This year, for the first time, more than half (52%) of the 1,000 sites monitored by the Online Trust Alliance (OTA) qualified for the Honor Roll. The OTA Honor Roll is awarded to sites that reach an overall score of 80% or higher with no failure in any of the three core categories (consumer protection, security, and privacy protection practices). One of the OTA's primary roles is to raise the level of digital data security and privacy and to enhance online trust.
The 1,000 sites included in the 2017 OTA Honor Roll audit:
- Internet Retailer Top 500
- Top 100 Banks
- Top 100 U.S. Federal Government sites
- Top 100 Consumer Service sites
- Top 100 News and Media sites
- Top 100 ISPs, Carriers & Hosters (new this year)
- OTA Member Organizations
- 76% of the Top 100 consumer service sites made the Honor Roll. This segment accounted for 26 of the top 50 consumer-facing sites (52%).
- 51% of the top 500 Internet retailers made the Honor Roll, a 44% increase from last year. This segment accounted for 10 of the top 50 consumer-facing sites (20%).
- 48% of news and media sites made the Honor Roll this year, the most significant improvement over last year of any industry. In 2016, only 26% of media and news sites made the Honor Roll, making it the worst-performing segment. This segment accounts for three of the top 50 consumer-facing sites (6%).
- 46% of ISPs, carriers, hosters & email providers made the Honor Roll. This segment accounts for seven of the top 50 consumer-facing sites (14%).
- 39% of audited U.S. federal government sites made the Honor Roll, down from 46% last year. Notably, 60% of government sites received a failing grade.
- 27% of FDIC 100 banks made the Honor Roll, a significant decline from 55% last year. The decline is mainly due to an increase in breaches, low privacy scores and low levels of email authentication. A full 65% of FDIC 100 banks received a failing grade.
Overall, failures varied widely by sector. In total, 46.5% of all sites failed in one or more areas. Top failures included inadequate email authentication among the Fed 100 (55% failing) and inadequate privacy policies in the banking sector (34% failing). Interestingly, consumer sites demonstrated a much higher level of transparency in their privacy disclosures, with only 4% failing here.
With the General Data Protection Regulation (GDPR) implementation deadline approaching in Europe (May 25, 2018), it’s important for all participants to have a readiness plan. This requires revisiting security risks, disclosures and related privacy practices.
The OTA recommended best practices include:
- Implement both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for top-level domains, “parked” domains (not used for email) and any major subdomains seen on websites or used for email.
- Optimize SPF records with no more than 10 DNS lookups.
- Implement Domain-based Message Authentication, Reporting and Conformance (DMARC), initially in “monitor” mode to collect receiver feedback and verify that legitimate email is authenticating correctly.
- Mandate the use of DMARC reporting by publishing both RUA (addresses to which aggregate feedback is sent) and RUF (addresses to which message-specific forensic reports are sent) addresses in the record.
- Implement inbound email authentication checks and DMARC on all networks to help protect against malicious email and spear phishing purporting to come from legitimate senders.
- Ensure that domains are locked to prevent domain takeovers.
- Implement opportunistic TLS to protect email in transit between mail servers.
- Implement Domain Name System Security Extensions (DNSSEC) to help protect a site’s DNS infrastructure.
- Deploy Internet Protocol version 6 (IPv6).
- Implement Distributed Denial of Service (DDoS) mitigation technologies and processes.
- Implement multi-factor authentication.
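As an added example (not code from the OTA report), the following Python script applies two of the checks above, the SPF limit of 10 DNS lookups and the presence of a DMARC record with RUA and RUF addresses, to constructed TXT records that stand in for live DNS; the domain names and records are made up, and a real check would query DNS instead of the `ZONE` table.

```python
import re

# Constructed TXT records standing in for live DNS lookups (reserved example
# names, not real domains). A real check would query each name's TXT records.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test a mx ~all"],
    "_spf.mailer.test": ["v=spf1 include:_spf2.mailer.test ip4:192.0.2.0/24 -all"],
    "_spf2.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 a mx mx:relay.crm.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:agg@example.test; ruf=mailto:fail@example.test"],
    # Over-sized record: eleven includes, one more than the limit, and no DMARC record.
    "bloated.test": ["v=spf1 " + " ".join(f"include:svc{i}.test" for i in range(11)) + " -all"],
}
for i in range(11):
    ZONE[f"svc{i}.test"] = [f"v=spf1 ip4:203.0.113.{i} -all"]

# SPF terms that each cost a DNS query against the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def txt_record(name, prefix):
    return next((t for t in ZONE.get(name, []) if t.lower().startswith(prefix)), None)

def count_spf_lookups(domain, path=()):
    """Count lookup-costing terms, following include:/redirect= recursively (loops stop)."""
    record = txt_record(domain, "v=spf1")
    if domain in path or record is None:
        return 0
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term, re.I)
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_spf_lookups(target, path + (domain,))
    return total

def dmarc_status(domain):
    """Return {'p': policy, 'rua': bool, 'ruf': bool}, or None if no DMARC record is published."""
    record = txt_record("_dmarc." + domain, "v=dmarc1")
    if record is None:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p"), "rua": "rua" in tags, "ruf": "ruf" in tags}

def audit(domain):
    """OTA checks: SPF within 10 lookups; DMARC published with both RUA and RUF addresses."""
    lookups, dmarc = count_spf_lookups(domain), dmarc_status(domain)
    return {"spf_lookups": lookups, "spf_ok": lookups <= MAX_LOOKUPS, "dmarc": dmarc,
            "dmarc_reporting_ok": bool(dmarc and dmarc["rua"] and dmarc["ruf"])}
```

Each `include:` counts once per evaluation, so a subdomain included from two places is charged twice, which is how receivers apply the limit.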
It’s important for organizations of all types to adopt responsible practices in privacy and data stewardship to ensure a positive user experience.