An audit of more than 1,000 top websites found that 52 percent have highly trustworthy cybersecurity and privacy practices – the highest percentage ever for this annual evaluation – yet 46 percent failed the assessment altogether, with bank sites surprisingly faring worst of all.
Nearly two-thirds, or 65 percent, of websites operated by the largest 100 U.S. banks by asset flunked the 2017 Online Trust Audit and Honor Roll exercise, which was conducted in April and May 2017 by the Online Trust Alliance, an Internet Society Initiative. "Their failures were attributed in part to the revised failure threshold, increased number of data breaches, observed site security vulnerabilities and inadequate privacy disclosures," the report reads.
By contrast, only 27 percent of this financial services group earned top honors for cybersecurity and privacy, a major drop-off from 55 percent in 2016. (The remaining eight percent neither made the Honor Roll nor failed, meaning they offer some protection, but are not following enough of OTA's recommended guidelines.)
Craig Spiezle, founder and chair emeritus of OTA, told SC Media via email that the poor showing by financial institutions "should be a wake-up call for them... to increase commitment to consumer protection." He noted that the results are especially "ironic," considering recent legislative efforts to roll back the 2010 Dodd-Frank financial reform law, which could greatly weaken the Consumer Financial Protection Bureau.
According to Spiezle, 24 percent of the top 100 banks suffered a breach impacting 1,000 or more user records since the 2016 OTA audit, and eight had to pay regulatory financial settlements for deceptive business practices, privacy abuses or breaches.
Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association, told SC Media in an interview, said that he questions the report's findings, noting how other independent research organizations have found that banks "have fewer breaches" than companies operating in many other sectors.
Johnson suggested that reported changes in methodology could be partially responsible for the increase in failures, adding, "It goes without saying that financial institutions have the most rigorously regulatory regime in terms of data security for any type of business."
The top 100 U.S. federal government sites had the second highest failure rate in the audit, with 60 percent of sites unable to make the grade. Only 39 percent landed on the Honor Roll this year, compared to 46 percent in 2016 (though it should be noted that OTA expanded this grouping from 50 to 100 in 2017).
On the other hand, the top 100 consumer services sites came out on top, with 76 percent of websites earning Honor Roll status. This group includes sites specializing in social media, travel booking, matchmaking, tax returns and other online services. The top 500 online retailers also performed admirably, with 51 percent receiving honors.
OTA's audit rates websites in three categories: brand and consumer protection, site security, and privacy. Thirty-three companies failed the brand and consumer protection category, which includes email authentication, domain locking and Transport Layer Security. Nine percent failed the site security category, which factors in server defenses, firewalls, SSL, vulnerability prevention, multi-factor authentication, malvertising and botnet protection, and DDoS resiliency. And 16 percent failed over having inadequate privacy policies and practices. (Some companies failed more than one category.)
The top performers in each consumer website grouping were Etsy (retail), U.S. Bank (banking), the Department of Health and Human Services/Healthcare.gov (federal government), LifeLock (consumer services), Google News (news and media), and Microsoft Azure (ISPs, carriers and hosts). OTA did not list the names of the companies that failed.
OTA estimates that it analyzed more than 500 million email headers and approximately 100,000 web pages throughout the audit process.
Disclosure: The author of this article was formerly an account executive with a PR firm that represents OTA.