Social media sites lead the way for security, privacy best practices

How do your Websites stack up when it comes to consumer security and privacy protections? On the whole, when it comes to security and privacy best practices, social media sites are leading the way, while sites operated by banks and the U.S. government are lagging.

2011 has become known as the "Year of the Breach" due to the numerous high-profile data breaches that year, affecting companies like Sony, RSA, Epsilon and NASDAQ. In all, according to the Verizon 2012 Data Breach Investigations Report, 2011 saw 855 data breach incidents and 174 million compromised records across 36 countries. The trend continued into 2012, starting in January with Zappos, which experienced a breach of 24 million records.

Verizon found the top causes of breaches in 2011 were hacking (81 percent of incidents, up from 50 percent in 2010) and malware (69 percent of incidents, up from 49 percent in 2010). Ninety-seven percent of the incidents were avoidable through simple steps and internal controls, Verizon found.

The Online Trust Alliance (OTA) has declared its mission to combat this trend. A non-profit group composed of academics and representatives from the public and private sectors, OTA is dedicated to developing and advocating best practices and policy concerning security and privacy. It recently released its fourth annual Online Trust Honor Roll to recognize sites for supporting security and privacy best practices.

"We believe it's important to not only publish best practices, but also to track adoption," explains Craig Spiezle, executive director and president of OTA. "We want to accelerate the adoption of best practices and recognize those companies that are doing the right thing. Hopefully we'll get others to follow."

Security and Privacy Honor Roll Factors

For the 2012 Honor Roll, OTA reviewed more than 1,200 sites using 10 criteria. Companies had to earn composite scores of 80 percent or higher across the 10 individual factors to earn the Honor Roll designation.

The factors included the following:

  • Always On SSL (AOSSL)

  • Domain Name System Security Extensions (DNSSEC)

  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

  • Email authentication (SPF and DKIM)

  • Extended Validation SSL Certificates (EV SSL)

  • FTC settlements since April 2010

  • Privacy practices and data tracking by third parties

  • Site SSL implementation and server configurations

  • Site vulnerabilities and data breach loss incidents since April 2010

  • Private domain registration as reported to ICANN

Nearly 30 percent of the sites reviewed earned the Honor Roll designation, with social media sites making the biggest gains: 52 percent of social media sites made the Honor Roll in 2012, compared with only 12 percent in 2011. Members of the social media Honor Roll include a who's who of social media sites, including Facebook, Google Plus, LinkedIn, Twitter and Zynga.

Spiezle believes social media sites have made big gains because their infrastructure tends to be newer, so they sidestep much of the complexity that sites built on older, legacy infrastructure have to deal with. He adds that these sites have recognized that countering online abuse and fraud is essential to their business.

"Twitter and so many other social sites, to their credit, have adopted best practices," he says. "They recognize that their infrastructure is not nearly as complex as some of the older sites or businesses that have been around, and they take advantage of that."

Federal Sites Are Lagging in Best Practices Implementation

Federal government sites made gains according to OTA's criteria but still found themselves trailing other sectors. OTA found that only 58 percent of the top 50 federal sites had implemented email authentication (SPF or DKIM), up from 38 percent in 2011. The federal sites averaged a score of 68 in their implementation of SSL on a 1 to 100 scale; 26 percent have implemented EV SSL and 70 percent have implemented DNSSEC.

FDIC sites did somewhat better. OTA found 69 percent of the top 100 FDIC sites had implemented email authentication. The FDIC sites averaged 76 in their implementation of SSL on a 1 to 100 scale; 55 percent had implemented EV SSL. The sites averaged a privacy score of 58.52 on a 1 to 100 scale.

Meanwhile, 97 percent of the top 100 ecommerce sites have implemented email authentication, and their average SSL implementation scored 75.88 on a scale of 1 to 100. They averaged a privacy score of 61.16 on a scale of 1 to 100.

Holistic View of Data Protection Needed

"We can't look at security and privacy in isolation," Spiezle says. "I think that one of the challenges is we need to take a more holistic view of data protection. We need security by design and privacy by design. It can't be in silos."

"Our message is that you need to move off the concept of compliance to the concept of stewardship," he adds. "Compliance is the floor, the minimum amount you need to do. What we're really trying to do is elevate that discussion. Stewardship is really important and we need to up the investment. We need to be proactive. There are only two types of companies: companies that have had a breach and companies that will have a breach."

To achieve the concept of stewardship, OTA is calling on all financial institutions, commerce sites and consumer-facing government sites to implement the following measures by Nov. 1, 2012:

  • Implement both SPF and DKIM across all domains and subdomains

  • Publish DMARC records

  • Improve the SSL implementation score

  • Upgrade to EV SSL certificates and consider adopting Always On SSL

  • Adopt OTA's Top 10 Recommendations for business, consumer and brand protection

  • Review privacy policies and audit all third-party tracking and applications added to sites

  • Initiate planning and deployment of DNSSEC

  • Review WHOIS information
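The first two measures above (SPF and DKIM on every domain, DMARC records published) are things a site operator can verify from its own DNS. The following script is an added example, not code from OTA or the article: it evaluates a domain's SPF, DKIM and DMARC publication in the way the Honor Roll criteria describe. The DNS answers are constructed and stand in for a live resolver, and the DKIM selector names are assumed.

```python
# Constructed TXT answers standing in for a DNS resolver (not live lookups).
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSq...(constructed)"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(domain, resolver):
    spf = [r for r in resolver.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or more than one SPF record is a failed publication
        return {"present": False, "strict": False}
    last = spf[0].split()[-1].lower()
    # Only "-all" (fail) or "~all" (softfail) actually constrain unlisted senders.
    return {"present": True, "strict": last in ("-all", "~all")}

def check_dkim(domain, selectors, resolver):
    """DKIM keys live under <selector>._domainkey.<domain>; 'v' defaults to DKIM1."""
    for sel in selectors:
        for rec in resolver.get(f"{sel}._domainkey.{domain}", []):
            tags = parse_tags(rec)
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
                return True
    return False

def check_dmarc(domain, resolver):
    for rec in resolver.get(f"_dmarc.{domain}", []):
        tags = parse_tags(rec)
        if tags.get("v", "").upper() == "DMARC1":
            return {"present": True, "policy": tags.get("p", "none").lower()}
    return {"present": False, "policy": None}

def assess(domain, selectors=("mail", "default"), resolver=DNS_TXT):
    """Summarise the SPF, DKIM and DMARC factors for one domain."""
    spf, dmarc = check_spf(domain, resolver), check_dmarc(domain, resolver)
    return {"spf": spf["present"], "spf_strict": spf["strict"],
            "dkim": check_dkim(domain, selectors, resolver),
            "dmarc": dmarc["present"], "dmarc_policy": dmarc["policy"],
            "dmarc_enforcing": dmarc["policy"] in ("quarantine", "reject")}
```

A record that merely exists does not satisfy the intent of the measure: `weak.example` publishes SPF and DMARC, yet `+all` authorises any sender and `p=none` enforces nothing, so the assessment flags both.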

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for Follow Thor on Twitter @ThorOlavsrud. Follow everything from on Twitter @CIOonline and on Facebook. Email Thor at
