Digital Shadow IT is a Big Problem

Authored by Chris Olson, CEO of The Media Trust.  

Websites aren’t what they used to be. It seems that a few years ago, consumers just clicked on a link and bought their desired products. This has now transformed into a fully-fledged user experience replete with product research, video displays, reviews, image libraries, advertising and so much more. Accommodating customer needs and creating this rich tapestry of virtual promotional content and merchandise requires a variety of functionality. These new functionalities, however, are not as homegrown as they once were, presenting a bevy of risks to the enterprise. Managing these new-found digital risks starts with knowing who executes in your environment at all times in order to ensure it is free of malware, performance-sapping vendors, and privacy-violating data collection activities.

Third-party code is out of control

The digital environment has experienced a paradigm shift. At one time 90% of all code executing on a typical website was owned and operated in house. Today, that figure has almost been completely inverted with anywhere from 50% to 95% of code now provided and managed by third parties that deploy their applications outside of the purview of the website operator’s IT, data privacy and security infrastructures. Unknown to and unmanaged by IT, this third-party code becomes a significant contributor to the “digital shadow IT” problem.

The problem with digital shadow IT is that it is frequently targeted by hackers and cybercriminals who—hoping to evade detection—continuously probe those applications for vulnerabilities to inject malicious code. 

It happens more than you think. In 2018 alone, multiple content management systems, website analytics and tools, and online chat features were infiltrated and/or spoofed to profile visitors and inject malware onto devices of consumer, corporate and government-affiliated individuals. 

Trust is not a security policy

Many enterprises rely heavily on third-party services to render their websites and applications. From data management platforms, content delivery networks, automated marketing services, video hosting platforms, product reviews, to social media tools and more, third-party code permeates almost every consumer-facing website and mobile app. The problem is that these services can unintentionally function as a conduit for malware and latency, as well as surreptitiously monetize and track consumers' behavior on the site. Because they operate outside the enterprise cybersecurity infrastructure, the website operator’s IT or marketing teams have no visibility or control over this vendor activity, nor what the consumer sees in their browser.

As more consumers use digital channels to search, compare and buy goods, the industry needs to adopt quality and security best practices. A hacked website, even for a few hours, results in lost transactions—those few hours negatively affect consumer confidence, which can translate into millions of dollars of lost revenue.

Better control yields better results

To protect the brand and ensure a safe browsing experience, enterprises must establish and maintain a strong website security posture as defined by standard IT/Infosec practices. Strong governance sets the processes and cadence for detecting the presence, identifying the actions, and evaluating the validity of the third-party vendors.

Prevention boils down to deployed policies and processes that help curtail the odds of an attack based on known entities and confirmed threats. However, that becomes more complex with unknown entities or yet-to-be-confirmed threats.

6 Questions to drive better website security

The ability to effectively secure a website requires intricate command of the technology, processes and vendors needed to render pages that not only meet revenue goals but do so without compromising the user experience. This means websites must be free of malware, performance-sapping vendors and privacy-violating data collection activities.

The best defense is information. The ability to identify third-party vendors (and the fourth and fifth-party vendors they call) is half the battle. Continuous monitoring of the website from your customers’ points of view will detect all executing vendors, and how these vendors and/or their actions—specifically the domains executed and cookies dropped—change according to user geography, OS/browser, device and established internet behavior profile.

Collecting the right vendor intelligence will help enterprises answer the following six questions about each vendor contributing to their Digital Shadow IT:

  1. Who is executing on my website?
  2. What requested functionality is the vendor providing?
  3. Who in my organization requires/authorizes this functionality?
  4. Does the vendor execute additional unwarranted functionality, e.g., social media widgets dropping cookies, video platforms tracking user behavior beyond the session or backend analytics launching executables?
  5. Do these vendor activities comply with company and regulatory policies?
  6. How and when does the authorized behavior change?
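The six questions above applied to recorded page loads, as an added example that is not part of the original article. It assumes each load was captured as a list of requests with the initiating host and the cookies set; the hosts, cookie names, profiles and inventory format are all constructed for illustration.

```javascript
// Constructed sample: requests per visitor profile; "initiator" is the host whose code made the request.
const FIRST_PARTY = "shop.example";
const observed = {
  "US/desktop": [
    { host: "shop.example", initiator: null, cookies: ["session"] },
    { host: "chat.vendor-a.example", initiator: "shop.example", cookies: ["chat_id"] },
    { host: "reviews.vendor-b.example", initiator: "shop.example", cookies: [] },
  ],
  "DE/mobile": [
    { host: "shop.example", initiator: null, cookies: ["session"] },
    { host: "chat.vendor-a.example", initiator: "shop.example", cookies: ["chat_id", "uid_track"] },
    { host: "sync.vendor-c.example", initiator: "chat.vendor-a.example", cookies: ["sync"] },
  ],
};
// Hypothetical inventory: approved host -> internal owner and permitted cookies.
const inventory = {
  "chat.vendor-a.example": { owner: "support", cookies: ["chat_id"] },
  "reviews.vendor-b.example": { owner: "marketing", cookies: [] },
};
// 3 = loaded directly by the page, 4 = loaded by a third party, and so on.
function partyDepth(host, requests) {
  let hops = 0;
  const seen = new Set();
  while (host !== FIRST_PARTY && !seen.has(host)) {
    seen.add(host);
    hops++;
    const r = requests.find((x) => x.host === host);
    if (!r || !r.initiator) break; // unknown initiator: treat as loaded directly
    host = r.initiator;
  }
  return hops === 0 ? 1 : hops + 2;
}

// Questions 1, 3, 4 and 5: who executes, who owns it, what exceeds approval.
function audit(requests) {
  return requests.filter((r) => r.host !== FIRST_PARTY).map((r) => {
    const entry = inventory[r.host];
    const allowed = entry ? entry.cookies : [];
    return { host: r.host, party: partyDepth(r.host, requests), owner: entry ? entry.owner : null,
             unapprovedCookies: r.cookies.filter((c) => !allowed.includes(c)) };
  });
}

// Question 6: findings in one profile that the baseline profile did not show.
function changes(base, other) {
  const key = (f) => `${f.host}|${f.unapprovedCookies.join(",")}`;
  const known = new Set(audit(observed[base]).map(key));
  return audit(observed[other]).filter((f) => !known.has(key(f)));
}
console.log(JSON.stringify(changes("US/desktop", "DE/mobile"), null, 2));
```

A finding with `owner: null` is a vendor nobody in the organization has authorized, and a `party` of 4 or more is one that arrived through another vendor rather than through the page itself.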

Unless security professionals have a true digital risk management program in place to monitor all code executing on their website using multiple user profile combinations, there really is no other way to defend their websites against breaches. This preventative stance is especially valuable for ecommerce website security, where there is a direct impact on revenue, reputation and sensitive customer information.
