On June 16, the Online Trust Alliance, an industry group focused on developing and encouraging best practices in online security and privacy, announced that a recent audit of approximately 1,000 websites showed that 46% failed to implement standard best practices for security and privacy.  Notably, 80% of the top 50 news sites and 76% of the top 50 Internet of Things (“IoT”) sites received failing grades. 

The 2015 Online Trust Audit & Honor Roll is the industry group’s seventh annual review of website security and privacy.  The approximately 1,000 websites audited included sites for e-commerce, banks, U.S. federal government agencies, social networking, news and media, and IoT providers of home automation and wearable technologies.  The review scored each site in three categories of best practices:  domain, brand, and consumer protection; site, server, and infrastructure security; and data protection, privacy, and transparency.  To earn a position on the Honor Roll, a website must receive a composite score of at least 80% and score at least 55% in each of the three categories. 

Of the websites evaluated, 44% earned a place on the Honor Roll (a further 10% did not receive failing grades but did not merit an Honor Roll position).  Overall, this is an improvement over the 2014 audit, which awarded honors to only 30% of sites.  The best performing sites were social media and e-commerce sites.  News sites, with a failure rate of 80%, were the worst performers.  Federal government sites, under increased scrutiny in the wake of the recent data breach at the Office of Personnel Management, were the third-worst performers, with a 54% failure rate.

Perhaps more concerning were IoT sites, 76% of which failed the audit.  IoT sites were not evaluated in previous years, and the Online Trust Alliance’s report attributes the high failure rate to poor domain and email authentication support.  The report also suggests that the failure to adopt certain technical best practices may be a result of the prevalence in the IoT industry of “small startup companies as well as mature companies making their first entry into data collection.”  It should be noted that the audit examined only the IoT companies’ websites and not the security and privacy practices implemented in the IoT devices themselves, so a failing grade says nothing directly about device firmware or device-to-cloud communications.  Nevertheless, in an industry where the security and privacy of data are likely to be a major focus, any failure to implement best practices can be a cause for concern.  The Online Trust Alliance website provides resources for IoT companies interested in improving their performance.
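The "email authentication support" the report points to is, in practice, published in DNS: an SPF record on the domain itself and a DMARC record at `_dmarc.<domain>`, with a DMARC policy that actually enforces (quarantine or reject) rather than merely monitors (none).  The following is an added example, not code from the Online Trust Alliance or from the audit, and it assumes that SPF and DMARC are the relevant checks; the page itself does not list the audit's exact criteria.  The domains and TXT records are constructed for illustration, and the `lookup` callable stands in for a real DNS resolver so the script runs offline.

```python
"""Offline SPF/DMARC posture check against constructed DNS TXT records.

Added example (not from the audited sites or the OTA report). The
SAMPLE_TXT_RECORDS dictionary replaces live DNS; swap `sample_lookup`
for a function that returns the TXT strings of a name to use it for real.
"""
from dataclasses import dataclass, field

# Constructed sample data: hypothetical domains, not real audit results.
SAMPLE_TXT_RECORDS = {
    "good-iot.example": [
        "v=spf1 include:_spf.mailhost.example -all",
        "site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "_dmarc.good-iot.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good-iot.example",
    ],
    "weak-iot.example": [
        "v=spf1 a mx +all",  # '+all' lets any host send as this domain
    ],
    "_dmarc.weak-iot.example": [
        "v=DMARC1; p=none",  # monitoring only, nothing is enforced
    ],
    "missing-iot.example": [],  # publishes neither record
}

SPF_QUALIFIERS = "+-~?"


@dataclass
class Assessment:
    domain: str
    spf_ok: bool
    dmarc_ok: bool
    notes: list = field(default_factory=list)


def sample_lookup(name):
    """Stand-in resolver: return the TXT strings published at `name`."""
    return SAMPLE_TXT_RECORDS.get(name, [])


def find_spf(records):
    """Return the single SPF record, or None if absent or duplicated.

    RFC 7208 treats more than one 'v=spf1' record as a permanent error,
    so duplicates are reported as 'no valid record'.
    """
    spf = [r for r in records if r.split(" ")[0].lower() == "v=spf1"]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf_record):
    """Return the qualifier ('+', '-', '~', '?') on the 'all' mechanism.

    Returns None when no 'all' mechanism is present.
    """
    for term in spf_record.split()[1:]:
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier
    return None


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, lookup):
    """Check that SPF ends in -all/~all and DMARC enforces a policy."""
    notes = []
    spf = find_spf(lookup(domain))
    if spf is None:
        spf_ok = False
        notes.append("no single valid SPF record")
    else:
        qualifier = spf_all_qualifier(spf)
        spf_ok = qualifier in ("-", "~")
        if not spf_ok:
            notes.append(f"SPF 'all' qualifier is {qualifier!r}; expected '-' or '~'")

    dmarc = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        dmarc_ok = False
        notes.append(f"no single DMARC record at _dmarc.{domain}")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "").lower()
        dmarc_ok = policy in ("quarantine", "reject")
        if not dmarc_ok:
            notes.append(f"DMARC policy is {(policy or 'missing')!r}; not enforcing")
    return Assessment(domain, spf_ok, dmarc_ok, notes)


if __name__ == "__main__":
    for name in ("good-iot.example", "weak-iot.example", "missing-iot.example"):
        result = assess_domain(name, sample_lookup)
        print(f"{name}: spf_ok={result.spf_ok} dmarc_ok={result.dmarc_ok} {result.notes}")
```

The check deliberately treats `p=none` as a failure even though it is a valid DMARC deployment step, because a monitoring-only policy does nothing to stop a spoofed message; a site that has stalled at `p=none` is exactly the kind of partial adoption an audit of this sort would flag.  DKIM is not checked here because its selector names are not discoverable from DNS alone.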