S'pore firms lag in online protection

Fewer popular Web domain owners in Singapore authenticate e-mail or have strong protection for Web surfing compared to global sites, new scorecard shows.

SINGAPORE--Top organizations in the country are lagging behind their international peers in terms of protecting consumer interests and brand recognition online, according to a new report.

Fewer than a third, or 30 percent, of owners of Singapore's top 100 most-visited Web domains authenticate outgoing e-mail, while just 2 percent secure their online transactions with Extended Validation Secure Sockets Layer (EV SSL), executives at the Online Trust Alliance (OTA) said at a briefing here Monday.

In contrast, 91 percent of the top 100 most frequently accessed retail sites worldwide authenticate their e-mail. Some 55 percent of Fortune 100 companies do likewise.

E-mail authentication, by guaranteeing the identity of e-mail senders, has long been advocated as a way to fight spam and phishing. It has also been touted as a means to improve mail filters to minimize or eliminate the problem of false positives, where legitimate e-mail is wrongly classified as junk. Internet e-mail services such as Google's Gmail, Microsoft's Hotmail and Yahoo Mail have all adopted some form of e-mail authentication.

OTA e-mail authentication scorecard
Country/segment                  Rate (percent)
Internet retail 100              91
Fortune 100                      55
Top 100 North American banks     43
U.S. government agencies         43
Australia                        40
Singapore                        30
India                            30
Malaysia                         29
Indonesia                        27
Vietnam                          16
Source: Online Trust Alliance, October 2009

For its e-mail authentication scorecard, OTA studied outgoing e-mail from the owners of the top 100 Web domains in Singapore, as tracked by Web statistics company Alexa. Local brands in the top 100 include DBS Bank, National University of Singapore and the Singapore Exchange.

Manish Goel, director at OTA and CEO of e-mail security vendor BoxSentry, noted that authentication is a "fundamental building block" that all organizations should adopt.

Coupled with reputation accordance, e-mail authentication would allow receiving entities to tell--based on information submitted by e-mail server administrators--who and where an e-mail came from, and assign the relevant level of security measures, such as blocking images within the message.

E-mail authentication, Goel added, involves some work obtaining DNS (Domain Name System) records, but otherwise carries "no external costs" to implement.

While Singapore's e-mail authentication rate was comparable to its Asian peers, its score leaves "significant room for improvement" given that it is recognized as an ICT leader in the region, Goel pointed out. The island-state's education and government sectors fared above average: 43 percent and 35 percent of the organizations in the respective industries authenticate their outbound e-mail.

In the financial services sector, 29 percent of organizations in Singapore have deployed e-mail authentication. E-commerce and Internet-related companies were next on the list, at 27 percent. Just 22 percent of commercial entities authenticate their outgoing e-mail.

EV SSL adoption low in S'pore
Another scorecard released by the OTA showed that just 2.4 percent of the Singapore 100 have implemented EV SSL, which is an improvement over the SSL browser certification technology. Some domains were discounted as they did not require login information from users.

This adoption rate was "not very good", said Craig Spiezle, OTA's executive director. The top 100 Internet retail sites worldwide had an EV SSL adoption rate of 13.3 percent, while the top 100 sites rated by Twinkle Magazine in the Netherlands registered a rate of 12.1 percent. German banks led the global pack with a staggering 80.3 percent EV SSL adoption.

In absolute terms, only two Singapore sites among the 100 had implemented the newer browser certification technology, he said. One was an e-commerce site, while the other belonged to a government organization.

Goel added that in the context of financial institutions, EV SSL played a role in deterring man-in-the-middle attacks. As EV SSL certification requires information such as tax records and a physical address, there is a higher degree of certainty for consumers that the organization they are transacting with is legitimate.

According to Goel, the low adoption could be due to a lack of awareness. EV SSL certificates also cost "significantly more" than SSL certificates.

Authentication for all outbound e-mail and implementation of EV SSL certificates for all e-commerce and consumer financial services sites are among 13 key principles the OTA established in April to foster online trust and protect personal data of consumers.

Also Monday, the Direct Marketing Association of Singapore announced that it would support the OTA's online trust principles. Association Chairman Lisa Watson said the body for marketers would not mandate compliance with all of OTA's principles or set a specific timeframe to do so, but would educate its membership to adhere where appropriate.

DMA currently requires its members, comprising 55 companies and five individuals, to adhere to a Code of Practice, and is working to update its guidelines to reflect digital channels, added Watson.