Spiezle believes social media sites have made big gains because their infrastructure tends to be newer, so they sidestep much of the complexity that sites running on older, legacy infrastructure have to deal with. He adds that these sites have recognized that countering online abuse and fraud is essential to their business.
"Twitter and so many other social sites, to their credit, have adopted best practices," he says. "They recognize that their infrastructure is not nearly as complex as some of the older sites or businesses that have been around, and they take advantage of that."
Federal sites are lagging in best practices implementation
Federal government sites made gains according to OTA's criteria but still found themselves trailing other sectors. OTA found that only 58 percent of the top 50 federal sites had implemented email authentication (SPF or DKIM), up from 38 percent in 2011. The federal sites averaged a score of 68 in their implementation of SSL on a 1 to 100 scale; 26 percent have implemented EVSSL and 70 percent have implemented DNSSEC.
FDIC sites did somewhat better. OTA found 69 percent of the top 100 FDIC sites had implemented email authentication. The FDIC sites averaged 76 in their implementation of SSL on a 1 to 100 scale; 55 percent had implemented EVSSL. The sites averaged a privacy score of 58.52 on a 1 to 100 scale.
Meanwhile, 97 percent of the top 100 ecommerce sites have implemented email authentication, and their average SSL implementation scored 75.88 on a scale of 1 to 100. They averaged a privacy score of 61.16 on a scale of 1 to 100.
Holistic view of data protection needed
"We can't look at security and privacy in isolation," Spiezle says. "I think that one of the challenges is we need to take a more holistic view of data protection. We need security by design and privacy by design. It can't be in silos."
"Our message is that you need to move off the concept of compliance to the concept of stewardship," he adds. "Compliance is the floor, the minimum amount you need to do. What we're really trying to do is elevate that discussion. Stewardship is really important and we need to up the investment. We need to be proactive. There are only two types of companies: companies that have had a breach and companies that will have a breach."
To achieve the concept of stewardship, OTA is calling on all financial institutions, commerce sites and consumer-facing government sites to implement the following measures by Nov. 1, 2012:
- Implement both SPF and DKIM across all domains and subdomains
- Publish DMARC records
- Improve the SSL implementation score
- Upgrade to EV SSL certificates and consider adopting Always On SSL
- Adopt OTA's Top 10 Recommendations for business, consumer and brand protection
- Review privacy policies and audit all third-party tracking and applications added to sites
- Initiate planning and deployment of DNSSEC
- Review WHOIS information
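The first two measures (SPF and DMARC records) are things a site owner can audit from its own DNS. The following added example, not part of the original article or OTA's scorecard, checks a domain's SPF and DMARC TXT records and flags the weak configurations (`+all`, `p=none`) that would still leave the domain open to spoofing; the domain names and records are constructed, and `lookup_txt` stands in for a real DNS query.

```python
# Constructed sample TXT records keyed by DNS name (not real domains).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "strong.example": ["v=spf1 mx include:_spf.mailprovider.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "none.example": [],
}

def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return records.get(name, [])

def check_spf(domain, records=SAMPLE_TXT):
    """Return (status, reason) for the domain's SPF record."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ("missing", "no v=spf1 record published")
    if len(spf) > 1:
        return ("invalid", "multiple SPF records; RFC 7208 permits only one")
    terms = spf[0].split()[1:]
    # The 'all' mechanism decides what happens to senders no other term matched.
    all_mech = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_mech is None:
        return ("weak", "no 'all' mechanism, unmatched senders default to neutral")
    if all_mech.startswith("+") or all_mech.lower() == "all":
        return ("weak", "'+all' authorizes any sender, so SPF rejects nothing")
    return ("ok", f"'{all_mech}' terminates the record")

def check_dmarc(domain, records=SAMPLE_TXT):
    """Return (status, reason) for the _dmarc.<domain> policy record."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.startswith("v=DMARC1")]
    if not recs:
        return ("missing", "no _dmarc TXT record published")
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ("weak", "p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject"):
        return ("ok", f"p={policy}")
    return ("invalid", "missing or unknown p= tag")

def audit(domain, records=SAMPLE_TXT):
    """Combine both checks into one report for a domain."""
    return {"spf": check_spf(domain, records), "dmarc": check_dmarc(domain, records)}
```

Replacing `lookup_txt` with a real resolver call turns this into a scan of your own domains and subdomains, which is how the first measure above would be verified in practice.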
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook.