Websites run by the country’s largest banks and the U.S. federal government scored the poorest in a new security and privacy analysis.
The non-profit Online Trust Alliance (OTA) Alliance anonymously audited more than 1,000 websites for their site security, email security and privacy practices, without the sites knowing they were being watched.
The OTA’s 2017 Online Trust Audit & Honor Roll found that many of the companies and government agencies that operate some widely-used websites drop the ball when it comes to security and responsible privacy practices.
Slightly more than half (52 percent) of the audited sites qualified for the OTA’s Honor Roll – a five percent improvement from 2016 and up from just 30 percent in 2014.
Websites run by the country’s largest banks and the federal government had the most failing grades and fewest Honor Roll recipients of the six categories studied.
To make the Honor Roll, a site must achieve an overall score of 80 percent or higher in three core categories – consumer protection, site security, and privacy – with no failures in any category.
“We look at the end-to-end user experience on the site: How secure is the data being held, what are their privacy policies and what do they do to protect users from fraud,” said Craig Spiezle, OTA founder and chairman emeritus. "We use the same tools that are available to anyone, including cyber criminals.”
While pleased that things are moving in the right direction, Spiezle believes the results of this ninth annual audit underscore the urgent need for all website operators to embrace and ensure responsible security and privacy practices.
“The internet economy runs on data,” Spiezle told NBC News. “If this data is not secure and users have negative experiences, this ultimately threatens the future growth and revenue potential of the internet.”
“If web sites, and especially banking websites, cannot pass such a basic level of audit, then the risk is that they are also failing to tackle the tougher, deeper privacy issues that can impact consumers,” Dixon said.
Failing grades for federal websites
Sixty percent of the 100 U.S. government sites audited received failing grades. Only 39 percent made the Honor Roll, a significant drop from last year’s 46 percent.
Top of Class honors went to the Census Bureau, Department of Education (grants and aid), Healthcare.gov (Dept. of Health and Human Services), Federal Communications Commission (FCC), Federal Deposit Insurance Corporation (FDIC) and US Postal Service store.
While the Online Trust Alliance normally does not publish the names of sites that fail its audit, Spiezle provided NBC News with the government sites that did not receive a passing score.
They include: Commerce Department, Congress, Consumer Financial Protection Bureau, CIA, Defense Department, Federal Reserve, Office of Management and Budget, HUD, ICE, IRS, Medicare, SEC, Treasury, TSA, US Patent Office and Veterans Affairs.
The government should be “walking the talk” when it comes to security, Spiezle said. He hopes the Trump administration will work to improve security and privacy issues.
NBC News emailed Rob Joyce, White House Cybersecurity Coordinator, to ask about the poor showing in this report, but we did not receive a response.
The banking sector saw the biggest drop this year. Only 27 percent of the country’s 100 largest banks made the honor roll, down from 55 percent in 2016. Until now, the banking sector had shown consistent and significant improvement.
The OTA report says the decline was predominately due to “increased breaches, low privacy scores and low levels of email authentication.”
Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association (ABA), questioned OTA’s results and some of the data used to make its evaluation. For example, OTA says 24 percent of the top 100 FDIC banks had large data breaches last year. ABA insists the figure is much lower.
“We absolutely take privacy and security very seriously,” Johnson said. “It’s really all about trust. If we don’t have the trust of our customers, then we don’t have anything. We’ve always been looked at as a model for security, held out as a template for other sectors to abide by in terms of security.”
Big banks have generally good website security, the OTA audit found, but the sector falls short on email security. Johnson said that’s because banks communicate less with their customers by email.
“We can always do better and we will look at the results to see how we can better do that,” Johnson said.
More must be done
Online trust is critical to a digital society, but we are far from reaching that goal. As the OTA report noted:
“Increasingly data is the ‘oil’ of the internet economy. It is fueling innovation, growth and revenue, yet if abused or spilled (breached), there is risk of a negative impact to trust and vitality of the Internet. The Audit and failing grades by many sites underscores the urgency to embrace responsible security and privacy practices.”