FTSE-100's websites not secure, not safe

How safe are the FTSE-100’s websites?

In autumn 2018, Trustify posed the question “How safe is their website?” about the entire FTSE-100, the UK’s top 50 accountancy firms, the UK’s top 50 insurers and the UK’s top 100 law firms. The results were as unexpected as they were disappointing.

The timing

At that time, Google had announced that Chrome 70 (the world’s most used browser) would start to penalise sites which did not have https. The original threat was that Chrome would not display the sites at all. In practice, many of them came with a huge health warning which meant users were instructed not to share data with those sites. If your site took a traffic hit at this point in time or bounce rates increased – this may well be why.

The method

Trustify looked at the corporate websites of the FTSE-100, Accountancy Age’s top 50, The Lawyer’s top 100 (from its Lawyer 200 survey) and Insurance Day’s top 50. We visited each site and asked three main questions:

• Did the site have a security certificate (i.e. was it https, not http)?

• Did the site default to that https site if you typed in the URL without www., https or http?

• Did the site use an LEI certificate (to ensure that people really knew the identity of the organisation they were communicating with)?

We asked several more technical questions, but based our rankings on these alone.
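One way to automate the three checks above (an added example, not Trustify’s own tooling): the scoring functions are pure and work on recorded observations, while `observe()` collects them live for one hostname. The rule that an EV certificate is recognised by `businessCategory` plus `serialNumber` in the subject, and the 0 to 3 scoring scale, are assumptions.

```python
import socket
import ssl
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class SiteObservation:
    https_ok: bool      # TLS handshake on port 443 succeeded with a validated chain
    final_urls: dict    # URL a user might type -> URL the browser actually lands on
    cert_subject: dict  # flattened subject of the leaf certificate

def flatten_subject(peercert):
    """Turn ssl.getpeercert()'s nested ((('k', 'v'),), ...) subject into a dict."""
    return {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}

def validation_level(subject):
    """DV: only commonName. OV: organizationName present. EV: additionally
    businessCategory + registration serialNumber (assumed from the EV Guidelines)."""
    if "businessCategory" in subject and "serialNumber" in subject:
        return "EV"
    return "OV" if "organizationName" in subject else "DV"

def lands_on_https(final_urls):
    """Every entry point (bare domain, www., plain http://) must end on https."""
    return bool(final_urls) and all(
        urlparse(u).scheme == "https" for u in final_urls.values())

def rank(obs):
    """0 = no HTTPS; 1 = HTTPS exists; 2 = also redirects every entry point; 3 = also EV."""
    if not obs.https_ok:
        return 0
    return 1 + int(lands_on_https(obs.final_urls)) \
             + int(validation_level(obs.cert_subject) == "EV")

def observe(host, timeout=5):
    """Live collection for one hostname (needs network access)."""
    try:
        with socket.create_connection((host, 443), timeout) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            https_ok, subject = True, flatten_subject(tls.getpeercert())
    except OSError:  # refused, timed out, or certificate failed validation
        https_ok, subject = False, {}
    finals = {}
    for entry in (f"http://{host}", f"http://www.{host}"):
        try:
            with urllib.request.urlopen(entry, timeout=timeout) as resp:
                finals[entry] = resp.geturl()
        except (OSError, ValueError):
            finals[entry] = entry  # unreachable counts as "not redirected"
    return SiteObservation(https_ok, finals, subject)
```

`rank(observe("example.com"))` runs the live version; the constructed observations in the accompanying checks show the scale without any network access.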

Objections

The test isn’t perfect. First, Chrome is not everyone’s default browser. However, it is the world’s most used and so represents the daily experience of the user on the street. Next, some certificates are worth more than others. We agree. But this is not a naked attempt to sell our certificates; rather, it is to highlight that some organisations have decided to leave their front door open. Certificates aren’t the be-all and end-all of website security. We could not agree with you more. But they are the canary in the coal mine: if you haven’t secured your domain name, you’re unlikely to have tackled the deeper and more challenging aspects of your cybersecurity. The test does provide a level playing field: everyone has a corporate website and everyone has one on their Wikipedia page. Every organisation has a default site listed at the top of Google’s brand search results. It is within their remit and capability to make sure that this front door is secured. We did not, for instance, check the related sites for FTSE entities, or law firms’ extranet sites. We provide that service for organisations [here].

Findings


FTSE-100 cyber security

My client, Trustify, conducted a survey this weekend and found that one in five FTSE 100 company websites is unsecured and that several professional firms’ websites will not work properly from Wednesday when the latest version of Google Chrome goes live.

Steve Boland, CMO at Trustify, the web security and business authentication company says: “This is a business-critical issue for these organisations. Losing traffic means lost revenues in most cases. But it can also mean fewer crimes being reported, people losing access to life-saving information and workers unable to access their organisation’s systems remotely.” Other findings in the Trustify.com survey:
  • One in five FTSE 100 websites is not secure – and so they are opening themselves to potential GDPR fines
  • Many insurance, legal and accountancy firms present their cyber service provider credentials while simultaneously ignoring their own web security – some of these sites will not work on Wednesday morning
  • On over 1,000 major UK websites, many sub-domains are NOT SECURE and open to data being intercepted, including deal rooms, mobile sites, and email log in areas
  • A failure to resolve this will invalidate your D&O cover
  • And it won’t be covered by your cyber risk insurance either
“They can quickly fix the problem if they have their website certified the right way – so it’s not too late to avoid having a dud website tomorrow and potentially receiving a GDPR fine,” explains Boland.

-ends-

Trustify (https://www.trustify.com/) is the web security and business authentication company based in Central Scotland. Trustify includes many major brands in its client base and has issued over 800,000 certificates to date. The FTSE 100 is as at the October 2018 constituent update, the legal list is taken from The Lawyer 200, the insurers list from Insurance Times top 50 and accountants from Accountancy Age’s top 50.

Ten percent of the largest insurers do not have a secure website

– World’s two largest insurance brands both have unsecured websites and yet promote cyber resilience on their home page

Trustify carried out a survey over the weekend of 20/21 October, analysing the privacy of websites among the leading players in several industries: insurance, legal, retail, accountancy as well as the FTSE 100. Please note all findings are as at 17:00 BST on 21 October 2018.

This Wednesday, at 8am BST, the rollout of Chrome 70 will mean that many sites are no longer secure for consumers and clients. Chrome will not display them as a result. This is the latest in Google’s attempts to boost consumer digital trust. From Wednesday, it will no longer recognise some previously issued certificates, meaning many websites are no longer considered safe for data sharing (e.g. credit cards, job applications, forms and log-ins).

For insurers

• Ten percent of the top insurers do not have a secure website.

• Eleven of the largest insurers get full marks: Aviva, Hiscox, Esure, MunichRe, and Prudential are among those who have in place strategies to keep the exchange of data secure. These eleven (22%) have EV SSL certificates, which validate that the company is who it says it is, helping prevent copycat website attacks such as the recent one delivered via the British Airways website. This is the highest proportion of any industry/sector surveyed by Trustify for this report.

• Worryingly, an additional 4% of the top 50 insurers use free SSL certificates. These free certificates are often exploited by phishers and copycats, as they were in the recent British Airways attack.

• Some of the world’s largest insurers promote their cyber security practices on unsecure web pages.

For insureds

• Thousands of UK business websites will stop working tomorrow when Chrome (the world’s most used browser) updates.

• A data-negligent failure to resolve this will almost certainly invalidate your D&O cover and cyber risk insurance.

Steve Boland, CMO of Trustify comments:

“Other industries look to insurance to take a lead on pricing risk and mitigating risk, so to have 10% of the main players not taking internet security seriously is disappointing. Those insurers looking to promote their cyber security credentials need to quickly move to EV certificates where the organisation or enterprise is validated as the rightful owner of a site. This will engender trust with clients and customers and is a critical part of them promoting their own cyber security credentials.

“All but one of these major insurers have downloads or forms on their website. Providing these when there’s no security in place opens the organisations up to potential exposure to GDPR fines.

“Given the sheer volume of their business conducted online now, both B2C and B2B, it’s essential that insurers get on top of this issue as soon as possible. Additionally, commercially, in terms of SEO rankings, it could well be the difference between first place and nowhere. Those five sites who don’t provide secure websites are taking a rankings hit on Google (because Google rewards https with a higher ranking) which may well lead to a loss of new customer business.

“Interestingly, the global No.1 and No.2 brands in the insurance sector (both of which are outside this survey) display as not secure whilst they also both promote Cyber Resilience on their home page.”
