Government Best, Healthcare Worst in Protecting Consumer Data

April 16, 2019

An online audit of websites has found that consumer-facing U.S. government websites rank highest in security and privacy while healthcare comes in last.

The Internet Society’s Online Trust Alliance (OTA) identifies and promotes security and privacy best practices that build consumer confidence in the Internet.

The 10th annual Online Trust Audit & Honor Roll audited more than 1,200 predominantly consumer-facing websites, and was expanded this year to include payment services, video streaming, sports sites, and healthcare.

“From the global economy to daily individual interactions, more and more of our lives are conducted online. Yet every day brings headlines showing a lack of attention to consumer data and privacy protection,” said Jeff Wilbur, Technical Director of the Internet Society’s Online Trust Alliance. “The OTA Trust Audit & Honor Roll identifies organizations that place a premium on security and privacy, while shining a light on the sectors that have to work harder to earn society’s trust.”

The Audit found that 70 percent of analyzed websites qualified for the Honor Roll, the highest proportion ever, and up from 52 percent in 2017, driven primarily by improvements in email authentication and session encryption. The Federal government category surged to the front with 91 percent of sites placing on the honor roll, a dramatic turnaround from 2017 when government sites had bottomed out at 39 percent recognition. The Federal category supplanted last year’s winner, consumer services, which finished second this year at 85 percent (OTA considers consumer services any website that requires consumers to create an online account such as social media, payment services, video streaming, file sharing, or dating).

Healthcare, a new sector this year that includes pharmacies, testing labs, insurance companies, and hospital chains, had the lowest overall honor roll placement at 57 percent. Followed by ISPs, carriers, hosters and email providers at 63 percent.

Overall, the audit found a strong move toward encryption, with 93 percent of sites encrypting all web sessions (compared to 52 percent in 2017). Email authentication is also at record highs; 76 percent of sites use both SPF and DKIM (versus 48 percent in 2017) and 50 percent have a DMARC record (versus 34 percent previously). One growth opportunity is use of mechanisms for vulnerability reporting, which rose sharply in online retail, news and hosting companies, but were used by only 11 percent of organizations overall.

Industry Highlights – From best to worst performing industries:

1. Government: (2017: 5th) 91 percent of audited U.S. federal government sites made the Honor Roll. Government sites scored highest in site security (94 percent), DMARC adoption (93 percent) and policy enforcement (83 percent), and IPv6 adoption (46 percent).

2. Consumer Services: (2017: 1st) 85 percent of audited consumer services sites made the Honor Roll. These sites led in adoption of email authentication (96 percent) and scoring for overall privacy practices (76), and had the highest use of vulnerability reporting (43 percent). Unfortunately, they also had the highest breach rate (34 percent).

3. News & Media: (2017: 3rd) This category was expanded to include sports sites. Significant improvement to an 78 percent score (vs 48 percent in 2017), thanks largely to nearly quadrupling use of always-encrypted sessions.

4. FDIC 100 Banks: (2017: last) Banks made significant improvement to 73 percent, nearly triple 2017’s dismal 27 percent ranking, showing significant improvement in email authentication, the highest use of extended validation certificates (more than double the next closest sector) and lowest instance of cross-site scripting.

5. Internet Retailers: (2017: 2nd) While 65 percent of internet retailers made the honor roll, better than last year’s 51 percent, this sector was outpaced by improvements in most other sectors. Email authentication improved, but privacy failures rose nearly 50 percent due to third party data sharing.

6. ISPs, Carriers, Hosters & Email Providers: (2017: 4th) 63 percent of companies in this category made the Honor Roll, a solid improvement over 2017’s 46 percent, thanks largely to significant improvement in email authentication.

7. Healthcare: (2017: unranked) This new sector showed the lowest overall placement on the Honor Roll at 57 percent, largely due to sparse adoption of email authentication and always-encrypted sessions. The industry did show the second highest scores for privacy.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

This webinar will cover additional, and often overlooked, security risks and mitigation strategies for cannabis businesses, including vaults and storage, guards and transportation.

Poll

Business Travel Security

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Government Best, Healthcare Worst in Protecting Consumer Data

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Government Best, Healthcare Worst in Protecting Consumer Data

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.