At one time ridiculed over bugs and lax cybersecurity, the federal health insurance exchange site HealthCare.gov scored second-highest out of approximately 1,000 websites in the Online Trust Alliance's eighth annual Trust Audit and Honor Roll.
Craig Spiezle, OTA's executive director and president, told SCMagazine.com that HealthCare.gov has “doubled down on their security,” while “doing everything right on their privacy policies,” including not sharing personal data with third parties. “Other agencies, ironically, that weren't on the Honor Roll but should be – their privacy policies are silent on some of these things,” he said.
For the fourth straight year, Twitter officially took top honors in OTA's Honor Roll, which assesses a website's trustworthiness based on domain, brand and consumer protections; website and server security; and online privacy policies. Rounding out the top ten were the websites for Pinterest, the White House, Dropbox, FileYourTaxes.com, LifeLock, Instagram, 1040.com and Gap Inc.
“Security and privacy remain the bedrock of consumer trust. As the overall top scorer, Twitter is honored to be recognized for our efforts. These best practices of our users' data are critical for the long-term health and future innovation of the Internet. We are committed to build on our collaboration between the public and sectors in driving their adoption,” said Michael Coates, trust & information security officer at Twitter, in an OTA press release.
Even with OTA elevating its scoring standards, 50 percent of evaluated websites attained Honor Roll status, compared to just 44 percent last year. Conversely, 42 percent of websites outright failed the assessment, meaning OTA finds them to be not trustworthy. (The remaining eight percent did not fail, nor did they demonstrate exemplary commitment to security and privacy.)
Interestingly, most of the websites that failed the audit did so due to a lack of domain, brand and consumer protections such as email authentication and domain-based message authentication. “In today's world of spear phishing and ransomware, the level of email authentication is still grossly inadequate in many sectors,” said Spiezle.
Twenty-seven percent of evaluated websites failed the “domain, brand and consumer protection” category, while 16 percent failed for poor privacy practices and 10 percent failed over insufficient site security.
The industry sector with the greatest number of websites on the Honor Roll this year – 72 percent – was the Consumer 100 – a mix of consumer service providers whose sites typically require creating an online account, including social networks, photo and file sharing exchanges and dating sites. “These are companies that are relatively new, and so they don't have the legacy shopping cart website design, they don't have the legacy banking infrastructure” that can sometimes bog down cutting-edge cybersecurity initiatives, explained Spiezle.
The financial services industry featured the next highest number of Honor Roll sites (55 percent), followed by federal government agencies (46 percent), retailers (44 percent) and news and media organizations (23 percent). Despite coming in last, the news media actually experienced a 300 percent year-over-year increase in the number of websites making the Honor Roll.
In Washington DC earlier today, the OTA held a public briefing to announce the results of its audit. Among the presenters was Congresswoman Suzan DelBene (D-Wash.). “We're in the dawn of an innovation era, with everything from cars to wristbands connecting to the Internet, producing unprecedented quantities of data. Consumers must feel they can trust that companies are taking steps to keep their data secure and private,” DelBene said in a statement emailed to SCMagazine.com.
Congressman John Ratcliffe (R-Texas), who also spoke at the event, commented separately to SCMagazine.com, "It's no longer possible to say one company or sector is vulnerable and others are not. We need to shift to conversations about building, or in many cases, re-building networks with security in mind. These efforts must focus on foundational protocols and principles that assume that any entity is as prone to being breached as another."