Half of All Websites Tested Failed Security and Privacy Assessment

Tuesday, June 23, 2015

Anthony M. Freed


Half of the nearly 1000 websites evaluated in the 2015 Online Trust Audit & Honor Roll study conducted by the Online Trust Alliance (OTA) were found to be failing to protect consumer’s personal data and privacy.

News and media websites had the lowest overall scores at an 80% fail rate, and for the third consecutive year Twitter scored highest among all websites tested.

The OTA, a non-profit organization that works to enhance online trust, announced the results of its seventh annual website security audit, grading some of the most popular websites based on dozens of criteria in three main categories: Consumer protection, privacy, and website security.

This year’s audit was expanded and include the websites of the top fifty leadingInternet of Things (IoT) device makers, companies which offer wearable technologies and Internet connected home products, finding that 76% of the websites failed the assessment.

The media and IoT sectors scored poorly primarily due to the lack of adequate privacy policies and substandard domain and protections to prevent the loss of consumer’s personal and financial information.

“The results of this audit serve as a wake-up call to Internet of Things companies who are handling highly sensitive, dynamic and personal data,” said Craig Spiezle, Executive Director and President of OTA.

“In rushing their products to market without first addressing critical data management and privacy practices, they are putting consumers at risk and inviting regulatory oversight.”

Despite setting the most difficult criteria for this year’s audit, the OTA found that 44% of the websites evaluated across multiple sectors qualified for organization’s 2015 Honor Roll, a significant improvement over last year’s level of 30%.

None-the-less, 46% of all websites audited failed completely, with an additional 10% failing to perform well enough to earn an Honor Roll status, where a failure indicates that the website is vulnerable to exploits, is not protecting consumers from phishing and social engineering threats, or has insufficient privacy policies and disclosure policies.

Top scorers in each industry:

  • Banking: USAA Federal Savings Bank
  • Government: Federal Deposit Insurance Corporation (FDIC)
  • Internet of Things: Dropcam
  • News/Media: Bloomberg Businessweek
  • Retail: American Greetings Interactive
  • Social Media: Twitter

Industry Highlights:

  • Retailers: The retail sector saw the largest increase in Honor Roll qualification, from 24% of evaluated websites in 2014 to 42% in 2015
  • Banks: The banking industry also saw a major uptick in Honor Roll qualifications, from 33% of evaluated websites in 2014 to 46% in 2015
  • Social Media: Websites in the social networking category boasted the highest percentage of Honor Roll qualifiers among industries at 58%
  • Government: This sector amassed the highest average privacy score among all evaluated industries, with 42% of government sites making the Honor Roll
  • News: Media websites fared even worse than the IoT sector, with only 8% qualifying for the Honor Roll, and 80% failing due to poor email authentication privacy standards

“Our audit and Honor Roll program rewards companies for a commitment to data stewardship, security and privacy policies that protect against cybercrime’s escalating threats,” said Spiezle.

“OTA commends the companies whose dedication to responsible data practices earned them a place on our list. At the same time, it is concerning to see others remain complacent, failing to embrace responsible practices year after year.”

This was cross-posted from the Dark Matters blog.

Budgets Enterprise Security Policy Security Awareness Security Training Breaches CVE DB Vulns US-CERT Privacy Vulnerabilities Webappsec->General
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.