So, if you’re starting an online business, no doubt someone…somewhere…has mentioned “SSL”. It may have been in a casual, inquisitive manner, or it may have been a more frantic “you got a SSL certificate, right? Oh…you HAVE to get a SSl certificate or all of your customer data will be stolen!”

The purpose of this post is to allay some of the fear and uncertainly about SSL and give a short primer on what it is, what it means, and what the differences are between the various alternatives.

SSL – What Is It, and Why Do I Need It?

Put simply, a SSL certificate is used to create a secure, encrypted link between a person’s browser and the web server used to host the page they’re on. The encrypted connection ensures that any data that is transferred from the browser to the web server – for example, when someone fills out a form – remains private during transmission. The certificate is provided by a “Certifying Authority” (CA) like VeriSign or Trustwave (though there are many others), and is most commonly associated with the lock icon that appears in the browser window when someone visits a secured page.

SSL is important because it gives visitors to a secured page of your website “peace of mind” knowing that the information they are inputting on that page is encrypted and not traveling in plain text. Therefore, the potential for that data to be usable should it fall into the wrong hands is greatly, greatly reduced.

What Types of SSL Are There?

Shared SSL
This means that your hosting provider has (usually) purchased a SSL certificate that can be used by multiple people. This generally works by attaching the SSL to a generic domain (though some hosting providers use their own domain), then providing customers with a path to use for encrypting the connection for their individual sites. An example of a shared SSL path would be https://www3.ssldomain.com/customer-domain-name/page-name.html.

Great For:
1. New sites just getting started.
2. Basic forms.

Not So Great For:
1. Ecommerce
2. Any form asking for extremely personal information (e.g., social security number)

Dedicated SSL
This is where you purchase a SSL certificate for YOUR domain. The pathing for secured pages when using a dedicated SSL certificate is really not different than any other page of your site, except for the “S” – https://www.your-domain.com.

Great For:
1. Any use – form information, credit card purchases, FTP access – anything you want to secure and encrypt on your site.

Not So Great For:
1. Some may argue larger scale purchases (in the tens of thousands of dollars), but that’s just because there is an alternative, and it is….

Extended Validation (EV)
This is a new type of SSL that entails a greater degree of authentication and validation by the CA. The benefit to an EV certificate is that the CA has to go through many more steps prior to issuing an EV certificate. Some of these steps entail a physical visit to the requestor’s location and a signed letter by an executive of the company (usually a CFO or some designee); therefore, quite a bit more than is needed for a standard SSL certificate.

Great For:
1. Large ticket items, generally in the thousands of dollars per item.
2. A company wanting to prove its commitment to security.

Not Great For:
1. Anyone without deep pockets. As this certificate entails a bit more labor on the part of the CA, they are a “bit” more expensive.

Finally, a quick word on “Premium” and “Enterprise” SSL certificates. Some companies sell different levels of certificates, and they’re usually labeled something like “premium” vs. “enterprise”, or even “enterprise” vs. “premium enterprise”. The difference between these certificates generally comes down to bit level encryption and/or level of warranty provided by the CA. The CA may even attach some identification scheme to prove the level of security offered, add scanning services, real-time authentication, etc. There are pluses and minuses to all of this, so use your best judgement when deciding what you want to pay for. A good, solid SSL certificate issued by a reliable provider is fine for most companies. If you really want to prove your level of commitment, then adding services is a good idea and may be worth the additional cost.

So there you have it: a decent primer on SSL. This is, of course, not a complete breakdown of SSL, much less a discussion of the technology behind SSL. So, if you have additional questions, please feel free to ask us – we’re here to help! As an aside, Newtek Web Services provides a dedicated SSL certificate on our Storefront Builder plan, and SSL can be added to the Website Builder or any custom site build.

Here’s something to think about:  At this very moment, cybercrooks are aggressively targeting small businesses and looting their bank accounts.

According to the FBI, hackers targeting small businesses, non-profits, and other small organizations have attempted to make off with about $100 million in fraudulent transfers so far.  It’s getting bad enough that both the feds and the American Banking Association are now advising businesses to use a completely separate PC just to do online banking with.

Here’s what cybercrooks are doing:

Through phishing scams or malware attacks—both usually initiated via email—cybercrooks attempt to capture your online banking credentials, then use that to log in and obtain the information they need to transfer money out of your account, often through ACH or wire transfer.

Unfortunately, the reason hackers are aggressively targeting small organizations is simple. Small businesses are much more likely to lack the controls or have the resources in place to safeguard against these types of attacks when compared to larger organizations.  But there are still effective measures you can take to protect your business.

5 steps you should take right now

1.  Educate your staff – Let your team know about this threat, and educate them about the importance of simply paying attention to the emails they open when on company computers.  Luckily, spam is more often than not easy to spot, and recognizing obvious spam, and deleting it, should be your first line of defense.

Also, take a look at this Biztech article on phishing.  It provides a pretty good overview of what phishing is and how to avoid falling prey to it.

2.  Keep your antivirus up-to-date – Is your antivirus subscription up to date?  Is it installed on all of your company workstations?  Does your antivirus software scan emails, and, if so, is that functionality activated? If an infected email attachment is inadvertently opened, an up-to-date antivirus scan will usually be able to detect it.

3.  Monitor you bank activity – Most banks allow you to set up alerts, either by email or text message, whenever a certain type of activity occurs on your account.  If an unauthorized bank transfer is detected quickly enough, your bank may be able to stop it in its tracks.

4.  Manage your passwords – If malware is detected on any of your workstations, it might be a good idea to change ALL of your passwords.  Do you have a system in place to document and manage all of your online accounts?  If you’re going based on memory alone, you’re bound to forget one when the time comes to change them all.   You may also want to look into acquiring a password manager.

5.  Protect your important data – You may want to seriously consider the FBI’s advisory to use a dedicated PC to do all of your online banking on.  Whether or not you decide to go this route, it’s also a good idea to always have a back up all of your important data. A data backup, storage, and retrieval plan is not just protection against hardware failure.  In the event any of your systems are compromised, the best solution is often to roll back the system to a pre-attack state, or to reformat the system and restore the important files to it.

What is your business doing to protect itself?  Does your business have any other security practices you’d like to share?  Let us know.