Building Trust 27 November 2019

Deep Dive: A Look at Top Retailers’ Security Practices

By Kenneth Olmstead, Former Senior Internet Security and Privacy Expert

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Online Trust Audit and Honor Roll. One of the longest-running sectors covered in the Audit is online retail. In this post we look at the top 500 online retailers in the US, ranked by online sales, and how they fare against the security best practices OTA advocates.

Overall, 65% of online retailers in the top 500 made the Honor Roll this year, a marked improvement over 2017, when just over half (51%) did. With the holidays approaching, many consumers will do much of their shopping online, so it is more important than ever that every online retailer practices good email and site security. After all, consumers send highly sensitive data such as credit card numbers and addresses at a much higher rate during the holidays.

In site security, retailers fared well, as did most sites. Fully 92% of the top 500 online retailers have AOSSL/HSTS (always-on SSL with HTTP Strict Transport Security) on their sites, virtually the same as the 91% of sites overall. The good news this year is that this is a significant increase over the 38% that had AOSSL/HSTS in 2017. The bad news is that anything short of 100% among these top online retailers remains concerning, given the information consumers enter into these sites when they shop.

In email security, most retailers also did well. Two technologies, SPF and DKIM, let receiving mail servers verify that a message claiming to come from a retailer was actually authorized by that retailer, so users are not receiving forged or spoofed email. Fully 86% of retailers implemented SPF (compared to 89% of organizations overall). Here again the trend is positive: in 2018, 75% of online retailers had SPF. DKIM adoption also rose; in 2018, 83% had DKIM, up significantly from 53% in 2017. Where retailers did not do well in email security, however, was DMARC.

DMARC builds on SPF and DKIM by telling receiving mail servers what to do with a message that fails authentication. Just 34% of online retailers implemented DMARC, well below the 50% of sites overall. There was also little improvement over 2017, when 33% had implemented it. This stagnation in DMARC adoption is disappointing given that online retailers have improved in other areas.
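The three email-authentication checks discussed above, as an added Python example that is not code from the Audit or this post: it runs over constructed DNS TXT records for a hypothetical domain `shop.example` (no network lookups), classifies the SPF record by its `all` qualifier, checks for a DKIM selector record, and reads the DMARC `p` policy to show why SPF and DKIM alone do not tell receivers to act on a failure.

```python
import re
# Constructed DNS TXT data for a hypothetical retailer domain (no network lookups;
# names and values are made up for this example).
SAMPLE_DNS = {
    "shop.example": ["v=spf1 include:_spf.mailer.example -all"],
    "s1._domainkey.shop.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
    "_dmarc.shop.example": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@shop.example"],
}

def parse_tags(record):
    """Split a DKIM/DMARC 'tag=value; tag=value' string into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_status(txt_records):
    """Classify SPF: missing, invalid (two records is a permerror), or by its 'all' qualifier."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0])
    qualifier = match.group(1) if match else "+"  # no 'all' term defaults to neutral
    return {"-": "hardfail", "~": "softfail"}.get(qualifier, "no-enforcement")

def dmarc_policy(txt_records):
    """Return the DMARC 'p' policy (none/quarantine/reject) or None when none is published."""
    for record in txt_records:
        tags = parse_tags(record)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None

def assess_domain(dns, domain, dkim_selectors):
    """Run the SPF, DKIM and DMARC checks the Audit reports on for a single domain."""
    dkim_names = [f"{sel}._domainkey.{domain}" for sel in dkim_selectors]
    dkim = any(parse_tags(r).get("v", "").upper() == "DKIM1"
               for name in dkim_names for r in dns.get(name, []))
    policy = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    return {
        "spf": spf_status(dns.get(domain, [])),
        "dkim": dkim,
        "dmarc": policy,
        # SPF/DKIM let receivers detect spoofing; only a DMARC policy tells them to act on it.
        "spoofing_enforced": policy in ("quarantine", "reject"),
    }
```

With the sample data the domain publishes SPF and DKIM but a DMARC policy of `p=none`, so `spoofing_enforced` is False: exactly the gap the 34% DMARC figure describes.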

It is no longer the case that only tech companies need to be concerned about data security. All companies run on data, retailers more so than ever. Not securing a consumer-facing site with SSL is unacceptable in 2019, as is not using proper email authentication. No business is immune from breaches, and users need to know their information is safe when making online purchases.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
