Enhancing Nectari security
By default, when you do an installation, you have a web browser which sends queries to the IIS Website (Nectari Web Client) (set on HTTP by default). Right after, the website will communicate with IIS, then IIS will do the same with the BI Service and finally the BI Service with the SQL Server.
So starting from this point, we already can secure IIS (highly recommanded) and the BI Service (optional depending on if you are using or not Excel Add-In).
In relation to Excel Add-In, if you secure the website (IIS) and make possible external access, it will be sufficient at least for Chrome. However, the login process for Excel Add-In implies a direct connection to the BI Service and therefore all the data (financial information and credentials) will not be encrypted over the internet.