Data security is more important than ever for businesses, yet there is a noticeable gap in law firms’ foray into website security. In fact, large law firms’ websites have only recently started the conversation. Most firms’ website data is transferred between a server and users’ browsers via Hypertext Transfer Protocol (HTTP). This data is typically transferred as plain text, which can be easily intercepted by an attacker.
E-commerce sites have long used the more secure Hypertext Transfer Protocol Secure (HTTPS) protocol, which encrypts all communication between browsers and websites, to protect credit card and personally identifiable information (PII). Corporate and government websites are now moving to the more secure HTTPS protocol as well.
This delay among law firms can be attributed to a number of reasons. First, law firm websites don’t interact directly with consumers the way other companies’ sites might, so the information they handle may not be sensitive enough to make encryption an obvious choice. By the same token, when a law firm’s site is breached, the violation is not always publicly reported. With so many data security concerns going unaddressed, taking steps toward enhanced security at every level is essential.
Implementing HTTPS to deliver encrypted content is quickly becoming a data security best practice. Earlier this month, it was announced that all government websites are required to use HTTPS, and law firms are quickly following suit. For many IT teams and legal marketers, however, the decision to switch can be confusing, especially if they don’t know which factors to consider.
The Cons of HTTPS
The move to HTTPS — although an important step toward data security — may not necessarily be right for every firm. There are also a few stumbling blocks to HTTPS implementation.
One issue associated with HTTPS is that pages may load slower, depending on the visitor’s Internet connection and the browser or device being used. Specifically, corporate-controlled website proxies often don’t cache HTTPS content, so corporate users accessing sites through those proxies will experience slower load times in offices with limited Internet bandwidth.
What’s more, HTTPS services are computationally intensive and require additional server load, which may or may not be billed additionally by the service provider, and annual server certificates must be registered (for a fee) for each domain and secondary host name. Lastly, content caching strategies that are already in place will need to be tested to make sure they work well with HTTPS.
Any combination of these issues may be enough to make a law firm second-guess whether HTTPS implementation is right for its website.
The Pros of HTTPS
Having said that, moving to HTTPS does bring with it many benefits. And in most cases, the pros of HTTPS implementation still outweigh the cons. Moving to HTTPS is also a precursor for employing the newer SPDY web communication protocol (used to reduce page load time and aptly pronounced “speedy”) and for ensuring that law firms are prepared for when HTTP/2 becomes widespread later this year.
Until HTTP/2 becomes standard, however, there are a few items that will still entice law partners to transition to HTTPS. Legal marketers will be happy to know that Google boosts the page rankings of HTTPS-encrypted sites and that Extended Validation Certificates allow for enhanced branding by including firms’ full names in the browser address bar.
Additionally, visitors to a law firm’s website will no longer have to worry about whether the information they find is actually provided by the entity named — HTTPS cryptographically authenticates the server that provides it. Visitors will also have complete privacy when accessing sensitive information, and the encrypted site traffic will prevent middlemen from injecting or altering website content on most networks.
Steps to Take Before Implementation
As law firms begin to move to HTTPS, firms that have not yet made the switch may be perceived as caring less about their visitors’ privacy and data security than those that have. Law firms need to carefully consider whether their sites could benefit from a boost in data security and whether HTTPS is the direction they want to go.
If firms do decide to move forward with HTTPS implementation, they need to take a few considerations into account.
First, they’ll need to coordinate the creation and signing of a security certificate for the desired domain. Second, firms must ensure that at least a 2048-bit key is used and that the latest HTTPS security issues, such as POODLE and Logjam, are accounted for. Lastly, firms need to review their sites for any content that may need to be updated in order to be served via HTTPS (e.g., Flash animations, third-party content embeds, social media icons and tools, and website traffic analytics).
Additionally, Transport Layer Security (TLS) has recently replaced the insecure Secure Sockets Layer (SSL) as the de facto cryptographic protocol of choice for HTTPS websites. When a firm’s website is relaunched on HTTPS, encrypting data transfer between the visitor’s browser and the server using TLS is an absolute necessity, so be sure to configure your systems for TLS when moving to HTTPS.
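The content review described above (embeds, icons, analytics scripts and Flash objects still referenced over plain HTTP) can be automated before launch. The following Python sketch is an added example, not part of the original article; the names `scan` and `MixedContentScanner` and the `.test` hosts in the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch a subresource, per tag.
FETCH_ATTRS = {
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "link": ("href",), "img": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}
# Active content can rewrite the page, so browsers block it on HTTPS pages.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and not {"stylesheet", "icon"} & set(rel):
            return  # e.g. rel=canonical is metadata, not a fetch
        for name in FETCH_ATTRS.get(tag, ()):
            url = (attrs.get(name) or "").strip()
            # Relative and protocol-relative (//host/...) URLs inherit HTTPS.
            if urlparse(url).scheme.lower() != "http":
                continue
            active = tag in ACTIVE_TAGS or "stylesheet" in rel
            self.findings.append(("active" if active else "passive", tag, url))

def scan(html):
    """Return every subresource the page would still load over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; all hosts are hypothetical.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example-firm.test/">
<link rel="stylesheet" href="http://fonts.example.test/site.css">
<script src="http://analytics.example.test/track.js"></script>
</head><body>
<a href="http://partner.example.test/">Partner</a>
<img src="http://social.example.test/icons/share.png">
<img src="//cdn.example.test/logo.png">
<object data="http://media.example.test/intro.swf"></object>
</body></html>"""

for finding in scan(SAMPLE):
    print(*finding)
```

Findings marked `active` are the ones browsers refuse to load on an HTTPS page, so they break functionality at launch; `passive` ones typically load with a degraded security indicator. Ordinary `<a href>` links to HTTP sites are navigation, not mixed content, and are deliberately ignored.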
Law firms need to be aware of the growing need for strong data security and user privacy and take the necessary steps to keep up with their competitors. Even sites that don’t handle sensitive information should still consider the risks associated with unencrypted communication between the browser and the site or the application and the user.
Whether a law firm decides to switch to this encryption method or not, the fact that stakeholders are weighing the options already means they’re thinking about their clients. Taking HTTPS into consideration will help any law firm decide where it’s headed for the future.
This article originally appeared in Bloomberg BNA.