The findings come from joint research by MKB Servicedesk (SME Service Desk) and SIDN, manager of the .nl domain. The study analysed nearly 780,000 business websites with .nl addresses (excluding webshops). Out of almost 429,000 business websites that processed sensitive data, just over 367,000 (85.6 per cent) weren't using SSL encryption. (For comparison: 44 per cent of government websites now use SSL to make data unreadable for outsiders.)
A website with SSL encryption can be recognised by 'https://' in front of its address and by the padlock icon in the browser's address bar. If the site uses the most comprehensive version (EV SSL), the browser shows the business name in the address bar, within a green panel. So users can be sure who owns the website. Just 0.3 per cent of the business websites that process sensitive data are set up for EV SSL.
Under the Data Protection Act, any website that processes passwords, personal data or payment information has to be properly secured. The Data Protection Authority recommends using SSL or another modern encryption technology. In the last resort, the Authority can impose a penalty of € 4,500 on website owners that don't comply.
"The legal requirements about ICT security have been tightened up a lot," observes Willem Overbosch, Director of the enterprise platform MKB Servicedesk. "For example, since the start of 2016, the reporting of data breaches has been mandatory for businesses. Yet, just over a year later, many entrepreneurs don't really know about the new rules, or have no idea what's expected of them. So we have greatly increased our efforts to draw attention to the issue."
All Dutch webshops – of which there are now more than 80,000 – use SSL certificates for their payment facilities. "That's because the organisations that handle the payment traffic insist on it, of course," points out Michiel Henneke, Marketing Manager at SIDN. "However, only 3.3 per cent of them are using the extended type, as indicated by the green address bar panel. Consumers are getting used to the idea that the green panel means security and tend to prefer using webshops that have that."
For some time now, Google has 'penalised' websites that don't use the SSL protocol by showing them lower down in search results. And, since 1 January of this year, browsers such as Chrome and Firefox explicitly warn of an 'insecure connection'. However, nearly all visitors simply close the warning and carry on. "If as a business you invest a lot in making your site easy to find, it's a great shame to lose trade for want of the right kind of security," stresses Willem Overbosch of MKBServicedesk.nl. "Especially since enabling encryption is very straightforward and costs very little. Some service providers will enable it for free. So there's no longer any reason not to get your security in order."
|DV SSL (Domain Validated SSL)||The most common type. Secures only traffic between a website and a visitor.|
|OV SSL (Organisation Validated SSL)||Like DV SSL, but the identity of the applicant is checked as part of the application process.|
|EV SSL (Extended Validation SSL)||The most recognisable type. If in use, the website has an obvious green bar at the top and the applicant's business name is prominently displayed. The application process involves detailed checks on the applicant's identity and authorisation.|