Which organizations place a premium on security and privacy?
70 percent of websites qualified for the 2018 Online Trust Audit and Honor Roll, the highest proportion ever, and up from 52 percent in 2017, driven primarily by improvements in email authentication and session encryption.
This tenth annual audit of more than 1,200 predominantly consumer-facing websites was expanded this year to include payment services, video streaming, sports sites, and healthcare.
The Federal government category surged to the front with 91 percent of sites placing on the honor roll, a dramatic turnaround from 2017 when government sites had bottomed out at 39 percent recognition.
The Federal category supplanted last year’s winner, consumer services, which finished second this year at 85 percent (OTA considers consumer services any website that requires consumers to create an online account such as social media, payment services, video streaming, file sharing, or dating).
“From the global economy to daily individual interactions, more and more of our lives are conducted online. Yet every day brings headlines showing a lack of attention to consumer data and privacy protection,” said Jeff Wilbur, Technical Director of the Internet Society’s Online Trust Alliance.
“The OTA Trust Audit & Honor Roll identifies organizations that place a premium on security and privacy, while shining a light on the sectors that have to work harder to earn society’s trust.”
Healthcare, a new sector this year that includes pharmacies, testing labs, insurance companies, and hospital chains, had the lowest overall honor roll placement at 57 percent. Followed by ISPs, carriers, hosters and email providers at 63 percent.
Overall, the audit found a strong move toward encryption, with 93 percent of sites encrypting all web sessions (compared to 52 percent in 2017). Email authentication is also at record highs; 76 percent of sites use both SPF and DKIM (versus 48 percent in 2017) and 50 percent have a DMARC record (versus 34 percent previously).
One growth opportunity is use of mechanisms for vulnerability reporting, which rose sharply in online retail, news and hosting companies, but were used by only 11 percent of organizations overall.
“The Online Trust Alliance has made great progress in advocating for a higher standard for internet security,” said Neil Daswani, senior vice president, consumer chief information security officer, Norton LifeLock.
“We are honored to be recognized for our strength in cyber safety and are proud to be a part of the very critical work the OTA is doing to help make the internet a safer place for all.”
“To put the audit findings in context, almost every sector improved its security and privacy practices, and the record scores reflect that,” said Wilbur.
“The U.S. Government in particular made stunning improvements, from near last in 2017 to top of the class in 2018. Unfortunately, some sectors still have a long way to go to demonstrate acceptable security and privacy practices.”
Industry highlights: From best to worst performing industries
- Government: (2017: 5th) 91 percent of audited U.S. federal government sites made the Honor Roll. Government sites scored highest in site security (94 percent), DMARC adoption (93 percent) and policy enforcement (83 percent), and IPv6 adoption (46 percent).
- Consumer services: (2017: 1st) 85 percent of audited consumer services sites made the Honor Roll. These sites led in adoption of email authentication (96 percent) and scoring for overall privacy practices (76), and had the highest use of vulnerability reporting (43 percent). Unfortunately, they also had the highest breach rate (34 percent).
- News & media: (2017: 3rd) This category was expanded to include sports sites. Significant improvement to an 78 percent score (vs 48 percent in 2017), thanks largely to nearly quadrupling use of always-encrypted sessions.
- FDIC 100 banks: (2017: last) Banks made significant improvement to 73 percent, nearly triple 2017’s dismal 27 percent ranking, showing significant improvement in email authentication, the highest use of extended validation certificates (more than double the next closest sector) and lowest instance of cross-site scripting.
- Internet retailers: (2017: 2nd) While 65 percent of internet retailers made the honor roll, better than last year’s 51 percent, this sector was outpaced by improvements in most other sectors. Email authentication improved, but privacy failures rose nearly 50 percent due to third party data sharing.
- ISPs, carriers, hosters & email providers: (2017: 4th) 63 percent of companies in this category made the Honor Roll, a solid improvement over 2017’s 46 percent, thanks largely to significant improvement in email authentication.
- Healthcare: (2017: unranked) This new sector showed the lowest overall placement on the Honor Roll at 57 percent, largely due to sparse adoption of email authentication and always-encrypted sessions. The industry did show the second highest scores for privacy.