Today, businesses who depend on the Internet for any portion of their revenue or marketing are struggling with more threats in the digital ecosystem than ever before.
Up to 90% of the code across consumer-facing websites is provided by digital third parties who drive advanced functionality like digital advertising, content recommendation and rich media galleries. Unfortunately, third parties also serve as the conduit for harmful activities including:
- Malicious advertising
- Unwanted redirects
- Phishing attacks on website visitors
- Debilitating UX issues
- Compromised shopping carts
The average website contains hundreds of third-party domains which change from day to day, and up to 5% of them may serve a malicious purpose at any given time.
Bad Coping Mechanisms
From a cybersecurity perspective, monitoring this code is tough: so tough that even businesses who are otherwise known for their commitment to customer safety (including credit card and financial service companies) will treat their mobile apps, websites and other online domains as an impenetrable black box.
Understandably, these businesses prefer to focus on threats that are easy to understand and mitigate (such as email attacks). If they spend any energy on digital, they will often make one or more of three mistakes:
1. Treating digital assets like a threat – rather than trying to protect their online domains from compromise, many businesses treat the domains themselves as a business risk, alongside any code executing on them.
Why it’s a mistake: when businesses treat their digital assets like radioactive hazards, they ensure that safety for the end user will never be improved. Ultimately this leads to unacceptable consequences for both the business and its customers, including negative publicity, loss of brand equity, identity theft and poor customer experience (CX).
2. Shifting the burden to the customer – instead of trying to protect their customers from the dangers inherent to compromised digital assets, many businesses will hide behind the shield of customer consent and “proceed at your own risk,” non-liability contracts.
Why it’s a mistake: in some cases, customer consent will protect a business from liability when their digital properties are compromised. But this is far from a failproof solution since data privacy legislation is complex, and many off-the-shelf solutions for capturing customer consent are flawed. Worse still, consumers will consider it your fault even if the law does not: businesses have an ethical obligation to ensure that their products – websites and apps included – are safe for customers to use.
3. Putting a band-aid on the problem – other businesses try to isolate the behavior of third-party code through a JavaScript wrapper or Consent Management Platform (CMP) rather than address the root of the problem.
Why it’s a mistake: in the first place, these solutions do not truly isolate third-parties which can still collect information from customers and contact outside domains. As a website iterates, new third-parties will also appear that are not included in the wrapper, which makes it a temporary and flawed solution at best.
Ultimately, nobody is responsible for controlling a digital property except the business that owns it, and businesses are losing the option to be indifferent. Data privacy legislation like the GDPR and CCPA has emerged precisely because businesses have been accountable to their customers.
The Key to Cyber
When all the hacky workarounds have been recognized for what they are, it becomes clear that taking control of digital assets is a better way forward that not only addresses the problem of threats in the digital ecosystem, but also helps businesses to comprehensively deal with cyber threats in a more effective manner while building their bottom line:
- Improved reputation : customer protection contributes to a reputation for brand integrity which leads to customer loyalty and repeat business.
- Better protection : by protecting digital assets, businesses gain knowledge of their digital properties which positions them to better defend against other cyber threats
- Revenue growth: digital third-parties scrape your customers for information that provides them with a competitive advantage. By removing harmful partners, brands learn more about their customers while consolidated customer intel for their own use.
If every business with an online presence woke up tomorrow and decided to take control of their digital ecosystem, not only would further data privacy legislation become unnecessary, but it would lead to better outcomes for brands and customers alike.
Opening the Digital Black Box
The key takeaway for your business is this: there are no shortcuts to opening the digital black box and unravelling its mysteries. Although doing so demands a short-term investment in time and effort, it leads to long-term gains, and businesses who wish to avail themselves of these gains should follow these steps:
- Have board-level conversations about defending against malicious/unknown third parties. Make digital security part of your company’s culture
- Scan for the presence of third-party code across your digital properties on a daily basis, and do the work to figure out who is present on your domains at all times
- Vet every third-party before allowing them onto your website
- Remove bad partners as soon as their malicious activity is detected; likewise, identify trustworthy partners and make sure to protect them
- Report bad third parties upstream to make sure they are removed from the digital ecosystem