Digital Vendor Risk Management for the Enterprise

Protecting users and organizations from unknown threats requires a different approach to digital security

With every passing year, the number and scale of breaches exposing consumer data increase, leading to lawsuits and mass negative publicity. Even with due diligence and the best of intentions, any company can fall prey to vulnerabilities via third-party vendors and applications in the highly dynamic digital environment. Every business with a website or mobile app is at risk, especially in industries that view their digital assets as strategic revenue channels, such as retail, travel, banking, and media.

The Year of Breaches

In 2018, hundreds of businesses discovered just how dangerous digital risks can be. Incidents that made headlines around the world include:

  • Magecart malware was injected into vulnerable sites through online chat programs, stealing private data from millions of users.
  • Traffic statistics code was manipulated to load “cryptojacking” scripts onto websites, which discreetly used visitor devices to mine cryptocurrencies.
  • An online rating seal provider was compromised to mine users’ financial data when they shopped on infected websites.
  • Website analytics tools surreptitiously collected users’ personal information in violation of data protection regulations like GDPR.

When it comes to cyberattacks, nobody is too big to fail: last year’s victims included Fortune 500 companies, government entities, public school systems, and news media.

Digital Vendor Risk Management (DVRM): The First Line of Defense

Third-party applications, which comprise 50-95% of executing code, have made it easier for businesses to create and run dependable web platforms. Unfortunately, they have also created a slew of risks that can’t be mitigated by traditional security practices.

With so much at stake, it might seem like a good idea to pull the plug on third-party applications altogether. But the functions these services provide – such as payment processing, ad-stream revenue, content management platforms, analytics, and product catalogs – are often indispensable. 

So what can be done?

Although businesses cannot usually alter the dependencies which support their websites, they can invest in DVRM to set up a targeted defense. DVRM enables an organization to identify, monitor, and track its third-party portfolio while mitigating the dangers of an attack through continual monitoring and analysis.

As a first-line defense for many enterprise websites, DVRM provides:

  1. Discovery and insight: captures who is operating on the organization’s digital properties, the dependencies they employ, and which entities may have access to critical assets
  2. Dynamic security: tracks, records, and alerts administrators to changes in source code and other anomalous events such as parked domains (cybersquatting)
  3. Data compliance: pinpoints how user data is being tracked by vendors
  4. User experience enhancement: protects users from security threats and impediments to successful navigation, transactions, logins, etc.
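
One way to implement the discovery and change-tracking ideas in items 1 and 2, as an added example that is not The Media Trust's code or product: it inventories third-party script and iframe hosts in a page, compares two scans, and flags hosts outside an approved vendor list. The function names, the `shop.example` site and the vendor hosts are assumptions constructed for illustration, and it reads static HTML only, so resources injected at runtime are not seen.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect external script/iframe URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if src and tag in ("script", "iframe"):
            self.external.append(src)
        elif tag == "script":
            self._in_inline = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def snapshot(html, first_party):
    """Map third-party hosts to their URLs and hash every inline script."""
    inv, hosts = ScriptInventory(), {}
    inv.feed(html)
    for url in inv.external:
        host = urlparse(url).hostname
        # Relative URLs and the site's own (sub)domains count as first-party.
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.setdefault(host, []).append(url)
    digests = sorted(hashlib.sha256(s.strip().encode()).hexdigest() for s in inv.inline)
    return {"hosts": hosts, "inline_sha256": digests}

def compare(baseline, current, approved):
    """Report drift between two scans and hosts missing from the approved vendor list."""
    old, new = set(baseline["hosts"]), set(current["hosts"])
    return {"new_hosts": sorted(new - old), "unapproved_hosts": sorted(new - set(approved)),
            "inline_changed": baseline["inline_sha256"] != current["inline_sha256"]}

# Constructed sample: one checkout page on two scans (hypothetical hosts, not real traffic).
SITE, APPROVED = "shop.example", {"chat.vendor-a.example"}
SCAN_1 = ('<script src="https://static.shop.example/lib.js"></script>'
          '<script src="https://chat.vendor-a.example/widget.js"></script>'
          '<script>window.cartId = "abc";</script>')
SCAN_2 = SCAN_1.replace('"abc";', '"abc"; loadSurvey();') + \
    '<script src="//stats.vendor-b.example/t.js"></script>'
if __name__ == "__main__":
    print(compare(snapshot(SCAN_1, SITE), snapshot(SCAN_2, SITE), APPROVED))
```

The second scan reports one new, unapproved host and a changed inline script, which is the kind of drift an administrator would be alerted to.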

DVRM Use Case: Identifying Unknowns for a Large Online Retailer

A brick-and-mortar retailer with a large eCommerce operation approached The Media Trust to investigate its website and assets to get a better handle on risk management. 

As a first step, The Media Trust scanned the website from the consumer’s point of view (using hundreds of different real-world user personas) to capture and catalog each third party involved in rendering the consumer experience. This process yielded the following discoveries:

  • An ad platform trusted by the retailer had been using competitor services
  • An internal group added a third-party survey during the checkout process, causing an uptick in cart abandonment and corresponding revenue loss
  • Significant code bloat from third-party apps caused site performance problems 
  • Presence of domains suspected of espionage and foreign interests

After identifying the harmful impact of these discoveries, The Media Trust provided detailed information on the third-party vendors executing at crucial points of the checkout process, which helped the client revise its website code and reduce impediments to the sales funnel.

Additionally, The Media Trust deployed prevention mechanisms to safeguard against future issues:

  • Regular scanning registered and alerted webmasters to changes in the website’s source code
  • Shopper execution scanning verified end-to-end authentication and encryption
  • Malware scanning revealed any anomalous code
  • Centralized repository enabled the client to share and collaborate on security guidelines with vendors

While none of the vulnerabilities found on the client’s website were serious enough to alert consumers, The Media Trust’s proactive measures ensured that small gaps in security did not escalate to larger gaps in consumer safety or the company’s bottom line.

As the old saying goes, “an ounce of prevention is worth a pound of cure.” While businesses struggle to understand what security means in an age of rampant data leaks and hefty compliance penalties, a digital risk management strategy will go a long way in preventing disasters before they happen.