Why do so many tour operators have poor security on their sites?

As part of our market research, we’ve found there’s a surprisingly large number of tour operators with poor online security​

It’s amazing that in 2020 anyone is running an insecure website that’s built for sales. When you visit these sites your browser warns you that the site isn’t secure, or won’t even let you access it. But, incredibly, during our market research, we’ve spotted that 15.1 per cent of the tour operator sites we looked at are working with insecure connections.

That means 3 in 20, almost one in six, are leaving their customers’ details in public view. And it’s not limited to small operators with old sites. Big players have problems too.

This is astounding because almost all hosting providers now provide free and easy-to-use security tools.

All of Ventrata’s websites are fully encrypted, as are all of our servers, to ensure our clients’ and their customers’ information is secure. Find out more here

Why is it important to have online security?​

The main reason is simple: to protect your visitors’ information. If you’re missing an SSL certificate, or it’s invalid, then people can skim all that data — including their bank details — with ease. An SSL certificate makes that impossible by encrypting the information so it can only be read by your site and a customer’s computer.

To accept payments online, you must have a valid SSL. It’s part of the PCI security standards as set up by American Express, Discover, JCB International, MasterCard and Visa. It also verifies your online identity, which makes phishing through fake sites more difficult, and improves your SEO ranking. Google has boosted sites with SSL security since 2014, and actively stopped users from visiting sites with poor security since 2018.

Finally, if a customer visits your site and sees that they might have their details stolen — or worse, they’re blocked from accessing it — then there’s a very high chance you’re not getting their business.

The numbers​

First we should note that we don’t believe these figures are fully representative. They’re based on a sample of companies that Ventrata is interested in and not all tour operators in the regions we examined. More work should be carried out with a methodological study by a disinterested party.

However, of the 364 operators we looked at in Australia and New Zealand, 55 had poor to woeful online security. That’s 15.1 per cent. These ranged from sites simply not having a redirect from the insecure http version of their site to the secured https site, to sites having no SSL certificate installed at all.

Of the 55 operators with poor security:

• 38 per cent had insecure images, but had an SSL installed;
• 38 per cent had an invalid SSL certificate;
• 21.8 per cent had no redirect from http to https;
• 8 per cent had no certificate at all;
• 2 per cent had an SSL certificate installed with no redirect, but visiting the https version somehow broke the site.

How to fix security problems​

Insecure images can easily appear on sites if they have been taken straight from the site template and are hosted on a separate insecure server, or if an image has been embedded from another insecure website. They’re part of a group of vulnerabilities called mixed content. You need to hunt these down and replace them with images hosted on your site.

Invalid SSL certificates have probably just been allowed to go out of date and need to be renewed. Sometimes there may be a mismatch between the domain name itself and what has been recorded in the certificate. The certificate may also have been poorly installed. Qualys SSL Labs have a free SSL tool to check if your certificate has been set up correctly, and there’s thousands of easily searchable resources online detailing how to fix any issues.

Setting up a redirect from http to https should happen automatically now. If it doesn’t already, you should find the instructions to do so on your hosting provider’s support pages.

For the eight per cent with nothing — your hosting provider should give you one for free, and you’re probably receiving emails from them telling you to install it. This should be a case of logging into your provider, finding the right tab, and installing it. It should take less than five minutes.

The two per cent should go to a web developer and get their site fixed.

Click here to learn more about Ventrata’s custom built, and fully secure, websites