By Jack M. Germain
Jun 22, 2017 5:00 AM PT
Among its findings: Consumer services sites have the best combined security and privacy practices.
FDIC 100 banks and U.S. government sites are the least trustworthy, according to the audit.
The number of websites that qualified for the Honor Roll reached a nine-year high. However, the audit identified an alarming three-year trend: Increasingly, sites either take privacy and security seriously and do well in the audit, or they lag behind the industry significantly in one or more critical areas.
The Online Trust Alliance is an Internet Society initiative to promote best practices for online trust. Its goal is to set standards for recognizing excellence in online consumer protection, data security and responsible privacy practices.
Researchers analyzed about 1,000 predominantly consumer-facing websites for site and email security, as well as privacy practices.
Fifty-two percent of analyzed websites qualified for the Honor Roll, a 5 percent improvement over 2016.
“Data is the ‘oil’ of the Internet economy. It is fueling innovation, growth and revenue. At the same time, if abused there is a risk of data spills, negatively impacting user expectations and ultimately the Internet at large,” said OTA Chairman Emeritus Craig Spiezle, founder of the group. “The OTA Trust Audit & Honor Roll underscores the urgency to embrace responsible security and privacy practices. Failure risks a long-term impact to the Internet.”
Consumer Trust Challenges
The annual OTA audits provide a valuable service, especially given the growing number and extremity of online threats, noted Charles King, principal analyst at Pund-IT.
However, it is not very likely the report will help fix what hampers e-commerce today, he said.
“One of the biggest challenges of addressing online threats is the sheer complexity of the markets, organizations and individuals affected. That is more than any single survey or organization can fix,” King told LinuxInsider. “The report is cautionary but lacks gravity outside of OTA members.”
The decline in government website rankings could be a fly in the ointment. This year’s sudden poor showing for U.S. government sites could have a negative impact on consumer trust.
Lack of continuity is detrimental to consumers and businesses alike, noted King.
“An ongoing problem with public sector sites is the radical shift in expectations and processes when power changes from one party to another,” he said. “We’re seeing that now, as the current administration takes apart regulations and best practices put in place by the past administration.”
Top 3 Performers
The audit tallied the percentage of websites making the Honor Roll in six categories:
- Consumer Services — 76 percent. This industry held onto its ranking as the best performing on the Honor Roll. This segment accounted for 26 of the top 50 consumer-facing sites, or 52 percent.
- Internet Retailers — 51 percent. Half of the top 500 Internet retailers made the Honor Roll this year, representing a big improvement over last year’s score of 44 percent. This segment accounted for 10 of the top 50 consumer-facing sites, or 20 percent.
- News and Media — 48 percent. This marks the most significant improvement over the previous year, across all industries. Last year, media and news sites polled as the worst-performing sector, with only 23 percent making the Honor Roll. This segment accounted for three of the top 50 consumer-facing sites, or 6 percent.
“OTA’s audit continues to drive awareness and recognition about the importance of responsible data security and ethical privacy practices,” said Olaf Kolkman, chief internet technology officer of the Internet Society. “The increase in sites embracing end-to-end encryption shows it is becoming the norm for site traffic.”
Bottom 3 Performers
Following are the sectors bringing up the rear in the audit:
- Internet Service Providers, Carriers, Hosters & Email Providers — 46 percent. Coming in slightly worse than News and Media, this industry segment debuted as a new category this year. This segment accounted for seven of the top 50 consumer-facing sites, or 14 percent.
- Government — 39 percent. Thirty-nine percent of the audited U.S. federal government sites made the Honor Roll, a significant decrease from 46 percent last year, and 60 percent of government websites received failing grades this year.
- FDIC Banks — 27 percent. This industry segment reflects the biggest drop this year. Last year, 55 percent of this category qualified for the Honor Roll.
The FDIC Banks category had shown steady and significant improvement in its Honor Roll score until this year. OTA attributed the plummeting score to increased breaches, low privacy scores and low levels of email authentication; 65 percent of the banks received failing grades.
An organization needed a composite score of 80 percent or better to qualify for Honor Roll status. Failing any one category automatically caused a company to fail overall.
Organizations also needed a score of at least 60 percent in three categories: 1) domain, brand and consumer protection; 2) site security and resiliency; and 3) data protection, privacy and transparency.
OTA expanded the 2017 methodology with two new criteria — telemetry and data fidelity — to address today’s security threat and privacy landscape.
OTA analyzed websites between mid-April and the end of May. The audit analyzed more than 500 million email headers and approximately 100,000 Web pages.
The 2017 report was funded in part by grants from Symantec and Verisign. Data providers included Agari, DigiCert, Disconnect, Distil Networks, Ensighten, High-Tech Bridge, Infoblox, Malwarebytes, Microsoft, Risk Based Security, SecurityScorecard, SiteLock, Qualys SSL Labs, Symantec, ValiMail and Verisign.
Top-Scoring Website List Grows
OTA expanded its list of top performers from 10 sites to 50 this year, a reflection of the increase in overall Honor Roll recipients.
“Despite ratcheting up the criteria needed to qualify for the 2017 Honor Roll, it was encouraging to see the highest percentage of recipients since OTA began the Trust Audit nine years ago,” said OTA’s Spiezle.
Many organizations that did not make the Honor Roll have a long way to go before they adopt acceptable security and privacy practices, he added.
The 50 highest-scoring consumer-facing sites cover a wide range of industries that include social media, online services, government and retail.
“Consumer-facing website owners have an important responsibility, because their customers entrust them with valuable data,” said Roxane Divol, Symantec general manager of website security. “The OTA Audit recognizes those who go beyond compliance and demonstrate stewardship of their customers’ online security and privacy.”
Online Trust: A Growing Problem
The story of online threats over the past 12-18 months might be summarized as “the hits just keep on coming,” said Pund-IT’s King.
“Knowing who is trustworthy is one thing, but another is whether even trustworthy organizations have what it takes to fend off experienced, well financed attackers. It is a continuing, ugly story with an unfortunately unknowable conclusion,” he said.
For example, just days before the OTA report hit the news, another report disclosed a breach of a server used by a firm that provided consulting services for the Republican Party. That breach exposed the personal information of millions of voters in the last election.
Consumer trust, or the lack of it, is shaped by the cumulative effect of such incidents, said OTA’s Spiezle.
“This was not a sophisticated breach. This was poor server management, which gets to the root of the issues. Security and privacy is not a one-time task. It takes ongoing monitoring, review and optimization,” he told LinuxInsider.
The OTA audit showed the same thing year after year. A well-determined adversary will penetrate nearly any organization, Spiezle said. That is why the OTA is so focused on email authentication.
“We know that more often than not systems are compromised from malicious and spoofed email. Both outbound and inbound authentication are critical, as well as enforcing DMARC policies,” he noted.
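What "enforcing DMARC policies" means in practice is visible in the domain's `_dmarc` TXT record: a record with `p=none` only asks receivers to report spoofing, while `p=quarantine` or `p=reject` asks them to act on it, and the `pct` and `sp` tags can quietly weaken either. The parser and grader below are an added example, not code from the OTA audit or this article. It reads the tags as RFC 7489 defines them; the grade labels ("missing", "invalid", "none", "partial", "enforced") and the sample domains are this example's own assumptions, and the sample records are constructed rather than fetched from DNS, so it runs offline.

```python
"""Grade DMARC records by whether they actually enforce a policy.

Added example, not code from the OTA audit or the article. It reads the
record tags as RFC 7489 defines them; the grade labels ("missing", "invalid",
"none", "partial", "enforced") and the sample domains are this example's own
assumptions, and the sample records are constructed, not fetched from DNS.
"""
from dataclasses import dataclass
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str            # p=  : what receivers should do with failing mail
    subdomain_policy: str  # sp= : same for subdomains, defaults to p
    pct: int               # pct=: share of failing mail the policy applies to
    rua: list              # aggregate-report destinations (mailto: URIs)
    adkim: str             # DKIM alignment, 'r' (relaxed) or 's' (strict)
    aspf: str              # SPF alignment, 'r' or 's'


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a _dmarc TXT record; raise ValueError if receivers must ignore it."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and must match exactly (RFC 7489 6.3).
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    sp = tags.get("sp", policy).lower()
    if sp not in VALID_POLICIES:
        raise ValueError(f"unknown subdomain policy {sp!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sp, pct, rua,
                       tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower())


def grade(txt: Optional[str]) -> str:
    """Map a record (or its absence) to this example's enforcement grade."""
    if txt is None:
        return "missing"          # no _dmarc TXT record published at all
    try:
        rec = parse_dmarc(txt)
    except ValueError:
        return "invalid"          # receivers ignore a malformed record entirely
    if rec.policy == "none":
        return "none"             # monitoring only: spoofed mail is still delivered
    # A restrictive policy applied to only a sample of failing mail, or not
    # applied to subdomains, still lets some spoofed mail through. Per RFC 7489
    # 6.6.4, mail outside the pct sample is handled one step more leniently
    # (reject -> quarantine, quarantine -> none).
    if rec.pct < 100 or rec.subdomain_policy == "none":
        return "partial"
    return "enforced"


def grade_all(records: dict) -> dict:
    """Grade a domain -> record mapping; a None record means none was found."""
    return {domain: grade(txt) for domain, txt in records.items()}


# Constructed sample records for illustration; none belongs to a real domain.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "broken.example": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for domain, result in grade_all(SAMPLE_RECORDS).items():
        print(f"{domain:24} {result}")
```

To run this against real domains, feed `grade` the TXT string returned by a DNS lookup of `_dmarc.<domain>` (or `None` when the lookup returns nothing); the grader deliberately treats a malformed record the way receivers do, as if no policy were published, because a typo in the record is as good as no DMARC at all.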
OTA officials will present briefings to FTC, NTIA, NIST and FCC staff members on the audit results on June 27, from 11:30 a.m. to 1 p.m. EDT in the Rayburn House Office Building in Washington, D.C.
“In the past, we have had many face-to-face meetings including the White House. Under the previous administrations both Michael Daniels and Howard Schmidt (White House cyber security coordinators) were very engaged. We have not received a response to our offer for this year,” Spiezle said.
OTA also will present the 2017 Cybersecurity, Privacy & Innovation Public Service Award to members of Congress for their contribution to help spur innovation and online trust.
Whether the White House would accept the OTA’s offer for a briefing was uncertain, Spiezle said. “As you can surmise, there has been lots of churn on staffing.”