Michael Bittner

Web Security and Revenue: Why Protecting Your Digital Domain Isn’t Optional

Talking about web security with executives is difficult: to many, it’s an abstract subject mired in Greek. Cross-Site Scripting, SQL Injection, third-party code – who knows what that is and who cares? But it’s hard to be flippant when you realize how much a modern organization’s revenue depends on the security of its website. After all, more than 80% of consumers research a business online before they’ll pay for a product or service.

That part of the equation should be obvious. A website is a universal storefront reached through SERPs: a centralized hub for advertising, customer support, reviews, user resources and so much more. Without a website, some businesses have no revenue whatsoever across eCommerce, publishing, and some entertainment niches.

But for the sake of this article, let’s talk about the way web security impacts everyone – yes, everyone, from news organizations to car companies and global conglomerates –  beginning with one simple observation:

Consumers Care About Security

Consumers may not be careful with their credit cards, but they care about the security of a business – so much, in fact, that 84% of them won’t make purchases from a site without SSL or some other security certificate. That’s right: one little icon in the corner of a web browser can make or break a company’s bank account.

Imagine how they feel about data breaches. Better yet, look at the numbers: according to Security Magazine, 36% of consumers would stop engaging with a brand after a publicized breach, and 78% would stop interacting with it online. This roughly corresponds to the drop in revenue organizations experience in the aftermath of a breach.

Don’t think it can happen to you? Last year, the chance of experiencing a breach climbed to 29.6% from 27.9% in 2018. The chances are increasing every year, and most of them happen through domains compromised by malware or malicious actors.

Prevention is Cheaper Than Treatment

As we’ve just established, brands pay for lax web security through lost business. They also pay the price of remediation, which comes in the form of payouts, back-charges, investigations and patching up their digital properties. This “learn-as-you-go” approach is a major setback, costing an average $8.19 million in the U.S.

The old saying that “an ounce of prevention is worth a pound of cure” definitely applies on the Internet. Ten years of web security investment in encryption, scanning and blocking is cheaper than waiting for disaster to strike and recovering over a period of months.

Data Privacy Fines Are Real

Emerging data privacy legislation around the world – from GDPR to CCPA – comes with fines for any organization that allows its user data to be stolen or compromised. Before GDPR went into effect, there was plenty of idle speculation that its fines couldn’t be enforced. But time has revealed otherwise, as fines exceeding $200 million were issued last year against organizations not located in Europe.

With talks of similar legislation on a federal level in the U.S, brands and publishers around the world can no longer ignore the fact that protection for their digital properties is not optional. The cost of lax web security was exorbitant long before GDPR: now it can bankrupt an organization.

Attacks Are Common

It’s cliché that technology moves faster than businesses can keep up with it, but it’s a true cliché. If executives aren’t concerned about web security, it’s probably because their minds are stuck in the 1990s when “hacking” was an exotic word, and the concept of web attacks was a far-off possibility.

Today – thanks to the web’s open design, the propagation of third-party code (3PC) and widespread digital literacy – web attacks are depressingly common. For instance, security researchers have long known that 90% of the login attempts across eCommerce sites originate from cyber criminals.

But it doesn’t take any kind of skill to breach modern websites – in fact, it barely requires stealth. 3PC – in the form of advertising, content recommendation, media code and JavaScript libraries – provides a simple route between malicious actors and a website’s userbase. It also constitutes 80 – 95% of the code across major websites.

Now that 1 in 5 ads are infected with some form of malicious code, the chance that any website will be subjected to an attack on any given day is nearly 100%. It should be clear that businesses who don’t take web security are literally gambling with their revenue, customers and investors.