RSA 2016 is underway with the tagline "Where The World Talks Security," but for the most part it’s just that—a lot of talk. Attendees, speakers and vendors have come from all over the world to share insight and new products with their security-minded peers, and there will certainly be a few novel takeaways as in years past, but who is serious about security and who is just putting on a show for potential clients and investors?
A few miles down the road from the event, here at UpGuard, we recently introduced a new Digital Reputation web scan tool. The scanner looks at a company's externally accessible footprint and analyzes it for a number of factors, such as basic web security, secure email communication, and even the CEO's favorability rating among employees. You can read more about its methodology here, but suffice it to say that all of these factors contribute in a non-trivial way to the company's future risk of a data breach or other damaging incident. Digital Reputation scores run from 0 to 950 and can be thought of as a credit score for web security. To take the tool for a spin, we put the URLs of the companies sponsoring and exhibiting at RSA through the wringer.
As anyone remotely involved in security can imagine, an externally derived score is just the tip of the iceberg and by no means a full evaluation of a company, but it can still be a useful indicator of potential problems under the hood. We also provide an internal, comprehensive scan of devices and servers, but for the purposes of this piece we're focusing solely on the external Digital Reputation score.
External Scanning as the Canary in the Coal Mine
Does the following list suggest that any given company can or cannot be trusted with customer data? Certainly not; it is by no means a declaration of their internal security practices. By the same token, though, many of these measures, such as SSL/TLS on the website or an SPF record for the mail domain, are cheap and/or relatively easy to implement, and they are highly visible to potential customers and partners, so it is hard to understand how so many companies managed to skip something so simple. Indeed, the absence of something as ubiquitous in 2016 as the SSL padlock is particularly glaring to a prospective customer.
Something we found interesting during this research is that there is really no correlation between market share, company size, or company value and a company's basic web security score. In fact, many of the worst performers are among the largest, highest-valued companies, while smaller and lesser-known firms are often among the top scorers. This gives credence to the idea that basic web security isn't limited to those with a large budget or excess manpower; it's either something companies care to do, or they don't.
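To make concrete what "externally visible" means for the two measures named above, here is an added example (not UpGuard's scanner or scoring method, and not code from the original post) that performs the kind of checks an outside observer can run against any domain: whether exactly one SPF record is published and how strict its terminal `all` mechanism is, whether the record stays under the ten-lookup limit, whether plain HTTP is redirected to HTTPS, and whether HSTS is sent with a meaningful `max-age`. The domain names and the DNS/HTTP observations are constructed inline so the script runs offline; the six-month HSTS floor is the commonly cited preload-list minimum, not a score threshold from the article.

```python
"""Externally observable checks of the kind a footprint scan performs: does the
domain publish a usable SPF record and how strict is it, and does the site send
visitors to HTTPS and keep them there with HSTS?  Added illustration with
constructed inputs; not UpGuard's scanner or scoring, and no network calls."""

import re
from typing import Dict, List, Optional

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 §4.6.4, limit 10).
_SPF_LOOKUP_TERMS = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)|^redirect=", re.IGNORECASE)


def find_spf(txt_records: List[str]) -> Optional[str]:
    """Return the domain's SPF record, or None if absent or duplicated
    (RFC 7208 §3: more than one 'v=spf1' record is a permanent error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_policy(record: str) -> str:
    """Classify the terminal 'all' mechanism: '-all' rejects unknown senders,
    '~all' only marks them, '?all' and '+all' let anyone spoof the domain."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(m.group(1), "pass")
    return "none"  # no 'all' term: unmatched senders are implicitly neutral


def spf_lookup_count(record: str) -> int:
    """Count lookup-causing terms; a record needing more than 10 is a permerror
    for receivers, which is worse than publishing no record at all."""
    return sum(1 for t in record.split()[1:] if _SPF_LOOKUP_TERMS.match(t))


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def redirects_to_https(status: int, headers: Dict[str, str]) -> bool:
    """True if the plain-HTTP response sends the client to an https:// URL."""
    location = _header(headers, "Location") or ""
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def hsts(headers: Dict[str, str]) -> Dict[str, object]:
    """Parse Strict-Transport-Security from the HTTPS response.  A missing header
    leaves every first visit open to an SSL-stripping downgrade."""
    value = _header(headers, "Strict-Transport-Security")
    result = {"present": value is not None, "max_age": None,
              "include_subdomains": False, "preload": False}
    if value is None:
        return result
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    for d in directives:
        if d.startswith("max-age="):
            try:
                result["max_age"] = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: browsers ignore the header
    result["include_subdomains"] = "includesubdomains" in directives
    result["preload"] = "preload" in directives
    return result


# Constructed observations for two hypothetical domains (not real scan data).
SAMPLE_DOMAINS = {
    "strict.example": {
        "txt": ["v=spf1 include:_spf.mail.example -all", "site-verification=abc123"],
        "http": (301, {"Location": "https://strict.example/"}),
        "https_headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    },
    "lax.example": {
        "txt": ["v=spf1 ip4:192.0.2.0/24 ~all"],
        "http": (200, {"Content-Type": "text/html"}),
        "https_headers": {"Server": "nginx"},
    },
}

HSTS_MIN_AGE = 15552000  # six months, the usual preload-list floor (assumption)


def scan_domain(obs: Dict) -> Dict[str, object]:
    """Combine the checks into the kind of findings a footprint scan reports."""
    spf = find_spf(obs["txt"])
    status, headers = obs["http"]
    h = hsts(obs["https_headers"])
    return {
        "spf_present": spf is not None,
        "spf_policy": spf_policy(spf) if spf else "none",
        "spf_lookups_ok": spf_lookup_count(spf) <= 10 if spf else False,
        "redirects_to_https": redirects_to_https(status, headers),
        "hsts_present": h["present"],
        "hsts_strong": bool(h["present"] and (h["max_age"] or 0) >= HSTS_MIN_AGE),
    }


if __name__ == "__main__":
    for name, observations in SAMPLE_DOMAINS.items():
        print(name, scan_domain(observations))
```

Against a live domain the inputs would come from a TXT lookup and two HTTP requests (one to `http://`, one to `https://`); everything else stays the same, which is the point: none of these checks needs any access beyond what a customer's browser or mail server already has.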
The following scores were calculated on February 26, 2016 and may change.
Give the tool a shot for yourself and check out some of the sites you frequent. (We keep surprising ourselves with what we find.)