Article originally posted on Forbes.
This year has been a watershed for rising cybersecurity awareness. Following attacks involving SolarWinds, Kaseya, Colonial Pipeline and a Florida water-treatment center, businesses and consumers are becoming warier of ransomware, data breaches and foreign cyber actors than ever before.
In 2020, more than 30 billion records were compromised in data breaches, and over the past year, the cost of ransomware attacks has increased by an estimated 300%. In order to change direction, good intentions won’t be enough. Today’s CEOs and legislators must be prepared to address our cybersecurity crisis at the root: an unregulated digital ecosystem that is full of vulnerable code.
Moving Past Email
Whenever a major cybersecurity incident has occurred in the past, it has been common for cybersecurity influencers to warn about the dangers of email. True, many ransomware attacks have begun when unsuspecting employees clicked on a malicious link sent to them by strangers.
But while the danger of email is real, it isn’t the only source of cybersecurity risk, nor is it the worst. Focusing on email alone leaves organizations blindsided when attacks come through a different channel. Before the attack involving SolarWinds, very few businesses were watching their software supply chain. Now, supply chain issues have gained the spotlight, culminating in an executive order from the Biden administration that aims to ramp up vendor scrutiny throughout federal organizations. This is an encouraging and necessary change in direction — but it’s just the tip of the iceberg.
The Web Supply Chain
Third-party code is now the norm on the web rather than the exception. It is present across websites and mobile applications, and it often handles the bulk of user-facing functionality. Examples include:
- Shopping cart and payment features.
- Video and media rendering.
- Advertising and monetization.
- Chat and customer support.
- Customer relationship management.
Like third-party software in an enterprise environment, third-party code isn't without risks. In recent history, I've seen third-party code used to launch card-skimming attacks across thousands of websites, steal sensitive information through digital wallets and collect the IP addresses of web users in preparation for a future cyberattack.
In July, nearly 65% of websites contained some vulnerability related to third-party code. Despite this, very few businesses pay attention to the vendors that are present across their digital properties. If that doesn’t change, I believe this oversight will remain a serious threat to consumers and businesses.
Why Web Is More Dangerous Than Email
Through third-party assets, the web can be used by malicious actors to track, target and deliver malware payloads to users. That means there’s essentially nothing malicious actors can accomplish through email that they can’t also accomplish by targeting websites and mobile applications.
But unlike email, the web doesn't have a spam filter, and many people spend five or more hours on their mobile devices per day. This makes phones an ideal channel not only for phishing, ransomware and other common styles of cyberattack, but also for more insidious attacks. For instance:
- The creation of massive botnets for DDoS attacks.
- Collection of sensitive information from government leaders, executives and other individuals in a position of power.
- Reconnaissance against organizations as an entry point for further data collection and attacks.
- Activities targeted toward children, minorities and other vulnerable groups.
From my perspective, these systemic vulnerabilities in our “digital ecosystem” have gone mostly ignored for a long time. But as the social and monetary cost of malicious cyber activity increases, organizations can’t afford to ignore it any longer.
Embracing Consumer Responsibility
In 2021, I’m finding that businesses are still struggling to embrace their responsibility to consumers. While tentative steps have been taken in the form of responsible advertising and data privacy legislation, I believe these are ultimately half measures when the greatest risk to their privacy, financial security and personal safety goes unaddressed.
Unmonitored third-, fourth- and fifth-party code can leave consumers completely open to surveillance and attacks through their mobile devices and web sessions, whether they’re browsing social media, news and entertainment sites, or even their favorite brands. To ensure the sustainability of the web as a marketing channel, businesses will have to take responsibility for this problem.
In the long term, we’re overdue for a conversation between legislators, law enforcement officers and business leaders about the risks in our web supply chain. In the short term, organizations should take their moral obligation to customers seriously and put their safety first. By simply monitoring digital assets for malicious activity, they will be taking a big step in the right direction.