Talking about web security with executives is difficult: to many, it's an abstract subject mired in Greek. Cross-Site Scripting, SQL Injection, third-party code – who knows what that is and who cares? But it’s hard to be flippant when you realize how much a modern organization’s revenue depends on the security of its website. After all, more than 80% of consumers research a business online before they’ll pay for a product or service.
That part of the equation should be obvious. A website is a universal storefront reached through SERPs: a centralized hub for advertising, customer support, reviews, user resources and so much more. Without a website, some businesses have no revenue whatsoever across eCommerce, publishing, and some entertainment niches.
But for the sake of this article, let’s talk about the way web security impacts everyone – yes, everyone, from news organizations to car companies and global conglomerates – beginning with one simple observation:
Consumers may not be careful with their credit cards, but they care about the security of a business – so much, in fact, that 84% of them won’t make purchases from a site without SSL or some other security certificate. That’s right: one little icon in the corner of a web browser can make or break a company’s bank account.
Imagine how they feel about data breaches. Better yet, look at the numbers: according to Security Magazine, 36% of consumers would stop engaging with a brand after a publicized breach, and 78% would stop interacting with it online. This roughly corresponds to the drop in revenue organizations experience in the aftermath of a breach.
Don’t think it can happen to you? Last year, the chance of experiencing a breach climbed to 29.6% from 27.9% in 2018. The chances are increasing every year, and most of them happen through domains compromised by malware or malicious actors.
As we’ve just established, brands pay for lax web security through lost business. They also pay the price of remediation, which comes in the form of payouts, back-charges, investigations and patching up their digital properties. This “learn-as-you-go” approach is a major setback, costing an average of $8.19 million per breach in the U.S.
The old saying that “an ounce of prevention is worth a pound of cure” definitely applies on the Internet. Ten years of web security investment in encryption, scanning and blocking is cheaper than waiting for disaster to strike and recovering over a period of months.
Emerging data privacy legislation around the world – from GDPR to CCPA – comes with fines for any organization that allows its user data to be stolen or compromised. Before GDPR went into effect, there was plenty of idle speculation that its fines couldn’t be enforced. But time has revealed otherwise, as fines exceeding $200 million were issued last year against organizations not located in Europe.
With talk of similar legislation at the federal level in the U.S., brands and publishers around the world can no longer ignore the fact that protection for their digital properties is not optional. The cost of lax web security was exorbitant long before GDPR: now it can bankrupt an organization.
It’s cliché that technology moves faster than businesses can keep up with it, but it’s a true cliché. If executives aren’t concerned about web security, it’s probably because their minds are stuck in the 1990s when “hacking” was an exotic word, and the concept of web attacks was a far-off possibility.
Today – thanks to the web’s open design, the propagation of third-party code (3PC) and widespread digital literacy – web attacks are depressingly common. For instance, security researchers have long known that 90% of the login attempts across eCommerce sites originate from cyber criminals.
Now that 1 in 5 ads are infected with some form of malicious code, the chance that any website will be subjected to an attack on any given day is nearly 100%. It should be clear that businesses that don’t take web security seriously are gambling with their revenue, customers and investors.
The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety. Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats.