Government Best, Healthcare Worst in Protecting Consumer Data

April 16, 2019

An online audit of websites has found that consumer-facing U.S. government websites rank highest in security and privacy while healthcare comes in last.

The Internet Society’s Online Trust Alliance (OTA) identifies and promotes security and privacy best practices that build consumer confidence in the Internet.

The 10th annual Online Trust Audit & Honor Roll audited more than 1,200 predominantly consumer-facing websites, and was expanded this year to include payment services, video streaming, sports sites, and healthcare.

“From the global economy to daily individual interactions, more and more of our lives are conducted online. Yet every day brings headlines showing a lack of attention to consumer data and privacy protection,” said Jeff Wilbur, Technical Director of the Internet Society’s Online Trust Alliance. “The OTA Trust Audit & Honor Roll identifies organizations that place a premium on security and privacy, while shining a light on the sectors that have to work harder to earn society’s trust.”

The Audit found that 70 percent of analyzed websites qualified for the Honor Roll, the highest proportion ever, and up from 52 percent in 2017, driven primarily by improvements in email authentication and session encryption. The Federal government category surged to the front with 91 percent of sites placing on the honor roll, a dramatic turnaround from 2017 when government sites had bottomed out at 39 percent recognition. The Federal category supplanted last year’s winner, consumer services, which finished second this year at 85 percent (OTA considers consumer services any website that requires consumers to create an online account such as social media, payment services, video streaming, file sharing, or dating).

Healthcare, a new sector this year that includes pharmacies, testing labs, insurance companies, and hospital chains, had the lowest overall honor roll placement at 57 percent. Followed by ISPs, carriers, hosters and email providers at 63 percent.

Overall, the audit found a strong move toward encryption, with 93 percent of sites encrypting all web sessions (compared to 52 percent in 2017). Email authentication is also at record highs; 76 percent of sites use both SPF and DKIM (versus 48 percent in 2017) and 50 percent have a DMARC record (versus 34 percent previously). One growth opportunity is use of mechanisms for vulnerability reporting, which rose sharply in online retail, news and hosting companies, but were used by only 11 percent of organizations overall.

Industry Highlights – From best to worst performing industries:

1. Government: (2017: 5th) 91 percent of audited U.S. federal government sites made the Honor Roll. Government sites scored highest in site security (94 percent), DMARC adoption (93 percent) and policy enforcement (83 percent), and IPv6 adoption (46 percent).

2. Consumer Services: (2017: 1st) 85 percent of audited consumer services sites made the Honor Roll. These sites led in adoption of email authentication (96 percent) and scoring for overall privacy practices (76), and had the highest use of vulnerability reporting (43 percent). Unfortunately, they also had the highest breach rate (34 percent).

3. News & Media: (2017: 3rd) This category was expanded to include sports sites. Significant improvement to an 78 percent score (vs 48 percent in 2017), thanks largely to nearly quadrupling use of always-encrypted sessions.

4. FDIC 100 Banks: (2017: last) Banks made significant improvement to 73 percent, nearly triple 2017’s dismal 27 percent ranking, showing significant improvement in email authentication, the highest use of extended validation certificates (more than double the next closest sector) and lowest instance of cross-site scripting.

5. Internet Retailers: (2017: 2nd) While 65 percent of internet retailers made the honor roll, better than last year’s 51 percent, this sector was outpaced by improvements in most other sectors. Email authentication improved, but privacy failures rose nearly 50 percent due to third party data sharing.

6. ISPs, Carriers, Hosters & Email Providers: (2017: 4th) 63 percent of companies in this category made the Honor Roll, a solid improvement over 2017’s 46 percent, thanks largely to significant improvement in email authentication.

7. Healthcare: (2017: unranked) This new sector showed the lowest overall placement on the Honor Roll at 57 percent, largely due to sparse adoption of email authentication and always-encrypted sessions. The industry did show the second highest scores for privacy.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.