How do your websites stack up when it comes to consumer security and privacy protections? On the whole, when it comes to security and privacy best practices, social media sites are leading the way, while sites operated by banks and the U.S. government are lagging.
2011 has become known as the "Year of the Breach" due to the numerous high-profile data breaches that year, affecting companies like Sony, RSA, Epsilon, and NASDAQ. In all, according to the Verizon 2012 Data Breach Investigations Report, 2011 saw 855 data breach incidents and 174 million compromised records across 36 countries. The trend continued into 2012, starting in January with Zappos, which experienced a breach of 24 million records.
Verizon found the top causes of breaches in 2011 were hacking (81 percent of incidents, up from 50 percent in 2010) and malware (69 percent of incidents, up from 49 percent in 2010). Ninety-seven percent of the incidents were avoidable through simple steps and internal controls, Verizon found.
The Online Trust Alliance (OTA) has declared its mission to combat this trend. A non-profit group composed of academics and representatives from the public and private sectors, OTA is dedicated to developing and advocating best practices and policy concerning security and privacy. It recently released its fourth annual Online Trust Honor Roll to recognize sites for supporting security and privacy best practices.
"We believe it's important to not only publish best practices, but also to track adoption," explains Craig Spiezle, executive director and president of OTA. "We want to accelerate the adoption of best practices and recognize those companies that are doing the right thing. Hopefully we'll get others to follow."
Security and privacy honor roll factors
For the 2012 Honor Roll, OTA reviewed more than 1,200 sites using 10 criteria. Companies had to earn composite scores of 80 percent or higher across the 10 individual factors to earn the Honor Roll designation.
The factors included the following:
- Always On SSL (AOSSL)
- Domain Name System Security Extension (DNSSEC)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
- Email authentication (SPF and DKIM)
- Extended Validation SSL Certificates (EV SSL)
- FTC settlements since April 2010
- Privacy practices and data tracking by third parties
- Site SSL implementation and server configurations
- Site vulnerabilities and data breach loss incidents since April 2010
- Private domain registration as reported to ICANN
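Three of the factors above (SPF, DKIM and DMARC) are visible to anyone as DNS TXT records, which is how a site operator can verify its own standing before a third party scores it. The following checker is an added example written for this article, not OTA's scoring tool or methodology: it assesses a domain's e-mail authentication records and awards points under its own simple convention. The DNS records are constructed inline (example.com and example.org are reserved documentation domains, and the DKIM key value is a placeholder); a real check would fetch the records with a DNS resolver library instead.

```python
import re

# Constructed sample DNS TXT records (not real lookups); example.com shows a
# complete deployment, example.org a weak one (SPF +all, DMARC monitor-only,
# no DKIM key published).
CONSTRUCTED_TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "example.org": ["v=spf1 +all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
}


def parse_tag_value(record):
    """Parse a 'tag=value; tag=value' string (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records, domain):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?' or '+'),
    'no-all' if the record has no 'all' term, or None if no SPF record exists."""
    for txt in records.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
            if not match:
                return "no-all"
            return match.group(1) or "+"  # a bare 'all' defaults to '+'
    return None


def check_dkim(records, domain, selector):
    """True if a DKIM key record with a non-empty public key is published for the selector."""
    name = f"{selector}._domainkey.{domain}"
    for txt in records.get(name, []):
        tags = parse_tag_value(txt)
        if tags.get("v", "").upper() == "DKIM1" and tags.get("p"):
            return True
    return False


def check_dmarc(records, domain):
    """Return the DMARC policy ('none', 'quarantine' or 'reject'), or None if not published."""
    for txt in records.get(f"_dmarc.{domain}", []):
        tags = parse_tag_value(txt)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def score_email_auth(records, domain, selector="selector1"):
    """Assess the three e-mail authentication factors and return a summary.

    The scoring is this example's own convention, not OTA's: one point each
    for a strict SPF fail (-all), a published DKIM key, and an enforcing
    DMARC policy (quarantine or reject).
    """
    spf = check_spf(records, domain)
    dkim = check_dkim(records, domain, selector)
    dmarc = check_dmarc(records, domain)
    points = 0
    if spf == "-":
        points += 1
    if dkim:
        points += 1
    if dmarc in ("quarantine", "reject"):
        points += 1
    return {"spf_all": spf, "dkim": dkim, "dmarc_policy": dmarc, "points": points}


if __name__ == "__main__":
    for d in ("example.com", "example.org"):
        print(d, score_email_auth(CONSTRUCTED_TXT_RECORDS, d))
```

One caveat the code makes explicit: DKIM selectors are not discoverable from DNS alone, so the selector name has to come from the domain's own mail configuration or from a DKIM-Signature header on a received message. A DMARC record with p=none only requests reports and does not instruct receivers to act on failures, which is why the example treats it as unenforced.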
Nearly 30 percent of the sites reviewed earned the Honor Roll designation, with social media sites making the biggest gains: 52 percent of social media sites made the Honor Roll in 2012, compared with only 12 percent in 2011. Members of the social media Honor Roll include a who's who of social media sites, including Facebook, Google Plus, LinkedIn, Twitter and Zynga.