How To (And Not To) Make the Online Trust Honor Roll
Five websites generated the highest score in their sector for the 2017 Online Trust Audit & Honor Roll. Here is what it takes to get there and be listed among the Online Trust Alliance's Top 50
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt758cfd125d824dc5/64f0d7b0331d04660179278c/Image-1_01-Page-1.jpg?width=700&auto=webp&quality=80&disable=upscale)
With consumer and enterprise sites getting slammed with attacks, the Online Trust Alliance recently unveiled its 2017 Online Trust Audit & Honor Roll to highlight those sites that engage in the best security and privacy practices.
The audit analyzed about 1,000 consumer-facing websites, Internet service providers, mobile carriers, email box providers, government agencies, and media sites against three criteria: privacy, consumer protection, and security and resiliency. The total base score possible was 300 points, excluding bonus points, and a website needed to score at least 80% overall to be included in the honor roll.
"It's all about following the basics," says Craig Spiezle, executive director and president of the Online Trust Alliance (OTA).
In the security and resiliency category those "basics" include not only patching but also: a properly configured SSL/TLS infrastructure; a link on the home page for reporting bugs, findable by searching for common terms such as "vulnerability disclosure"; protection against web scraping, vulnerability scanning, and other common bot-driven activity; and an option for multi-factor authentication on the site.
Privacy criteria encompass policies and practices around user anonymity, data retention, and third-party data sharing.
Consumer protection was rated based upon measures like email authentication, anti-phishing technologies and domain security.
Given these criteria, the five websites that received the highest score for their sector were: LifeLock, for the consumer category; US Bank, for the FDIC (bank) category; Microsoft Azure, for the ISPs, mobile carriers, and hosters section; Google News, for the news and media category; and the Online Trust Alliance, for the OTA members section.
Which websites scored highest in their category or made the OTA honor roll is only part of the story. The overall trends in where websites succeed and fail at security and privacy are the other important part of the picture, covered in the following pages.
The percentage of websites that made the 2017 Online Trust Audit & Honor Roll rose to 52% this year, up from 50% a year earlier. And although the percentage growth rate has slowed each year since 2014 as the pool of companies expands, Spiezle says there is good news in this year's results.
"We have new criteria this year that are more stringent," Spiezle says. "I would have thought we would see a decline as a result, but instead it went up. Companies are doing a better job at securing their systems and are more proactive in enhancing their policies."
While virtually all sectors gained ground in the Online Trust Audit & Honor Roll this year, the FDIC sector, which consists of banks and government agency websites, fell sharply. Only 27% of the FDIC-related websites made the honor roll, roughly half the 55% of a year earlier.
"That is a big change," says Spiezle, noting that 25% of the banks had suffered data loss since January 2016. Explanations for the drop include a jump in the number of data breaches in the sector, a revised failure-rate threshold, inadequate policy disclosures, and security vulnerabilities found on sites in this sector.
Over the past three years, OTA has noticed a trend. When it comes to security, privacy and consumer protection, websites are either performing very well or very poorly -- rarely somewhere in the middle.
In fact, a mere 4.2% got a middling rating. The remainder were either "failures" or honor roll winners.
Consumer services topped the list of the categories that had the highest percentage of websites that engaged in best practices when it came to security, privacy, and consumer protection. Consumer services racked up 52% of the Top 50 Honor Roll websites.
Of the three criteria a site must satisfy to make OTA's Honor Roll (consumer protection, site security, and privacy), 46.5% of the websites audited missed at least one, according to the report. When a website was blocked from the Honor Roll, the most common reason was inadequate email authentication, which falls under consumer protection.
Inadequate email authentication means the organization has not published the DNS records (SPF, DKIM and DMARC are the standard mechanisms) that let receiving mail systems verify that a message claiming to come from its domain was actually sent by it, which leaves the domain open to spoofing in phishing campaigns. Among federal agencies in the Fed 100, poor email authentication was particularly prevalent: 55% of those websites were dinged for it.
The majority of federal agencies were tripped up by the consumer protection criteria. The FDIC sector, or banks, also had a difficult time passing the consumer protection criteria, largely because they failed to take appropriate measures to prevent their domains from being spoofed, Spiezle says. "By not authenticating their site, it's difficult for an ISP to tell if an email is being spoofed, so while a bank may have good site security, their email is really difficult to tell if it is coming from them," he says.
On the plus side, Spiezle notes that overall, websites are doing a "pretty good" job with site security, given that the vast majority of all sectors managed to pass that particular criterion.