Today, businesses who depend on the Internet for any portion of their revenue or marketing are struggling with more threats in the digital ecosystem than ever before.
Up to 90% of the code across consumer-facing websites is provided by digital third parties who drive advanced functionality like digital advertising, content recommendation and rich media galleries. Unfortunately, third parties also serve as the conduit for harmful activities including:
The average website contains hundreds of third-party domains which change from day to day, and up to 5% of them may serve a malicious purpose at any given time.
From a cybersecurity perspective, monitoring this code is tough: so tough that even businesses who are otherwise known for their commitment to customer safety (including credit card and financial service companies) will treat their mobile apps, websites and other online domains as an impenetrable black box.
Understandably, these businesses prefer to focus on threats that are easy to understand and mitigate (such as email attacks). If they spend any energy on digital, they will often make one or more of three mistakes:
1. Treating digital assets like a threat – rather than trying to protect their online domains from compromise, many businesses treat the domains themselves as a business risk, alongside any code executing on them.
Why it’s a mistake: when businesses treat their digital assets like radioactive hazards, they ensure that safety for the end user will never be improved. Ultimately this leads to unacceptable consequences for both the business and its customers, including negative publicity, loss of brand equity, identity theft and poor customer experience (CX).
2. Shifting the burden to the customer – instead of trying to protect their customers from the dangers inherent to compromised digital assets, many businesses will hide behind the shield of customer consent and “proceed at your own risk” non-liability contracts.
Why it’s a mistake: in some cases, customer consent will protect a business from liability when their digital properties are compromised. But this is far from a failproof solution since data privacy legislation is complex, and many off-the-shelf solutions for capturing customer consent are flawed. Worse still, consumers will consider it your fault even if the law does not: businesses have an ethical obligation to ensure that their products – websites and apps included – are safe for customers to use.
Why it’s a mistake: in the first place, these solutions do not truly isolate third parties, which can still collect information from customers and contact outside domains. As a website iterates, new third parties will also appear that are not included in the wrapper, which makes it a temporary and flawed solution at best.
Ultimately, nobody is responsible for controlling a digital property except the business that owns it, and businesses are losing the option to be indifferent. Data privacy legislation like the GDPR and CCPA has emerged precisely because businesses have been accountable to their customers.
When all the hacky workarounds have been recognized for what they are, it becomes clear that taking control of digital assets is the better way forward. It not only addresses the problem of threats in the digital ecosystem, but also helps businesses deal with cyber threats more comprehensively and effectively while building their bottom line:
If every business with an online presence woke up tomorrow and decided to take control of their digital ecosystem, not only would further data privacy legislation become unnecessary, but it would lead to better outcomes for brands and customers alike.
The key takeaway for your business is this: there are no shortcuts to opening the digital black box and unravelling its mysteries. Although doing so demands a short-term investment in time and effort, it leads to long-term gains, and businesses who wish to avail themselves of these gains should follow these steps:
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.