In talking to university internal auditors recently about higher education websites and the risks they present, the discussion quickly focused on security issues, skipping over all the other exposures those sites pose.
A general area of attention is the migration of sites to secure HTTPS connections, as this seemingly ‘technical’ transition overlaps with general cybersecurity concerns. And a more specific question about this upgrade is: how well has HTTPS been implemented?
We can now answer that question.
Frankly, by now, all higher education institutions should have upgraded or should be upgrading all their websites to HTTPS connections.
There are two completely non-technical reasons for moving to HTTPS: trust and privacy. HTTPS’ underlying technology, SSL, ensures that website visitors can trust sites and browse without being intercepted by third parties. These are two characteristics that improve the visitor experience and are commensurate with the trusted status to which higher education institutions aspire.
Implementing HTTPS across an entire institution and its constituent websites can be complex, but it isn’t expensive. Free SSL certificates from Let’s Encrypt mean that ongoing maintenance costs are no longer an implementation barrier.
How’s Everyone Doing?
For the first part of our risk assessment, we took a snapshot of the current state of HTTPS implementation across higher education institutions in Australia, Canada, Ireland, New Zealand, United Kingdom and the United States.
This exercise shows that two-thirds of higher education institutions still need to roll out secure connections on their main websites. (BTW – please get in touch if you’d like to work with us on capturing this data for other jurisdictions.)
Here is the overall HTTPS implementation rate across the main websites for 4,310 higher education institutions in six countries:
Graph 1: Sample of 4,310 higher education main websites showing the proportion of sites using HTTPS. Data collected 16-18 August 2017.
And, here is the HTTPS implementation rate for the main websites of higher education institutions in each of the six countries in our survey:
Graph 2: Sample of 4,310 higher education main websites showing the proportion of sites using HTTPS for the six countries in the survey. The UK shows the highest adoption rate at 42%. Data collected 16-18 August 2017.
Visitors to higher education websites cannot connect securely unless HTTPS is in place.
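As an added example (not the survey authors’ tooling), here is one way an institution could take the same kind of snapshot over its own list of main-site hostnames. For each host it asks two questions: does a validated TLS connection to port 443 succeed (HTTPS in place), and does a plain-HTTP request to port 80 get redirected to https:// on the same site (HTTPS enforced)? A site that answers port 443 but still serves pages over plain HTTP is counted separately, because visitors who type the bare hostname never reach the secure connection. The three labels, the rule that a closed port 80 counts as enforced, and the www./bare-domain matching are this example’s own choices; the hostnames used in its checks are constructed.

```python
"""Snapshot HTTPS adoption for a list of institutional main websites.

Added example, not the survey authors' code. Reads one hostname per line on
stdin and prints a classification per host plus summary percentages.
"""
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

HTTPS_ENFORCED = "https-enforced"   # 443 works and http:// redirects to https://
HTTPS_OPTIONAL = "https-optional"   # 443 works but http:// still serves pages
NO_HTTPS = "no-https"               # 443 refused, or certificate does not validate

REDIRECT_CODES = (301, 302, 303, 307, 308)


def redirects_to_https(host, status, location):
    """True if the plain-HTTP response sends the visitor to https:// on this site.

    A redirect to http:// (even on the same host), a redirect to an unrelated
    host, or a 200 with no Location all mean HTTPS is not being enforced.
    """
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return False
    target_host = (target.hostname or "").lower()
    host = host.lower()
    bare = host[4:] if host.startswith("www.") else host
    # Accept the same host or its www./bare-domain variant (example's own rule).
    return target_host in (host, bare, "www." + bare)


def classify(tls_ok, status, location, host):
    """Combine the two probes into one of the three labels."""
    if not tls_ok:
        return NO_HTTPS
    if status is None:
        return HTTPS_ENFORCED  # port 80 closed: plain HTTP is not offered at all
    return HTTPS_ENFORCED if redirects_to_https(host, status, location) else HTTPS_OPTIONAL


def tls_probe(host, timeout=10.0):
    """True when a certificate-validated TLS handshake to host:443 succeeds."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def http_probe(host, timeout=10.0):
    """GET / over plain HTTP without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "https-audit/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except OSError:
        return None, None
    finally:
        conn.close()


def probe(host):
    status, location = http_probe(host)
    return classify(tls_probe(host), status, location, host)


def summarise(results):
    """results: {host: label}. Returns counts and the two adoption percentages."""
    counts = {HTTPS_ENFORCED: 0, HTTPS_OPTIONAL: 0, NO_HTTPS: 0}
    for label in results.values():
        counts[label] += 1
    total = len(results)
    available = counts[HTTPS_ENFORCED] + counts[HTTPS_OPTIONAL]
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {"total": total, **counts,
            "https_available_pct": pct(available),
            "https_enforced_pct": pct(counts[HTTPS_ENFORCED])}


if __name__ == "__main__":
    hosts = [line.strip() for line in sys.stdin if line.strip()]
    results = {h: probe(h) for h in hosts}
    for h, label in sorted(results.items()):
        print(f"{label:15} {h}")
    print(summarise(results))
```

Run it as `python3 https_snapshot.py < hosts.txt`. The optional category is the one worth watching: it looks like adoption in a naive “does port 443 answer” survey, but it leaves every visitor who arrives over http:// unprotected until a redirect (and, ideally, HSTS) is in place.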
For the second part of our risk assessment, we tested the ‘health’ of those sites that have implemented HTTPS.
We ran each site through SSL Labs’ battery of HTTPS tests. To avoid getting too techie – as HTTPS’ rationale is trust and privacy, not cryptography – we simply report SSL Labs’ letter grade for each implementation: from A+ to F.
For the 1,443 websites that have implemented HTTPS we saw the following overall grading of the HTTPS implementations:
Graph 3: Sample of 1,443 higher education main websites using HTTPS subjected to SSL Labs' SSL test to measure the 'quality' of the HTTPS implementation. Data analysis 19-21 August 2017.
And, here is the grading for HTTPS implementations for the main websites of higher education institutions in each of the six countries in our survey:
Graph 4: Results of 1,443 higher education main websites using HTTPS subjected to SSL Labs' SSL test to measure the 'quality' of the HTTPS implementation by country of origin. Data analysis 19-21 August 2017.
Generally, the required HTTPS implementation quality level can vary with the function of a website. However, as trusted institutions, universities and colleges should aim to be A or above. Our survey shows that one-third of institutions fall below A grade and ten percent fail outright.
We encourage you to run your own test using SSL Labs’ free service (and tick the ‘Do not show the results on the boards’ option).
To provide some general benchmarks for the higher education community, we tested the home pages of 4,310 higher education websites in six countries to determine whether these sites had implemented secure connections, so that visitors can trust they are visiting the ‘legitimate’ site and be assured that no third party can view their browsing.
The results are important for two main groups that ‘touch’ higher education websites. Marketing and communications departments should recognise that HTTPS says:
- You are paying attention to Google’s security and search engine optimisation recommendations
- You care about the trust and privacy issues that concern website visitors
- You are mitigating potential website exposures as delaying HTTPS implementation presents a reputational risk
At larger higher education institutions that lack central website control, or that run multiple content management systems or fragmented hosting arrangements, information technology departments need to:
- know all the sites for which they have technical ownership, and
- ensure that each HTTPS implementation has an A grade or better
After all, visitors to higher education institution websites do not distinguish between the different sub-sites they visit and they deserve consistent security while browsing.
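The two IT-department tasks above, and the SSL Labs grading described earlier, can be combined into one recurring check. Here is an added example (not the survey authors’ tooling) that takes a list of hostnames, fetches each site’s assessment from the public SSL Labs Assessment API v3 with publish=off (the API equivalent of ticking ‘Do not show the results on the boards’), and reports which sites miss the A-or-better target. Two details are this example’s own choices: a site is rated by its worst endpoint, since visitors are served by whichever IP they resolve, and SSL Labs’ A- is treated as below the A target. The sample reports embedded in the script are constructed in the shape the API returns; the hostnames and IP addresses in them are placeholders.

```python
"""Aggregate SSL Labs grades for institutional websites against an A-or-better target.

Added example, not the survey authors' code. Usage:
  python3 ssl_grades.py www.site-one.example www.site-two.example
With no arguments it grades the constructed SAMPLE_REPORTS below.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

API = "https://api.ssllabs.com/api/v3/analyze"

# Best to worst. T (certificate not trusted) and M (name mismatch) are the
# grades SSL Labs assigns when the certificate itself is the problem.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]
FAILING = {"F", "T", "M"}

# Constructed sample reports (placeholder hosts, documentation-range IPs),
# containing only the fields this script reads.
SAMPLE_REPORTS = {
    "www.example-uni.edu": {"status": "READY", "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A+", "statusMessage": "Ready"},
        {"ipAddress": "192.0.2.11", "grade": "A", "statusMessage": "Ready"}]},
    "www.example-college.ac.uk": {"status": "READY", "endpoints": [
        {"ipAddress": "192.0.2.20", "grade": "A", "statusMessage": "Ready"},
        {"ipAddress": "192.0.2.21", "grade": "B", "statusMessage": "Ready"}]},
    "www.example-poly.ac.nz": {"status": "READY", "endpoints": [
        {"ipAddress": "192.0.2.30", "grade": "T", "statusMessage": "Ready"}]},
    "www.example-inst.ie": {"status": "ERROR", "endpoints": [],
                            "statusMessage": "Unable to resolve domain name"},
}


def rank(grade):
    """Position in GRADE_ORDER (lower is better); unknown grades sort last."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def site_grade(report):
    """Worst grade across the site's endpoints, or None if nothing was graded."""
    if report.get("status") != "READY":
        return None
    grades = [e.get("grade") for e in report.get("endpoints", []) if e.get("grade")]
    return max(grades, key=rank) if grades else None


def meets_target(grade, target="A"):
    """True when grade is at least as good as target (A+ and A pass; A- and below do not)."""
    return grade is not None and rank(grade) <= rank(target)


def distribution(site_grades):
    """Per-grade counts plus the two shares the survey reports: below A and outright fail."""
    graded = [g for g in site_grades.values() if g is not None]
    n = len(graded)
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {
        "graded": n,
        "ungraded": len(site_grades) - n,
        "counts": {g: graded.count(g) for g in GRADE_ORDER if g in graded},
        "below_a_pct": pct(sum(1 for g in graded if not meets_target(g))),
        "fail_pct": pct(sum(1 for g in graded if g in FAILING)),
    }


def fetch_report(host, poll_seconds=30, max_wait=900):
    """Reuse a cached assessment (up to 24 h old) or start one, and poll until READY/ERROR."""
    params = {"host": host, "publish": "off", "all": "done", "fromCache": "on", "maxAge": 24}
    deadline = time.monotonic() + max_wait
    while True:
        url = API + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            report = json.load(resp)
        if report.get("status") in ("READY", "ERROR") or time.monotonic() > deadline:
            return report
        time.sleep(poll_seconds)  # poll slowly while the assessment is IN_PROGRESS


def audit(hosts):
    """{host: worst grade or None} for a list of hostnames, via the live API."""
    return {h: site_grade(fetch_report(h)) for h in hosts}


if __name__ == "__main__":
    hosts = [h.strip() for h in sys.argv[1:] if h.strip()]
    grades = audit(hosts) if hosts else {h: site_grade(r) for h, r in SAMPLE_REPORTS.items()}
    for h, g in sorted(grades.items()):
        print(f"{g or 'n/a':4} {'ok' if meets_target(g) else 'BELOW TARGET':12} {h}")
    print(json.dumps(distribution(grades), indent=2))
```

The ungraded count matters as much as the grade table: a site the API cannot resolve or assess is usually one that nobody owns, which is exactly the inventory gap the first bullet above is about.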