Hacktivists, cybercriminals, disgruntled employees and even students deface websites as a satisfying pastime. Much like spraying graffiti across a storefront or government building, cyber attackers deliver in-your-face messages to not only your market but also the internet at large. What’s worse is that you might not even know about it until customer complaints begin to roll in. Clearly, these are high stakes for a small or medium-sized business that relies on the internet as a revenue channel and brand ambassador.
Stakes in the Digital Economy
One percent of all websites have been hacked over the previous 18 months according to researchers at the University of California.[i] In addition, websites are, on average, attacked 22 times per day or more than 8,000 times per year, according to a report from SiteLock.[ii] This barrage of attacks includes websites supporting ecommerce, government agencies, school systems, corporate enterprises and more. Not only do cybercriminals target large companies, but they also go after small companies with fewer, if any, IT personal, making those websites even easier to crack.
The ability to hijack legitimate websites to execute individually-targeted malware attacks is easier than most IT/security professionals realize. The process to deliver customized, browser-rendered content is the same one leveraged by bad actors to target their campaigns. Unfortunately, traditional security tools—blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls—are proving inadequate defenses for today’s dynamic websites.
The Bullseye
In the current digital environment traditional security tools fail to keep up while security standards and best practices are woefully out of date, rendering general security practices ineffective against emerging threats.
Adding to this risky scenario is that securing a website is often an overlooked aspect of IT and one in which the complexities are almost always underestimated.
Typically, businesses only monitor their website’s owned and operated code, yet most consumer-facing sites adopt plug-ins and other third-party content services—video or image hosting, social widgets, analytics, data management platforms, payment processing, etc.—whose code execution is not readily visible to IT and, therefore, outside of their control. This third-party code, sometimes referred to as shadow IT, can account for almost 75% of a website’s code which means businesses only have a view into 25% of the code executing on their website. This shadow IT is a sizeable hole and one that opens the door to attackers who leverage its vulnerabilities to mount stealth attacks.
When third-party vendor code is compromised, so is the enterprise’s digital ecosystem. Control over the risks posed by digital solution providers can also make the difference between a secure user experience and a widespread malware attack. Regardless, the onus is on websites to embrace a security-first approach to design and user experience.
Security Starts with Your Partners
Applying a vendor risk management approach to digital assets is the first step to security. The internet is a highly-dynamic environment, requiring dozens of ever-changing vendors to serve content and execute functionality for each individual consumer. The big issue is getting a handle on exactly which vendors contribute code to the website. Websites should recognize their own code and second-party vendors that they work with, but will likely be in the dark regarding the third, fourth and fifth-party vendors called to execute any additional code.
Once these vendors are identified and documented, companies can establish and communicate policies that detail security, privacy and performance requirements. This will help protect the website operator from liability should a security incident or breach occur via compromised third-party code. With the digital policy in hand, you can monitor vendors for compliance and terminate relationships that don’t fall in line with your own risk policy.
Large and small companies alike need to be aware of the complexity of their own digital ecosystem in order to secure it. This is a challenge for not only security but also ensuring compliance with evolving data privacy laws and regulations. Taking every precaution to ensure the safety of customer data will protect not only the customers, but also the core business itself.
[i] http://jacobsschool.ucsd.ecu/news/news_releases/release.sfe?id=2396
[ii] https://blog.sitelock.com/2017/07/security-by-obscurity-q2-2017/
