A Vancouver-based Web site that sells flooring materials has again placed itself on the Online Trust Alliance’s Top 50 Honor Roll, proving that Canadian companies can be among global leaders in security, consumer protection and privacy practices.
BuildDirect.com, which ships laminate planks and tiles from six warehouses across Canada and the U.S., made it onto the roll for the third time, out of the more than 1,000 global sites audited, which allows the site to display the alliance’s Honor Roll logo.
The OTA, which announced this year’s list on Tuesday, breaks its annual audit into a number of categories. Toronto-based bookseller Indigo Books and Music was listed among the top 500 Internet retailers.
The OTA, now a branch of the Internet Society, is an industry association that promotes best practices so consumers will have confidence in doing business online. Every year it audits over 1,000 Web sites around the world, including non-members, for their consumer protection, security and privacy protection practices.
It isn’t easy for a Canadian company to be considered. To winnow the sites down to a manageable number, the audit is restricted to the 2017 Internet Retailer top 500 sites, the top 100 banks operating in the U.S., the top 100 consumer services sites, the top 100 news and media sites and the top 100 Internet service providers, carriers and hosters, as determined by a number of agencies. So, for example, several of Canada’s biggest banks are eligible.
In an email the alliance said it recognizes that the methodology does tend to favour sites with global sales or high site traffic.
To qualify for Honor Roll a site had to receive a composite score of 80 per cent or better and a score of at least 60 per cent in three categories: domain, brand and consumer protection; site security and resiliency; and data protection, privacy and transparency. All analysis was done anonymously without the active participation of the sites being analyzed.
Fifty-two per cent of analyzed websites qualified for the Honor Roll, a five per cent improvement over 2016. However, the alliance says there’s also “an alarming three-year trend:” Sites either qualify for the honor roll or fail the audit. They “increasingly either take privacy and security seriously and do well in the audit, or they lag the industry significantly in one or more critical areas.”
The consumer services category (including social media, file sharing and dating sites) scored the highest, with 76 per cent of the sites examined earning the Honor Roll designation. The banking category (defined as the biggest 100 banks operating in the U.S.) scored lowest, with 27 per cent making the Honor Roll.
“Despite ratcheting up the criteria needed to qualify for the 2017 Honor Roll, it was encouraging to see the highest percentage of recipients since OTA began the Trust Audit nine years ago,” OTA founder and chairman emeritus Craig Spiezle said in a statement. “While OTA congratulates all Honor Roll recipients, many others have a long way to go to ensuring and embracing acceptable security and privacy practices.”
Inadequate email authentication was the primary cause of sites not achieving honours, including 55 per cent of the banks. Inadequate privacy policies were the second largest cause of failures, affecting more than 34 per cent of the banks. For banks the primary issue was the use of a standardized privacy disclosure form which didn’t address all core audit criteria.
By comparison consumer sites had a much higher level of transparency in their privacy disclosures with only four per cent failing for the same reason.
You don’t have to be on the Honor Roll or even a member of the OTA to improve security and privacy on your site. The following best practices were used in the audit:
–use of HTTP Strict Transport Security (HSTS), Always On SSL, or HTTPS Everywhere;
–email authentication using Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) records. OTA recommends the use of email authentication at the top-level (or “corporate”) domain (TLD) as well as any other domains used for sending email or that might be used to fool consumers;
–use of domain locking to ensure domain ownership can’t be transferred without the owner’s permission;
–adoption of Domain Name System Security Extensions (DNSSEC), which helps prevent man-in-the-middle attacks;
–adoption of IPv6;
–proper implementation of Secure Sockets Layer (SSL) / Transport Layer Security (TLS) with strong cipher suites;
–having a mechanism for the public and researchers to report site vulnerabilities;
–having a privacy and data retention policy.
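To make the email authentication and HSTS items on that list concrete, here is an added example (not from the OTA or its audit report) that evaluates a site's SPF record, DMARC record and HSTS header the way an operator could check their own domain before an outside audit does. The domain, DNS TXT records and response header are constructed, and the pass thresholds (an enforcing DMARC policy, a one-year HSTS max-age) are this example's assumptions rather than the OTA's published scoring.

```python
import re
# Constructed sample data for a hypothetical domain; not real DNS or HTTP results.
SAMPLE_DOMAIN = "example-store.test"
SAMPLE_TXT = {
    "example-store.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.example-store.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-store.test"],
}
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

def parse_spf(txt_records):
    """Return (record, qualifier of its 'all' mechanism), or (None, None) without SPF."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            return rec, ((m.group(1) or "+") if m else None)
    return None, None

def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None if no v=DMARC1 record is present."""
    for rec in txt_records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None

def hsts_max_age(headers):
    """Return max-age (seconds) from the HSTS header, or 0 if the header is absent."""
    m = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""), re.I)
    return int(m.group(1)) if m else 0

def audit(domain, txt_lookup, headers):
    """Evaluate the list's SPF, DMARC and HSTS items; thresholds are this example's assumptions."""
    spf, qualifier = parse_spf(txt_lookup.get(domain, []))
    dmarc = parse_dmarc(txt_lookup.get("_dmarc." + domain, []))
    policy = (dmarc or {}).get("p", "none").lower()
    return {
        "spf_present": spf is not None,
        "spf_enforcing": qualifier in ("-", "~"),  # -all or ~all, not +all / ?all
        "dmarc_present": dmarc is not None,
        "dmarc_enforcing": policy in ("quarantine", "reject"),
        "hsts_one_year": hsts_max_age(headers) >= 31536000,
    }

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_DOMAIN, SAMPLE_TXT, SAMPLE_HEADERS).items():
        print(f"{check:16} {'PASS' if ok else 'FAIL'}")
```

Replacing the constructed dictionaries with the results of real TXT lookups and an HTTPS response to your own site gives a quick self-check against the same items the audit scores.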
Read the full report and requirements here.