Security Insights & Best Practices from the 2026 Digital Trust Index
While performance and accessibility define how users interact with your site, security defines whether they should interact with it at all. In an era where data breaches cost companies millions and consumer trust is at a historic low, your website's security is the ultimate proof of your commitment to your customers.
The Oshyn Digital Trust Index evaluates this through the Security pillar, which specifically measures the defenses your website dictates to a user’s web browser.
What is the Security Pillar?
Unlike backend server security, which focuses on protecting your data "behind the door," the Security pillar in our index focuses on browser-side security. It measures how your website is built to protect users from malicious third-party attacks that occur within their own browser sessions.
Security is often a binary field in our benchmarking: organizations are either very good at it, or they aren't, with very little middle ground. Interestingly, our research shows that companies in heavily regulated industries or those that have recently suffered a data breach tend to have the highest security scores, suggesting that the impetus to improve often comes from external pressure or hard-learned lessons.
What We Measure
We analyze the protocols and permissions that your website communicates to the browser to ensure a safe session. Key areas of focus include:
- Protocol Standards: Ensuring the site exclusively uses the secure HTTPS protocol rather than the outdated and vulnerable HTTP.
- Security Policies: The presence and configuration of a Content Security Policy (CSP) and a Permissions Policy to block malicious code injection.
- Browser Permissions: Controlling what hardware and data a website can access, such as geolocation, cameras, or microphones.
- Third-Party Integrity: Monitoring for HTTP and browser security flaws that could unknowingly expose users to external actors.
Key Security Insights
Security is the pillar users assume rather than consciously evaluate — until it fails. The 2026 data reveal a market still deeply divided, with Consumer Services registering the lowest score of any industry.
- Avg Security 2026: 39.68 (up from 37.63 in 2025)
- Median Security Score: 37.63 (sharply bifurcated)
- Score ≥ 75: 14.5% (strong performers)
- Score < 25: 28.5% (critical laggards)
Security remains the pillar users assume rather than actively evaluate. When it fails, it defines the entire experience. The 2026 data shows a market still divided, with modest improvement. Average security reaches 39.68, up from 37.63 in 2025. This gain is real, but it does not yet signal maturity at scale.
The distribution explains the issue. The median sits at 37.63, and the pattern remains clearly bifurcated. Only 14.5% of companies score 75 or higher, while 28.5% fall below 25. This creates two distinct realities. A small group operates with strong, consistent protection. A much larger group still shows critical exposure.
This is a structural gap. Security is improving, but not evenly. Leading organizations continue to advance, while a significant portion of the market remains behind. The gap persists.
Executive Takeaway
Security defines trust when it fails. The 2026 data shows limited progress and a persistent divide. A small group delivers strong protection, while many companies still operate with critical gaps. High-risk segments remain. Consumer Services stands out. It combines visibility and usability with weak security. This creates exposure at scale. Security at the browser level must be treated as a top priority.
No Middle Ground — The 2025 Finding Holds

The 2025 report highlighted a lack of middle ground in security. The 2026 data shows a different pattern. The distribution is now heavily skewed toward higher scores, with 61.1% of companies in the 50–74 range and 79.1% reaching 75 or above. Lower score segments are smaller, with 31.5% in the 25–49 range and only 5.8% in the critical band below 25.
From the 2025 Report
There isn't much middle ground in Security scores. Organizations are either very good or they aren't. High security scores are common among organizations in heavily regulated industries and among organizations with recent data breaches. The impetus to improve security might wear off with time.
2026 Update
Consumer Services averages only 16.4 on security in 2026 — the lowest of all industries with n≥5 — despite strong performance and SEO scores. Hotels, resorts, and restaurants are easy to find and fast to load, but are critically failing to protect the browser experience once users arrive.
Security by Industry

Household & Personal Products (55.0), Food, Beverage & Tobacco (48.6), and Semiconductors & Semiconductor Equipment (47.5) lead on security. These industries show stronger and more consistent implementation of browser-level protections, with fewer critical frontend gaps.
Commercial & Professional Services (46.8), Health Care Equipment & Services (44.7), and Transportation (44.0) also perform above the overall average of 39.68. These sectors maintain more stable security practices, though they still sit below top-tier levels.
Consumer Services (16.4) stands out as the most critical weakness. This industry includes high-traffic, user-facing platforms. Users can easily access these sites, but browser-layer protections remain very low.
Automobiles & Components (20.5) and Telecommunication Services (29.2) also require attention. These industries combine active user interaction with weaker security scores, increasing exposure to frontend vulnerabilities and user risk.
| Industry | 2025 Top-20% Security? | 2026 Avg Security | 2026 Avg R-Score | n |
|---|---|---|---|---|
| Household & Personal Products | No | 55.00 | 56.33 | 3 |
| Food, Beverage & Tobacco | Yes | 48.63 | 53.42 | 19 |
| Semiconductors & Semiconductor Equipment | No | 47.50 | 53.25 | 4 |
| Commercial & Professional Services | No | 46.83 | 58.17 | 6 |
| Health Care Equipment & Services | No | 44.68 | 55.95 | 40 |
| Transportation | No | 44.00 | 51.11 | 9 |
| Financial Services | Yes | 43.27 | 52.73 | 78 |
| Software & Services | Yes | 43.12 | 48.52 | 25 |
| Pharmaceuticals, Biotechnology & Life Sciences | Yes | 43.00 | 51.70 | 10 |
| Consumer Discretionary Distribution & Retail | No | 42.17 | 48.10 | 30 |
| Banks | Yes | 41.78 | 51.56 | 9 |
| Materials | No | 41.69 | 46.77 | 26 |
| Consumer Staples Distribution & Retail | Yes | 41.14 | 36.14 | 7 |
| Technology Hardware & Equipment | No | 41.00 | 52.80 | 5 |
| Capital Goods | No | 39.51 | 48.80 | 576 |
| Real Estate Management & Development | Yes | 39.00 | 55.33 | 9 |
| Utilities | No | 38.16 | 53.79 | 19 |
| Consumer Durables & Apparel | No | 36.67 | 39.83 | 6 |
| Energy | Yes | 36.42 | 50.44 | 52 |
| Insurance | No | 34.17 | 52.17 | 6 |
| Equity Real Estate Investment Trusts (REITs) | Yes | 30.00 | 42.00 | 7 |
| Media & Entertainment | No | 29.94 | 44.71 | 35 |
| Telecommunication Services | No | 29.20 | 39.40 | 5 |
| Automobiles & Components | No | 20.50 | 27.83 | 6 |
* Sorted by security score. 2025 column references the published top-20% security list from the 2025 DTI report.
When Security Improves, It Improves Decisively

Security improvements are uneven and, in several cases, significant. Semiconductors & Semiconductor Equipment (+15.0) and Transportation (+15.4) show the strongest gains, followed by Food, Beverage & Tobacco (+9.3) and Commercial & Professional Services (+7.7). These industries are making meaningful progress in strengthening their security posture.
Other sectors show moderate improvement. Financial Services (+4.9), Software & Services (+3.5), and Pharmaceuticals, Biotechnology & Life Sciences (+2.8) reflect steady but controlled gains. Household & Personal Products (+1.7) and Health Care Equipment & Services (+1.7) show limited movement.
Consumer Discretionary Distribution & Retail (+0.2) remains nearly flat, indicating minimal progress.
This pattern does not show uniform improvement. Some industries are making strong advances, while others move slowly or remain stagnant. Security progress is real, but inconsistent across the market.
Tips and Best Practices for Improving Security
Building a secure digital experience requires a proactive approach that anticipates threats before they manifest as breaches.
- Enforce Site-Wide HTTPS: Use the HTTPS protocol across your entire website—not just on login or checkout pages—to ensure all data flowing between the server and the browser is encrypted.
- Implement a Robust CSP and Permissions Policy: A Content Security Policy (CSP) and a Permissions Policy are the highest-leverage steps for browser-side security. These tell the browser exactly which scripts and plugins are trusted, preventing malicious code injection.
- Apply the Principle of Least Privilege: Regularly review website permissions and disable access to hardware like microphones, cameras, or geolocation for any scripts that do not strictly require them.
- Vet Third-Party Providers: Only use web elements—such as video players, analytics, and embeds—from trusted providers to minimize the risk of supply-chain attacks.
- Maintain Proactive Compliance: Stay current with data security laws (like GDPR and CCPA) and regularly update cookie security and privacy policies. These are often the first visible security signals to both regulators and users.
- Prioritize Prevention Over Recovery: Don't wait for a breach to improve your posture. While companies often improve rapidly after an incident, it comes at the high cost of reputational damage and the difficult task of rebuilding fractured trust.
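As an added example (not part of the report, and not the Digital Trust Index's scoring method), the first three tips can be checked mechanically by auditing the headers a site sends to the browser. The sample header sets below are constructed, and the function names and finding strings are assumptions chosen for illustration.

```python
# Added example: audit browser-facing security headers.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation")
# Constructed sample responses, not taken from any real site.
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(self)",
}


def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def parse_permissions_policy(value):
    """Split a Permissions-Policy header into {feature: allowlist}."""
    pairs = (item.strip().partition("=") for item in value.split(","))
    return {name.strip().lower(): allow.strip() for name, sep, allow in pairs if sep}


def audit_headers(headers):
    """Return findings for one response's headers (header names in any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("no HSTS header")
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when it is absent.
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        findings.append("CSP does not restrict script sources")
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        weak = [s for s in sources if s in ("'unsafe-eval'", "*")
                or (s == "'unsafe-inline'" and not strict)]
        findings += [f"CSP script sources allow {s}" for s in weak]
    declared = parse_permissions_policy(h.get("permissions-policy", ""))
    findings += [f"Permissions-Policy does not set {f}" for f in SENSITIVE_FEATURES
                 if f not in declared]
    return findings
```

Calling `audit_headers(WEAK)` returns five findings and `audit_headers(HARDENED)` returns none; a feature the Permissions-Policy header does not set falls back to the browser's default allowlist rather than being blocked.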
By prioritizing these browser-level safeguards, brands can provide a secure environment where users can engage with confidence, knowing their digital safety is a top priority.

