough to share their information or make a purchase. Think of them like trust seals. Your visitors have a smooth and easy experience navigating your website, and, in their minds, that translates to you being a trustworthy entity to do business with.
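The “mixed content” check from the list above, as an added example in Python (not part of the original article): it scans a page’s HTML for resources that an HTTPS page would load, or forms it would submit, over plain HTTP. The sample markup and example.com hostnames are constructed; ordinary `<a href>` hyperlinks are navigation rather than loaded content, so they are not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, kind of finding).
# "active" content can rewrite the page, so browsers block it outright;
# "passive" content is only displayed, so browsers warn or upgrade it;
# "form" marks a form on an HTTPS page that posts its data over HTTP.
RESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # checked only when rel contains "stylesheet"
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
    "form": ("action", "form"),
}

# Constructed sample page, assumed to be served from https://shop.example.com/checkout
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://shop.example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/seal.png" alt="trust seal">
<img src="/static/logo.png">
<a href="http://partner.example.com/">partner</a>
<form action="http://shop.example.com/subscribe" method="post"></form>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # relative URLs resolve against this
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # <base href> changes how every later relative URL resolves
            self.base = urljoin(self.base, a["href"])
            return
        if tag not in RESOURCES:
            return
        attr, kind = RESOURCES[tag]
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return                # other rel values are not checked here
        value = a.get(attr)
        if not value:
            return
        # Relative and protocol-relative (//host/path) URLs inherit the base scheme
        url = urljoin(self.base, value.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each insecure reference on an HTTPS page."""
    if urlparse(page_url).scheme != "https":
        return []                 # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://shop.example.com/checkout", SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```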
Loss of Data. Loss of Trust. Loss of Conversions.
With article titles like ZDNet’s “These Companies Lost Your Data…”, it’s no surprise that online consumers are anxious about giving you their information. Let’s face it: it’s not just these scary headlines that strike fear in the heart of your site’s visitors either. The risks of dealing with insecure websites are well-documented.
Did you know:
- That when asked about their website’s security, 59% of Ponemon survey respondents “admitted to losing customers because they failed to secure the online trust established by keys and certificates”?
- That every time sensitive or confidential information is stolen from a company, it results in a loss of about $154 per piece of information?
- That 31% of customers cut ties with companies if they found them to have been negligent with their data?
Let’s take this a step further. Because although those statistics are disheartening, they don’t fully capture the devastating effects that website attacks have on businesses and their customers. While adding security layers to your website and providing proof of them will help visitors trust you, if you’re not actively staying on top of your security, you could lose their trust, conversions, and a whole lot more.
Independent business owners. Medium-sized e-commerce companies. And the well-known enterprise. It doesn’t matter who you are. Hackers won’t discriminate so long as you have something of value to them. Here are just some of the security breaches from recent history you should be aware of:
While it’s easy to label this victim as “Twitter”, in reality, the source of the breach was found to be Dyn, the Internet performance management company in charge of providing secure DNS servers to their clients. When the Dyn servers were attacked in the fall of 2016, Twitter, Netflix, Reddit, Spotify, and other major client websites went down, throwing a good portion of Internet users into disarray as they wondered what was going on.
The seven-employee, online toy company faced not one, but two website security breaches. The first was a DDoS attack that shut their website down completely. The second attack came in the form of ransomware, rendering their files and systems useless. It cost them thousands of dollars in sales as they spent four days rebuilding everything from scratch.
In another case of a small business victim, the skate park’s website was taken down by a security breach. Edward Pollio, one of the founders of 5050 Skatepark, said, “The attack caused havoc. People were asking if we were still in business. Not having a website is like being closed.”
In 2013, the online retailer learned through Discover (and, later, Visa and MasterCard) that customers had reported fraudulent activity on their credit cards, stemming from their website. Once they tracked down the breach, they had to inform 3,500 customers that their financial data was compromised and then they had to put a temporary hold on accepting credit cards through the website. All in all, the company lost about $200,000 as they attempted to build a new, more secure website and regain their customers’ trust.
The moral of the story is simple: security breaches are costly—and it doesn’t matter who you are or how large your business is. No one’s website is 100% safe.
That being said, businesses of all sizes stand to lose a lot if they let their security fall by the wayside. Businesses lose time in resolving data breaches, bringing their site back up after a DDoS attack, and answering customer inquiries about the incident. They also lose efficiency as their IT team shifts their focus from running the business to putting out security fires.
And the worst side effect? A single, documented lapse in security will leave you fighting to prove your brand’s trustworthiness for years to come. If you were worried about prospects or customers doubting your site’s security before, think about what happens when they have proof that yours really isn’t safe.
The 10 Website Security Tools You Need Right Now
Google’s nudging us in the right direction by penalizing or rewarding websites based on their use of HTTP/HTTPS in 2017. Let’s not stop there.
SSL certificates are an essential piece of every business’s security arsenal—but that’s the key thing to remember. SSL is just one tool out of many you should be using. Marketers would never plan their entire strategy around a single social media platform. Sales teams would never rely solely on making phone calls to convert leads. And business owners would never hire a single person to handle every aspect of their business’s operations, finance, marketing, sales, and administration. It’s just too risky and, to be quite frank, highly inefficient.
Website security is not an elusive concept that’s difficult to achieve. We know what hackers want (i.e. to harm our business and gain access to our customers’ confidential information) and we know where they’re going to strike. Knowing is half the battle. Now you’ve got to take action and fortify your site. And remember: the right types of security tools will not only protect your site, business, and customers, but, if used correctly, will help you increase conversions.
The following list will include security tools your website should be using as well as some tests you’ll need to ensure they’re working.
Security Tool #1: SSL Certificate
If you’re still not sold on this, here are four reasons why this needs to be one of your site’s security measures:
1. It’s super affordable (or free, if you get it from Let’s Encrypt).
2. Without it, your website’s URL will have an unpleasant “Not secure” note at the top of your visitors’ browsers.
3. Without it, you’re opening your customers up to a potential loss of privacy, identity, or money (and the time spent trying to recover it) if your site gets hacked.
4. Google currently penalizes websites that don’t use HTTPS by ranking them lower in search.
Most security solutions tend to focus on fixing one particularly weak part of your site: the admin page, the plugins, the comments, etc. An SSL certificate provides a more comprehensive block to a hacker trying to access your visitors’ information.
Security Tool #2: Automated Updates
Unless you’re working inside your website on a regular basis, you may not be aware of the various updates released by your content management system (like WordPress and Joomla) or the third-party tools integrated within it (like theme/templates and plugins/extensions). That’s why many people consider automating those updates.
Whether you’re aware of them or not, those updates still need to be made in a timely fashion. They usually contain a patch for a bug or some other vulnerability found within the tool, and any time you waste in getting your system updated could leave that vulnerability open on your website. Even though the root cause of the hack wouldn’t technically be your fault, your visitors won’t see it that way if their identity or security is compromised.
It’s also important to note that you should only use trustworthy content management systems and third-party tools to power your website. One of the best ways to tell if they are trustworthy is based on reviews from other users… and on how often they update their tools.
Core and tool updates keep your basic website’s health in check. They ensure that the code is clean, the glitches are gone, and breaches are plugged before anyone can find their way into your site.
Security Tool #3: Login Protection
There are a variety of ways hackers can crack into your website. One of the more common ways is known as a brute force attack. This is when hackers throw as many automated guesses as they can manage at your site’s login until one gets them in. Luckily for you, there are a number of ways you can reinforce the security of your login page and a variety of tools that’ll cover most of them for you in one fell swoop.
The key protectors you want to look for are:
- Captcha: You’ve seen this before. There’s a letter-and-number combination that needs to be typed out to verify you’re not a bot.
- Stronger password enforcement: Passwords can be annoying, especially when you have to create so many for all the online and desktop tools you use on a regular basis. If you’re trusting someone to access your site though, you’ll want to ensure they’re using password generation best practices (letters, numbers, symbols, etc.).
- Two-factor authentication: Two-factor authentication is another way to enforce better login practices, only this time you’re requiring users to verify their unique identity, typically with another device.
- Admin URL: This is a particularly important one to make note of if your website runs on WordPress since the default admin URL ends in /wp-admin/. If you leave your website’s login at that URL, you’ll just make it easier for hackers to force their way in.
Every content management system is different, but most will offer a plugin or extension that offers these login protectors.
Security Tool #4: Payment Gateway Security
For anyone who accepts payments online—e-commerce companies, SaaS providers, non-profit organizations, freelance service providers, and so on—your payment portal may be the weak link that gets you into trouble.
If you are in the business of making sales online, then you’re no doubt familiar with payment gateway providers like PayPal and Stripe. With built-in security systems, these tend to be the go-to providers for e-commerce (on top of the standard credit card payment processors). But what if you don’t want to deal with those fees or you want a provider that works better for customers in a different geographic location?
Your customers trust you to provide a safe means for them to share their financial information. Never sign up for a third-party provider (payment or otherwise) that has not been fully vetted by the BBB or that has been flagged for previous security infractions.
Security Tool #5: Spam Control
This one usually doesn’t get talked about a lot because it’s not the most obvious place you’d think your visitors’ security would be compromised. Unfortunately, the comments section of a website can pose a security risk if it goes unchecked.
Comments on your content are great, but not if they come from someone intending to infect other computers or to hack their way into someone’s personal information through a link. You’ve probably seen it before, too. A comment comes through talking about what a beautiful website you have and how people should follow this link so they can see more information on related services.
As a general rule, never allow a comment like that to hit your site. You can’t afford to have one of your visitors click through that link and be subjected to any possible harm because of it. One of the easiest ways to do away with these is to use a spam blocker like the Akismet plugin.
In the off chance that someone finds a way to get a malicious spam comment on your website, you’ll want to implement this simple blocking solution. Akismet also lets you know if there’s been a malicious login or spam comment attempt, so keep your eyes peeled to this plugin so you’re aware of any major breach attempts as they occur.
Security Tool #6: Backup
You should have a backup of your site made regularly for the sake of always being able to roll back to a previous version if something should go wrong. You never know if the source of the problem will be user error, a faulty third-party integration, or something malicious. Either way, you’ll want to always be prepared.
Distributed denial of service attacks (or DDoS) are one of the big reasons why you’ll want to do this. That and ransomware. These are two of the more severe forms of security breaches, and they can have devastating effects on your relationships with customers if they find that your site isn’t available (much like the Netflix example above).
By having a backup stored off-site, you can bypass any threat to your site and get it back up in no time. It also keeps you from having to spend money and time rebuilding your site completely from-scratch, leaving customers to wonder if it’s worth it to return to you when it’s back online.
Security Tool #7: Hosting Security Service
Web hosts are a particularly useful resource when it comes to security. When you signed up for your hosting account, you probably were asked if you wanted to get a security add-on for it. If you passed on that offer then, you’ll probably want to reconsider that now.
Hosting service providers offer the promise of giving you a secure server from which you can run your site, but even they know that’s not enough. That’s why the more reputable providers will provide firewall, monitoring, and backup add-ons in the case your site does face a security threat.
Security Tool #8: Premium Security Service
If you’re already short on time, you may want to think about handing the reins of your site’s security over to a security services provider. It’ll cost you money, but it’s worth it if you have a high volume of visitors that you need to protect.
There are a number of premium security services companies that can help you with this (Sucuri being one of the most well-known). The form of protection they each offer will vary as will your site’s unique needs. In general, these professionals can help with the following:
- Managing system and third party updates
- Monitoring for security threats
- Backing up your site
- Adding firewalls
- Cleaning out any infections from your site
- Cleaning up and repairing your site after a threat
While you may be concerned with the price tag associated with all this website security, go back to those website breach examples from earlier. What may cost you some extra time and a little bit of money now could prevent you from losing unrecoverable funds and customer trust in the long run.
Testing Tool #9: Google Analytics
If you’re not already spending time thoroughly reviewing your site’s analytics with Google Analytics, then you’ll want to get on that now. It’s an excellent first line of defense when it comes to identifying issues on your website. While it might not provide you with detailed accounts of who tried to break into your site or steal your customers’ information, it will tip you off to when something’s wrong in the intersection between trust and conversions.
Here are some of the spots you should watch closely to make sure your security efforts are working:
- Bounce Rate: If this number is a lot higher than usual, you may be experiencing a major onslaught of hackers trying to break their way in. Or there may be some sort of trust alarm sending visitors running in the opposite direction.
- Behavior Flow: If you’re seeing the expected customer journey pathway in the Behavior Flow, but there seems to be an immediate dropoff at your conversion point, there’s something wrong there. Either something’s interrupting their experience or there’s a break in their trust keeping them from converting.
- Page Timings: A slow-to-load site is not only bad for your visitors’ short attention span, it’s also a clear indicator that your site isn’t optimized… or there’s something wrong with its security. If your page timings exceed three seconds, check out the Speed Suggestions tab below this one for ideas on how to fix your problems.
- Goals: You’ll need to establish a number of goals or milestones here before you can use this section. Once you do though, this is going to be a crucial piece in monitoring your sales funnel performance and identifying any glitches along the way.
- Ecommerce: For those of you running an e-commerce website, you’ll want to enable this functionality as well. While goals will tell you when people have completed a certain number or type of actions, Ecommerce will report on your sales success. So if you want to see if your use of trust seals is affecting conversions, you’ll want to come here.
Testing Tool #10: A/B Testing
Now, if Google Analytics is your first line of defense, then A/B testing is your first line of offense. Once you have an idea about a problematic area of your website, you can use A/B testing to confirm your theory about how to fix it. This is also a helpful tool when it comes to testing out your visitors’ propensity for converting more when trust seals are clearly evident on site.
If you’re unsure of how to use A/B testing or how to tie this into your site’s security plan, be sure to check out this post on How to Build a Strong A/B Testing Plan That Gets Results.
By now it should be obvious. Not only should you want visitors to trust you, but you absolutely need them to. While there is the potential that your site may never be attacked, you could still be losing sales if you don’t have the proper security measures (and trust seals to prove it) in place. And, to complicate matters, Google’s crusade against the HTTP website starts very soon. You can’t afford to let a lapse in security—something that’s relatively easy to fix—or the proof to back it up affect your business.
People wouldn’t be on your website if they weren’t interested in what you were selling. Give them a reason to trust that they can make a purchase, both securely and privately.
Nathan Oulman owns and operates Dailyhosting.net which focuses on web hosting conversions, and web hosting tools.