Hadleigh-based web development firm Free Rein issues warning over progress towards GDPR compliance

New regulations on data protection
come into effect next May.
Picture: Sonya Duncan

New regulations on data protection come into effect next May. Picture: Sonya Duncan - Credit: Sonya Duncan

Businesses are making little progress in improving online security ahead of new data protection rules coming into effect next year, according to a Suffolk web development and digital marketing firm.

Andrew Johnson of Free Rein.
Picture: Free Rein

Andrew Johnson of Free Rein. Picture: Free Rein - Credit: Archant

And the lack of urgency shown so far is about to become clearer, says Andrew Johnson of Hadleigh-based Free Rein, with the widely-used Google Chrome browser starting to flag relevant pages as “Not Secure”.

The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, imposes new requirements for the corporate storage and processing of personal information, with breaches potentially resulting in fines of up to 4% of turnover or 20m euros, which ever is greater.

Free Rein began been conducting passive testing of websites since June this year, since when the proportion of UK sites found not to be secure has barely changed from around 70%.

Mr Johnson says part of the problem is that many website owners wrongly believe that SSL encryption certification is only required for transactional websites when, in fact, it is needed for any site with fill-in forms.

As of today, he adds, Google Chrome is due to start highlighting uncertificated pages that can be filled in as “Not Secure” in the address bar.

“Another misconception is that ‘only the contact page is not secure’. This is also not true,” says Mr Johnson. “You cannot have an insecure contact form and the rest of the website secure, because a contact form becomes secure by having valid SSL certification for the website.”

Most Read

More than one third of problem sites are not secure solely due to invalid SSL certification, often because the certificate is in the wrong name, he says.

Other security issues can include username and login name visibility, user enumeration (where attackers are able to see usernames and logins by performing scans), the use of blacklisted IP addresses and vulnerability to “Poodle” attacks (where a server complies with a rogue request to downgrade its security protocols).

“In summary, it is now the time to secure your website by getting it locked down,” adds Mr Johnson. “It could be a challenging time for many businesses if their potential clients are deterred from submitting enquiries due to forms on the website stating: ‘Not Secure’.”