Social Sites Beat Retailers and Banks for Consumer Protection and Privacy

For the second year in a row, social media sites (including gaming and dating sites) are leading the way in consumer security and privacy protections, beating out Internet retailers and banks, according to an annual comprehensive audit by the Online Trust Alliance (OTA).

While social sites led the pack in OTA's audit, the general trend in consumer security and privacy protection is positive across all sectors, says Craig Spiezle, president and executive director of OTA. The sites that performed best in adopting 14 industry-accepted best practices, open standards and privacy practices, together with criteria and best practices advocated by the U.S. Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST), were named to OTA's Online Trust Honor Roll.

Thirty-two percent of the companies audited by the OTA qualified for the Honor Roll this year, up from 30 percent last year, even though Spiezle says the criteria were tightened in several areas. Nearly half (121) of the companies that achieved the Honor Roll had also been Honor Roll recipients in last year's audit. However, 47 percent of the companies that made the Honor Roll in 2012 did not qualify for the 2013 Honor Roll.

"The bar has risen significantly," Spiezle says. "We were very pleasantly surprised that the number of audited companies making the honor roll went up from 30 percent to 32 percent. We did not anticipate that."

"Being named to the 2013 Online Trust Honor Roll is a significant achievement," he adds. "The adoption of best practices not only helps to protect customers, it also builds brand integrity, enhances click through and reduces the risk of shopping cart abandonment."

Metrics Considered for Online Trust Honor Roll

OTA audited more than 750 domains and privacy policies, more than 10,000 web pages and more than 500 million emails associated with the Internet Retailer 500 (IR500), the Federal Deposit Insurance Corporation 100 (FDIC 100), the Social 50 and the Federal Government 50 sites. OTA identified and evaluated three key areas of competency that Spiezle says are essential to maximizing online trust:

Domain, brand and consumer protection: This area included a review of best practices with regard to email authentication, Domain-based Message Authentication, Reporting and Conformance (DMARC) and domain locking.

Site, server and infrastructure security: This area included a review of best practices with regard to SSL server configuration, Extended Validation SSL certificates (EV SSL), Always-On SSL (AOSSL), 2048-bit RSA or elliptic curve cryptography (ECC) certificates and Domain Name System Security Extensions (DNSSEC).

Data protection, privacy and transparency: This area included a review of best practices with regard to privacy policy and third-party tracking, honoring of Do Not Track browser settings (DNT) and public vs. private WHOIS registration; this area also took into account data breach and data loss incidents and FTC/state settlements.

Companies had to receive a composite score of 80 percent or more of the available points to qualify for the honor roll. Additionally, a new requirement was added this year: The companies had to score at least 55 percent of the points in each of the three major categories of brand/domain protection, site security and privacy policies and practices.

"We really believe that trust and security is like a chain," Spiezle explains. "You're only as secure as your weakest link."

"One of the areas that we're really pushing is the need to move from a compliance perspective to one of stewardship: from what you have to do to comply to what you can do that's above and beyond," he adds.

Twitter Takes Top Consumer Security, Privacy Honors

Spiezle notes that Twitter, which achieved the highest composite score of any of the companies audited, is an exemplar of that approach.

"Twitter is pleased to have earned the top score on the OTA Honor Roll," says Bob Lord, director of information security at Twitter. "By supporting Always-on SSL, Do Not Track, DMARC and most recently login verification, we aim to keep users connected securely to everything happening in the global town square."

Companies in the Social 50 outpaced both the IR500 and FDIC 100 two to one in the percentage of companies qualifying for the Honor Roll. Spiezle notes that companies focused on social tend to be much newer, which in turn tends to make them more agile, as they are less dependent on legacy technologies. Many banks and commerce sites are saddled with complex legacy sites and data centers that impede their ability to quickly adopt best practices.

Retailers Improving Adoption of Best Practices

Of the Internet Retailer 500, 26 percent achieved the Honor Roll, up slightly from 25 percent in 2012. Brooklyn, Ohio-based American Greetings, the world's largest publicly traded greeting card company, won the top score in the retailer category.

"Through an ongoing process we have evolved our data security and privacy practices from one of compliance to one of stewardship," says Joseph Yanoska, vice president, technology, American Greetings. "We're honored by the recognition the OTA has given us, and are committed to supporting their efforts. We share and embrace their approach to security and hope that it results in a higher level of trust from our customer base."

While retailers overall improved their rating in the 2013 audit, Spiezle says that 74 percent have not fully adopted best practices, and 53 percent of retailers that did not qualify for the Honor Roll failed to achieve passing scores in one or more categories, which unnecessarily exposes their users to security, privacy and social engineering threats.

Banks Show Most Security Improvements, Still Have Long Way to Go

FDIC member banks showed the most improvement over last year: 25 percent of them made the Honor Roll in 2013, up from 22 percent in 2012. The banking sector also led in the adoption of EV SSL certificates with a 60 percent uptake rate. Retailers were second in the adoption of EV SSL, with a 33 percent adoption rate.

However, of those banks that did not qualify for the Honor Roll, 71 percent received failing grades in one or more categories, which OTA largely attributes to inadequate email and domain protection, or to outdated privacy policies whose written terms did not match the data collection actually observed on the sites.

As for top U.S. Government sites, OTA says they made improvement across all sectors in 2013, achieving 88 percent support of DNSSEC. However, OTA also found that these sites significantly lagged in helping protect consumers from forged and deceptive email and securing their sites from known vulnerabilities. Only 20 percent of government sites adopted both SPF and DKIM, and one-third received failing grades for their SSL server security.
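The email-authentication controls the audit scores (SPF, DKIM and DMARC, listed under "Domain, brand and consumer protection" above and called out again in the government findings) are all published as DNS TXT records, so an organization can check its own posture before an auditor does. The following is an added example, not OTA's audit tooling or code from the article: it takes a dictionary of TXT records (constructed sample records for two hypothetical domains are embedded so it runs offline; in live use the records would be fetched with a DNS resolver) and reports whether SPF fails unauthorized senders, whether a DKIM key is published for the checked selectors, and whether the DMARC policy is enforcing rather than monitor-only. The selector names `s1` and `default` are assumptions, not values from the page.

```python
"""Offline assessor for SPF, DKIM and DMARC posture (example code,
not OTA's audit method). DNS TXT records are passed in as a dict so
the check runs without network access."""
import re

# Constructed sample TXT records for two hypothetical domains.
SAMPLE_DNS = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
    "weak.example": ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def find_record(txt_records, name, prefix):
    """Return the first TXT record at `name` starting with `prefix` (case-insensitive)."""
    for rec in txt_records.get(name, []):
        if rec.lower().startswith(prefix.lower()):
            return rec
    return None


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC/DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_terminal(record):
    """Return the SPF 'all' mechanism with its qualifier ('-all', '~all', '+all', '?all').
    A bare 'all' means '+all' (pass everything), which is the weakest setting."""
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    if not match:
        return None
    return (match.group(1) or "+") + "all"


def assess_email_auth(txt_records, domain, dkim_selectors=("s1", "default")):
    """Evaluate SPF, DKIM and DMARC for `domain` and list the gaps found."""
    findings = {}

    spf = find_record(txt_records, domain, "v=spf1")
    findings["spf_present"] = spf is not None
    findings["spf_terminal"] = spf_terminal(spf) if spf else None

    dmarc = find_record(txt_records, f"_dmarc.{domain}", "v=DMARC1")
    findings["dmarc_present"] = dmarc is not None
    findings["dmarc_policy"] = parse_tags(dmarc).get("p", "none").lower() if dmarc else None

    # DKIM keys live at <selector>._domainkey.<domain>; selectors are assumed names here.
    findings["dkim_selectors_found"] = [
        sel for sel in dkim_selectors
        if find_record(txt_records, f"{sel}._domainkey.{domain}", "v=DKIM1")
    ]

    issues = []
    if not spf:
        issues.append("no SPF record")
    elif findings["spf_terminal"] in ("+all", None):
        issues.append("SPF does not fail unauthorized senders")
    if not findings["dkim_selectors_found"]:
        issues.append("no DKIM key found for checked selectors")
    if not dmarc:
        issues.append("no DMARC record")
    elif findings["dmarc_policy"] == "none":
        issues.append("DMARC policy is p=none (monitor only)")
    findings["issues"] = issues
    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "absent.example"):
        result = assess_email_auth(SAMPLE_DNS, name)
        print(name, "->", result["issues"] or ["no issues found"])
```

The `issues` list maps directly onto the audit's "forged and deceptive email" criterion: a domain that publishes SPF with `-all`, a DKIM key and a DMARC policy of `quarantine` or `reject` comes back clean, while `+all` or `p=none` is flagged even though a record technically exists. To run it against a real domain, replace the dictionary lookup with TXT queries from a resolver such as dnspython's `dns.resolver.resolve(name, "TXT")` and join each record's strings before passing them in.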

"The 2013 report demonstrates how business leaders have recognized the need to move from compliance to stewardship," Spiezle says. "This is critical to consumer trust and to help stem the call for more regulation. The Online Trust Honor Roll report provides prescriptive and actionable guidance for businesses to move from a state of inaction to one which will enhance consumer protection."

Stories by Thor Olavsrud
