In April 2019 the Internet Society’s Online Trust Alliance published its 10th annual Online Trust Audit & Honor Roll assessing the security and privacy of 1,200 top organizations. The Banking sector includes the top 100 banks in the U.S., based on assets according to the Federal Deposit Insurance Corporation (FDIC). Banks had a standout year, with a dramatic increase in scores across the board. Let’s take a closer look.
Overall, 73% of banks made the Honor Roll, putting the banking sector 4th behind the News and Media (78%), Consumer Services (85%), and the U.S. Federal Government (91%) sectors. In the previous Audit, only 27% made the grade. This large jump is due to improvements in all three scoring categories: email authentication, site security, and privacy.
Banks, like most sectors, came close to 100% adoption in the two main email security technologies studied in the Audit: SPF (93%) and DKIM (87%). In addition, banks saw a marked improvement in how many sites implemented both technologies, at 87% in 2018, up from 60% in 2017. This puts banks among the most improved sectors in this area.
DMARC builds on the SPF and DKIM results, provides a mechanism for feedback reports, and tells receivers how to handle messages that fail authentication. Banks also did well in DMARC adoption, with the second highest adoption rate (70%) of any sector, behind only the U.S. Federal Government (93%).
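To make concrete how DMARC "builds on" SPF and DKIM, here is an added example (not code from the Audit or the Internet Society) of the check a receiving mail server performs: parse the domain's DMARC record, test whether an authenticated identifier aligns with the From: domain, and otherwise apply the published policy. The domain example-bank.test, the record and the authentication results are constructed sample data, and the organizational-domain logic is simplified.

```python
# Constructed sample record for the hypothetical domain example-bank.test
# (values chosen to show strict DKIM alignment and relaxed SPF alignment).
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example-bank.test")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value' pairs and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")         # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real receivers consult the Public Suffix List; kept simple here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, policy_domain: str, from_domain: str,
             spf: tuple, dkim: tuple) -> tuple:
    """Apply the DMARC check a receiver performs.
    spf/dkim are (result, domain) pairs: SPF's domain is the MAIL FROM domain,
    DKIM's is the d= tag of a signature that verified.
    Returns (dmarc_result, disposition, report_address)."""
    pol = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, pol["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, pol["adkim"])
    rua = pol.get("rua")                 # where aggregate feedback reports go
    if spf_ok or dkim_ok:                # one aligned pass is enough
        return "pass", "none", rua
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return "fail", pol["sp"] if is_subdomain else pol["p"], rua
```

A message whose SPF passes only for an unrelated bulk-mailer domain and whose DKIM signature is for a subdomain fails under the strict adkim setting, so the receiver rejects it and reports the failure to the rua address.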
Though banks did well in overall site security (and led in areas such as the lowest occurrence of cross-site scripting), there were a few areas for improvement. They had by far the highest rate of malware on their sites (10%, vs. an overall average of 2%). They also had one of the lowest adoption rates for a vulnerability reporting mechanism (6% vs. an overall average of 11%). In light of recent large data breaches, it is especially important to give security researchers an efficient way to report vulnerabilities.
Like most sectors, banks did not fare well in privacy. The Audit tracks privacy in two ways: by the number of trackers on a site, and by analyzing the site’s privacy statement. In terms of trackers, banks did well. They were among the top scorers with 44 of 45 available points. (The score is derived using publicly available software to analyze how many trackers each site uses; the fewer bad trackers, the higher the score.) Though there was marked improvement from the prior Audit, banks still lagged, like most sites, in their privacy statements. Banks had a privacy statement score of only 25 out of 55, towards the low end of the spectrum.
The primary cause of failures was in sharing and data retention language. Only 22% of banks had language about data sharing, lower than the overall average across sectors. While most sites fared poorly in data retention language, banks were particularly bad. No banks had satisfactory data retention language in their privacy statement. Given the sensitivity of data that banks have, it is important that there be some kind of data retention language.
How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy. Then read the report, view the infographic, or watch the recap video to learn more!