The hand that rocks the data rules the world
By Chris Olson, CEO of The Media Trust
Money may equal power, but in the digital landscape user data is the only real currency. Back in the day the bad guys robbed brick-and-mortar banks. Fast forward to today, and the bad guys now sit at desks (or recline in beach chairs) lurking behind the scenes tracking, trailing, and hijacking valuable information about your website and mobile app users. What’s the big deal? In a nutshell, wherever there’s data, there’s also significant risk and companies must take immediate measures to better protect the information collected, used and/or shared via consumer-facing digital assets or face a publicity nightmare, lawsuits or worse.
Securing Digital Assets
As security teams lead digital transformation efforts, they need to understand that their websites and mobile apps are where security and data concerns converge. For in the internet age you can’t address one without the other. A key component of digital asset security is identifying all parties whose code executes in the website or mobile app and evaluating their relevance to digital content delivery, including their collection of personal data. At the same time, compliance with the various regulatory regimes requires identifying and securing all user data, especially data that flows through enterprise websites and mobile apps. A failure in either security or data protection is almost always due to a failure in the other.
Constant breaches, along with evolving data protection requirements like GDPR and the upcoming California Consumer Privacy Act (CCPA), have already exposed the lack of effective digital asset governance across enterprises, with several investigations underway and the beginnings of financial penalty announcements. What’s interesting is that the majority of these investigations are due to the breach provision of various regulations where consumer data is not properly secured. And while it may seem like GDPR is just an EU regulation, it can gravely impact US companies with European operations. A new era has dawned and protecting consumers in the wake of major data breaches is now a requirement. Yet, digital assets continue to collect personal data, often without the knowledge of the host enterprise.
The Code Conundrum
Traditionally, businesses of all types, and especially those at the enterprise level, have not had comprehensive visibility into their websites and mobile apps. Data collectors and cybercriminals are typically the only two parties with sufficiently sophisticated knowledge of the dynamic code required to target consumers and render today’s customized user experience, and therefore the know-how to exploit it. Armed with this insight, cybercriminals are able to exploit the code while evading detection. They use this expertise to collect data from one website and then retarget consumers through another website or channel, e.g., email. Complicating matters is the fact that anywhere from 50-95% of the code on websites or mobile apps is provided by third-party vendors who operate outside the enterprise IT infrastructure and are not visible to enterprise IT teams.
This reliance on third-party code creates a false sense of security because most IT professionals believe they are responsible only for the code they contribute—own and operate—to the digital asset, which in reality is only a small fraction of what the consumer experiences. With such a high level of cyber exposure in all levels of business operations, it’s imperative that company leaders not only pay attention, but begin taking immediate action to mitigate the many risks involved with actual operation and management of the holistic digital asset—basically, adapting third-party vendor risk management for the digital environment.
Shirking cyber responsibility in the beginning is easy, but the hard part comes when vulnerabilities are leveraged and embarrassingly exposed to the public. In most instances, the failure to enforce vendor management policies can and has gravely damaged the reputation and bottom line for organizations who don’t manage their digital vendors. And the same is true for companies that drag their feet when it comes to reporting on breaches. Even in the wake of GDPR, 2018 saw minimal improvement in the time it took organizations to publicly disclose such an event, with the average reporting time remaining around 48 days.
For a little more perspective on the issue, take a moment to consider how factories used to operate. During the heyday of the first industrial revolution, people would put their factories on the river to facilitate waste removal. Fast forward to the present, and regulations now exist to prevent this kind of mindless pollution. Today any company caught illegally dumping waste would be put out of business. While it may sound like an extreme example, dumping factory waste into the river is not unlike neglecting security policies that should be designed to protect both the general public and corporate revenues. Similar to the institution of environmental protection laws, public pressure is leading to the advent of data protection laws, and soon there will be no acceptable excuses for security and data protection failures in websites and mobile apps.
Effective security and vendor management policies treat every component of a corporation’s digital asset like it’s going to instantly become part of a hostile takeover. When security leaders keep this mantra in mind, it becomes much easier to design and plan accordingly. The challenge for most businesses is that they now have to pay attention to which suppliers are involved in their digital environments, how they’re operating, or what kind of security practices they might have in place (if any).
Companies like Yahoo and Equifax, along with other big-name companies, restaurants, and government agencies, are now paying for that oversight.
Legal Oversight – Authorities are paying attention
The recent 3ve and Methbot botnet case, in which eight individuals were indicted for their roles in widespread digital advertising fraud, is a prime example of how the FBI is working towards better data protection and regulation.
It’s not just the large enterprises being scrutinized; app developers are getting their share of the spotlight as well. The average mobile app contains 18 software development kits (SDKs), which means that the likelihood of unethical data collection beyond performance analytics is far greater than it seems. The recent fiasco in which app developers were handing over data to Facebook even if the app user was not a registered Facebook member, or if Facebook never asked for the data, is a prime example.
Selecting Security-minded Suppliers
It all centers around a basic risk management tenet: Companies need to know who they’re doing business with. It’s essential to understand the impact that each and every supplier could possibly have on a business’ digital assets. Aligning standards and expectations with each vendor means that the organization’s entire digital ecosystem gets a whole lot safer. While it won’t completely eliminate risk, it will drastically cut it, and will also free up security teams to spend more time mitigating and responding to issues rather than constantly reacting to crisis management scenarios. It’s no longer acceptable for companies to ignore the fact that they have a website or an application that often contains dozens of vendors and hundreds of lines of unique code to render a single page. Because most of this code is created and maintained through the supply chain, ignoring security policies is simply not an option.
Securing the Digital Supply Chain
Companies can shore up their digital security posture by taking a few basic steps to gain more insight and control of their digital assets:
1. Know your digital vendors. This means identifying each and every supplier and continuously vetting the supplier to gain as much insight as possible into their security policies, and then ensuring that they’re aligned with the organization.
2. Develop policies for digital vendors through third-party vendor risk management. In-depth security policies should be able to prove that a company has taken due care in securing customer data and complying with new data security regulations, rather than merely appeasing some new standard or regulation.
3. Enforce policies. Communicate policies across every aspect of your digital supply chain, and not just the 5% of code the company might actually manage through a contracted relationship. Once policies are put in place, vendors must be monitored in order to maintain compliance; and if they don’t adhere to security policies, then they should be well aware of the ramifications, including being excluded from the supply chain. Wrangling control of the corporation’s dynamic digital ecosystem is hard, but the preventive effort can prove to be a competitive advantage as well as a brand enhancement for customers.
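The three steps above start with one concrete question: which hosts does a page actually pull code from, and are they on the approved-vendor list? The script below is an added illustration written for this article, not a tool from The Media Trust. It parses a page with Python's standard library, resolves every script, iframe, stylesheet and image reference to a host, splits the hosts into first-party and third-party, flags any third party whose domain is not on the approved list, and derives a Content-Security-Policy script-src directive that admits only the approved script hosts. The sample page, the vendor names and the approved list are constructed for the example; the registrable-domain logic is simplified to the last two labels, whereas a production tool should use the Public Suffix List.

```python
"""Inventory third-party hosts loaded by a page and check them against an
approved-vendor list.  Added example for this article; not the author's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make a browser fetch (and for script, execute)
# content from another origin.  Deliberately small for the example.
LOADING_ATTRS = {"script": "src", "iframe": "src", "link": "href", "img": "src"}


def registrable_domain(host):
    """Simplification: treat the last two labels as the registrable domain.
    Real tooling should consult the Public Suffix List (co.uk, etc.)."""
    return ".".join(host.lower().split(".")[-2:])


class HostCollector(HTMLParser):
    """Records every host referenced by a loading attribute, resolving
    relative and protocol-relative URLs against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.hosts = {}  # host -> set of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_name = LOADING_ATTRS.get(tag)
        if attr_name is None:
            return
        attr = dict(attrs)
        src = attr.get(attr_name)
        if not src:
            return
        # Only <link> variants that actually fetch a resource.
        if tag == "link" and (attr.get("rel") or "").lower() not in {"stylesheet", "preload"}:
            return
        absolute = urljoin(self.page_url, src)
        host = urlparse(absolute).hostname
        if host is None:  # data:, javascript: and similar carry no host
            return
        self.hosts.setdefault(host.lower(), set()).add((tag, absolute))


def inventory(page_url, html, approved_vendors):
    """Return a report with first-party hosts, third-party hosts and the
    third parties whose registrable domain is not on the approved list."""
    collector = HostCollector(page_url)
    collector.feed(html)
    site = registrable_domain(collector.page_host)
    approved = {v.lower() for v in approved_vendors}
    report = {"page_host": collector.page_host, "first_party": {},
              "third_party": {}, "unapproved": []}
    for host, refs in sorted(collector.hosts.items()):
        bucket = "first_party" if registrable_domain(host) == site else "third_party"
        report[bucket][host] = sorted(refs)
        if bucket == "third_party" and registrable_domain(host) not in approved:
            report["unapproved"].append(host)
    return report


def script_src_directive(report):
    """Build a CSP script-src value allowing 'self' plus every host that
    serves a script and is either first-party or an approved vendor."""
    hosts = sorted(
        host
        for bucket in ("first_party", "third_party")
        for host, refs in report[bucket].items()
        if host != report["page_host"]            # covered by 'self'
        and host not in report["unapproved"]
        and any(tag == "script" for tag, _ in refs)
    )
    return "script-src 'self' " + " ".join(hosts)


# Constructed sample page and vendor list (hypothetical names).
SAMPLE_PAGE_URL = "https://www.shop-example.com/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/app.js"></script>
<script src="//static.shop-example.com/js/cart.js"></script>
<script src="https://tag.approved-analytics.example/collect.js"></script>
<script src="https://cdn.ad-network.example/ads.js"></script>
<script src="data:text/javascript,console.log(1)"></script>
</head><body>
<iframe src="https://widget.chat-vendor.example/embed"></iframe>
<img src="https://px.unknown-tracker.example/p.gif?u=123">
</body></html>
"""
APPROVED_VENDORS = ["approved-analytics.example", "chat-vendor.example"]

if __name__ == "__main__":
    rep = inventory(SAMPLE_PAGE_URL, SAMPLE_HTML, APPROVED_VENDORS)
    for host in rep["third_party"]:
        status = "UNAPPROVED" if host in rep["unapproved"] else "approved"
        print(f"{host:40} {status}")
    print(script_src_directive(rep))
```

Run against the constructed page, the report lists two first-party hosts, four third-party hosts, and flags the ad network and the tracking pixel as unapproved; the derived directive omits the unapproved ad script, so deploying it would stop that code executing while the vendor question is resolved. In practice the input would be the rendered DOM (third-party tags routinely inject further tags at runtime), and the inventory should be re-run continuously rather than once, which is the monitoring the third step calls for.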
About the Author
Chris Olson co-founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable Digital Risk Management. Chris has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams. Prior to The Media Trust, Chris created an Internet-based transaction system to research, buy and sell media for TV, radio, cable, and online channels. He started his career managing and setting up security structures for equity and fixed income electronic trading desks for Salomon Brothers, Citibank and Commerzbank.