
American banks are failing to keep secure

Websites run by some of the largest banks in the US have scored the poorest in a new security and privacy analysis audit.

The non-profit Online Trust Alliance (OTA) anonymously audited more than 1,000 websites, ranking their security and privacy practices. None of the sites investigated knew about the test.

In the organisation’s Online Trust Audit & Honor Roll for 2017, many US banks were among the worst for security and privacy. The industry had both the most failing grades and the fewest “Honor Roll” recipients.

For firms to receive the Honor Roll award, they must achieve an overall score of 80% or higher across three categories: consumer protection, security and privacy. A failure in any of the three categories rules a firm out entirely.

52% of the 1,000 sites tested qualified for the Honor Roll. It marks an overall 5% improvement from 2016. “The internet economy runs on data,” OTA founder Spiezle told NBC News. “If this data is not secure and users have negative experiences, this ultimately threatens the future growth and revenue potential of the internet.”

US banks: not so safe

Look away now if you’re a US banking customer, as only 27% of the 100 largest banks in the country made the grade. The figure represents a 28% drop from 2016. According to the OTA, the sector had been showing signs of improvement. Yet, due to “increased breaches, low privacy scores and low levels of email authentication,” things have slipped.

The American Bankers Association (ABA) questions the results. Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, told NBC that banks “absolutely take privacy and security very seriously”.


Honor Roll vs. failure rate of top US companies. Source: OTA


The ABA insists that OTA figures indicating 24% of banks had a data breach in 2016 are false. “We’ve always been looked at as a model for security,” added Johnson, “held out as a template for other sectors to abide by in terms of security.”

Given that the ABA was famously hacked mere moments after it revealed it was taking part in 2015’s CyberSecurity Awareness Month, its statement might not be a great comfort. “The ABA takes data security very seriously,” a sheepish statement from the group read at the time. “We also recognise that despite significant security measures, breaches can and do occur.”

Large banks were found to have moderately good website security (17% of failures) but dropped the ball when it came to their email security (45%) and privacy (34%).

A workman and his tools

Phil Lieberman, CEO of Lieberman Software, a US security company, responding to an IBS Intelligence article from last month, said of bank security: “Most of the serious intrusions are from dumb mistakes made by companies that are easily remediated by a consistent approach to managing access, security and looking for significant anomalies.

“Countermeasures are simple and effective such as air gaps, rate limiting, IP reputation, and improving identity management.

“Other simple ideas like compartmentalisation, security classification of assets and access, and the management of privileged identities and access provide large ROI and reduction of losses.”

by Alex Hamilton
Alex is Senior Reporter at IBS Intelligence, follow him on Twitter or contact him at: alexanderh@ibsintelligence.com