An SSL protects data in forms from being stolen, while site scanner software protects the website from becoming infected.
If one would do a search for “SEO spam injection” or "website hacked", most of the articles would be about CMS-based websites (especially WordPress) being hacked. However, it is also possible, for this to happen to non-cms based websites. In 6 years and over 60 websites, this has only happened twice using my signature website builder of choice. In my opinion, non-CMS based websites are a lesser visible target – probably due to a lack of back door to search for. With that being said, they still need to be protected via a website scanning/monitoring tool.
The weapon of choice to prevent a hack and malware infection causing an inappropriate redirect (or at least quickly become aware of it when it happens so it can be fixed) is a website monitoring and repair tool – which is usually provided by your host. In the case of my favorite – GoDaddy, they have a tool by Sucuri with 3 levels of protection (monitoring/removal only and monitoring/removal with prevention). https://www.godaddy.com/web-security/website-security?sp_hp=B&isc=sev_app. If you don’t have GoDaddy as a host, ask your host for this product or click on these links to sign up. https://sucuri.net/. They also have a free scanning tool here - https://sitecheck.sucuri.net/. Another good option is SiteLock. Compare here.
Also, if you don’t already have an SSL certificate on your website, you should still get one as this protects the integrity of the data (such as info submitted in a form) between your website and the browser. And in case you wanted to know, the distinctly separate purpose of website security software (such as Sucuri) is to protect the website from hackers that inject malware into the server. https://blog.sucuri.net/2018/09/ssl-vs-website-security.html. Both the SSL certificate and malware scanning and removal tools are needed for a secure website.