Pay More Attention to Web and Mobile Digital Attacks. Cybersecurity spending is on track to reach $200 billion; but much of that spending makes little difference, because businesses are falling behind cyber actors. Today, for instance, attackers are shifting from email to web and mobile applications as the preferred delivery mechanism for malware and phishing attacks.
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack”, we are talking to cybersecurity experts and chief information security officers who can share insights from their experience with all of us. As a part of this series, I had the pleasure of interviewing Chris Olson.
Chris Olson founded The Media Trust with a goal of transforming the internet experience by creating better digital ecosystems to govern assets, connect partners, and enable digital risk management. As CEO, Olson drives the company’s vision, direction, and growth plans. He has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams. Under his leadership, the company invented the first digital data compliance and malware scanning technologies, including digital media verification, ad tag malware scanning, smart phone malware scanning, COPPA monitoring and compliance, and the digital malware taxonomy. He is a trusted source for cybersecurity counsel; he regularly advises and works alongside leaders at federal, state and local law enforcement agencies to know, track, gather evidence, and prosecute cybercrime. His thought leadership in cybersecurity policy, third-party risk, and data privacy regulation is regularly sought out by leaders in Fortune 500 companies as well as industry think tanks, and the media.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I’m an Irish Catholic Bell Labs baby! My stepfather designed cutting-edge integrated circuits at Murray Hill. I grew up in a house with one person, my mom. She was always telling me to do the right thing for others and myself — even if it meant I was to take the harder path. “You can make a computer do anything”, she’d say. And to make sure that computers didn’t tell me what to do. Today, “digital” tells a lot of people what to do and think. In too many ways it creates a focus on self at the expense of thinking about others. It’s natural that I would start a company protecting people, companies, and governments from bad things in digital.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
That’s easy — The Media Trust started as the first Ad Verification company for digital. The goal was to verify that targeted paid content and advertising was running against the correct targets. To accomplish this, we became real people and profiles on the web and ran full browser scans to detect targeted content. It worked — AOL, Yahoo, and Advertising.com (a few of the biggest online companies existing at the time) signed up. The problem was that the more diverse our profiles became the more malware infected our platform. We tried every security product on the market which collectively detected roughly 2 percent of the problem — today it’s only about 5 percent.
I bootstrapped the company. Constantly buying new computers and equipment wasn’t making my “wife-to-be” happy — talk about motivation. What to do? Become a digital trust & safety company detecting malware to help companies not cause harm. We’d show our customers how they were unwittingly enabling bad actors to target people and companies with malware and unwanted content. We’d then enable them to stop it.
Fast forward 15 years, and targeted malware through digital is a top 3 cyberattack vector — even AV and Endpoint companies occasionally detect it. Digital trust & safety is one of society’s hottest topics and greatest challenges. The Media Trust is the best company in the world at detecting targeted online, mobile attacks and unwanted content. Life works in mysterious ways. We protect billions of people and tell computers what to do.
Can you share the most interesting story that happened to you since you began this fascinating career?
A bad actor was trying to become a customer of The Media Trust to learn and bypass our technology. Coincidentally, a law enforcement agency in another country found his home. He wasn’t there, but when they investigated his computer my contact information was front and center. They sent the dossier to U.S. Law Enforcement for help and the document serendipitously crossed the desk of a cyber investigator that is a friend and colleague. My friend called me and asked if I knew the person.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
First, I would say that I am family-oriented; this fuels my passion and drive. I want my legacy to be creating a safer digital ecosystem for my daughters and future generations. Next, I think you have to be a visionary. I was 15 years ahead of the industry when I started The Media Trust; I was willing to “carry the water” to advance the concept of digital trust & safety. Owning the narrative and being willing to step out of your comfort zone when introducing new ideas to the market is imperative. Finally, I think you must be trustworthy; I make it a point to be honest and do the right thing even when no one is looking.
Are you working on any exciting new projects now? How do you think that will help people?
The Media Trust is working on some new solutions advancing digital trust & safety to safeguard some of the more vulnerable segments of our society. Sometimes digital algorithms are bullies (yes, I am personifying “AI”. It’s trained by people still) and pick on those who can’t defend themselves. Our research and daily monitoring of the digital ecosystem exposes the bad actors and points of possible intrusion. Our mission is to make the web and mobile web safer for children, the elderly, and vulnerable in addition to companies and government agencies. This means helping organizations — brands, governments, public sector, gaming, etc. — take responsibility for their digital assets that can harm consumers.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
Cybersecurity and data compliance vendors focus 100 percent on protecting “the company,” leaving little time to consider their digital impact on their customers. Business schools teach you to think about customers first. Law Schools and Cybersecurity programs teach you to protect the company. Boards and the C-suite aren’t there yet. Our secret sauce is simple: we think about our clients’ digital customers. With this driving mindset, we are the authority on targeted attacks through the digital ecosystem, websites and apps. We have 15 years of experience thinking about and protecting targeted consumers and employees. I look at cybersecurity from left-of-breach and draw awareness. It’s a fact that most malicious attack vectors throughout the digital ecosystem are coming from the everyday content people engage with through websites and mobile apps. Companies need to think about their digital customers’ safety like they think about their own. Once they do, they will understand and become authorities in digital trust & safety as well.
I continually stress that the risk of weaponizing enterprise websites and mobile apps to harm consumers is too great to ignore. In 2022, I hope to see more discussion about the need for digital trust & safety across industry and regulatory forums.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
At The Media Trust, we focus specifically on the unmanaged third-party code that provides rich features like data management platforms, shopping carts, payment platforms, media rendering, advertising, and customer support on everyday websites and apps.
The security risks of third-party code are often considered in other contexts — such as App development — but are conspicuously overlooked when it comes to websites and mobile Apps.
This is a critical segment of cybersecurity as websites and Apps are made up of unmanaged third-party code. This code is designed to know you and target you. It helps run digital businesses, but it’s also used by bad actors to know and attack. Third-party code has the capability to deliver targeted content to consumers including misinformation, phishing attacks, ransomware, links to fraudulent web pages, and more. Once Data Regulation implementation gets past protecting companies at the expense of consumers, you will see a requirement that all companies know what they do to their customers. You can see this evolving in pending legislation around the world like the UK Online Safety bill.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Both. For years, the web has been mostly ignored to all our peril as a channel for phishing and ransomware attacks, which are blamed on more traditional channels like email. But today, consumers and employees spend vastly more time on websites and apps than they spend reading emails — and unlike email, most organizations have not made the efforts required to secure their online domains or protect themselves specifically from targeted digital.
Most of us feel the impact of a data breach through fraudulent credit card purchases showing up in our bank account, or the bank account of a loved one: but when it comes to cybersecurity, that’s the last thing on the minds of most business leaders, who focus on shifting risk from the corporation to the individual.
This doesn’t just break the Golden Rule, it is both a tactical and business mistake. Companies can’t protect themselves from all risks equally, especially in the midst of a shifting cyber landscape. But risks that have the biggest impact on customers and consumers should take priority, and protecting their safety ensures business resilience for the long term.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Organizations need to be more focused on employee devices. The websites employees visit and mobile devices they use on these digital channels are the next frontier for malicious actors. Organizations have fallen behind threat actors and continually find themselves responding to ransomware and encryption attacks after the fact.
To protect themselves, organizations must focus on digital as an attack vector; relying on traditional endpoint security, AV and IP/URL filtering are missing the vector. Those entities don’t focus on targeted digital attacks and so are missing data critical to protecting the company and its customers — this is dramatically exacerbated by the hybrid workforce model.
Leaders must work to gain a detailed understanding of the way that ransomware attackers compromise their systems, from the reconnaissance phase through to execution. It’s easy to overlook the importance of digital attack surfaces such as the Web and mobile devices — but this is exactly where many ransomware incidents begin.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
I’m watching the UK Online Safety Law. Unfortunately, up to now legislation has not addressed risk arising from digital third parties in a meaningful way: malicious third parties hide behind legitimate code, in the shadow IT of major businesses. Most organizations aren’t even aware that it’s happening — they don’t know who their digital partners are, much less where they are, or what they are doing with their customers’ data. Tech Leaders can help drive change here.
While GDPR and similar laws are a step in the right direction, the implementation has been to put Consent Management Platforms (CMPs) in front of unsuspecting consumers — creating a terrible experience — but more importantly simply moving risk from the company back to the consumer. Organizations who want to protect their customers must step up and take back control of their online domains. That starts by monitoring the activity of digital partners and knowing who they are.
Governments need to think about digital as an open border — one we can all agree that if open, should at least be known. State actors, organized crime and their proxies leverage digital to get source code on devices (i.e. backdoors that lead to ransomware or spyware) to target voters with disinformation to attack our corporations. This is made easier with employees working from home. National Security requires defense; knowing what source code is crossing open borders to know and impact our citizens. You can’t protect your government if you can’t protect your citizens or your expats around the world.
Finally, Web3 is more TRANSPARENT, but it is not SAFER — at least not yet. As we enter a dramatic shift toward virtual reality and blockchain finance there is an opportunity to focus on third-party code and targeted media before it is too late.
What are the “5 Things Every American Business Leader Should Do to Shield Themselves from a Cyberattack” and why?
Today’s businesses are facing cyber risks of an unprecedented magnitude, and the consequences for failing to address them can be severe. In 2021, the average cost of a data breach was north of $4 million, with the global cost of cybercrime projected to reach $10.5 trillion by 2025. If I could convince every business leader in America to take five precautionary steps, here’s what they would be:
- Consider the Consumer Perspective: Most of us feel the impact of a data breach through fraudulent credit card purchases showing up in our bank account, or the bank account of a loved one, but when it comes to cybersecurity, that’s the last thing on the minds of most business leaders. Business leaders often focus on shifting risk from the corporation to the individual.
This doesn’t just break the Golden Rule, it is both a tactical and business mistake. Companies can’t protect themselves from all risks equally, especially in the midst of a shifting cyber landscape. But risks that have the biggest impact on consumers should take priority, and protecting their safety ensures business resilience for the long term.
- Pay More Attention to Web and Mobile Digital Attacks: Cybersecurity spending is on track to reach $200 billion; but much of that spending makes little difference, because businesses are falling behind cyber actors. Today, for instance, attackers are shifting from email to web and mobile applications as the preferred delivery mechanism for malware and phishing attacks.
Digital attackers have become highly sophisticated. From the backend they’re using obfuscated and polymorphic code to dodge blockers and URL filters, from the front end they are using elaborate JavaScript constructions to deceive even the most vigilant Internet users. The Browser-in-the-Browser attack is a perfect example.
- Take Control of Your Digital Ecosystem: Your websites and Apps are your touchpoint to your customers. It’s not hard to explain where increased risk in the digital ecosystem is coming from. Today’s organizations are essentially outsourcing their digital properties to third parties, some of whom are malicious. For instance, 80–90% of code across Alexa 500 websites is owned and operated by someone other than the host. If 1% of this code is vulnerable to attack — which is consistent with our findings — that puts the vast majority of companies at risk of attacks originating through the digital ecosystem, from phishing attacks to inappropriate and traumatizing advertisements.
Business leaders should therefore take a much more proactive approach to controlling their digital properties in whatever form they take. Websites and mobile apps are now central to the way most organizations generate revenue. Consequently, today’s businesses need a C-level executive — CDO or equivalent — who can take ownership of the digital space while guiding adoption of transformational technologies in a way that puts consumer safety first.
- Invest in Digital Vendor Risk Management (DVRM): Even after taking control of their digital ecosystem, businesses aren’t going to eliminate risk. To protect themselves, their clients, and customers, they must:
  - Continually scan their digital properties for the presence of new 3rd-parties and malicious code
  - Immediately block and remove bad actors on detection
  - Report them to upstream ad partners so they are eliminated from the digital ecosystem
As a centralized platform for automating these functions, Digital Vendor Risk Management (DVRM) should become part of every organization’s cybersecurity and Vendor Risk toolkits.
- Digital is Attacking You: You and your company are the target. Protection from targeted digital attacks is overlooked. Your office and hybrid-workforce are known and for sale — look out for those who purchase access to attack you.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂
I would usher in a new era of digital trust & safety. The unmanaged digital ecosystem is the biggest miss in cyber as it enables unchecked distribution of malware and data theft.
Think about your customers. If owners of websites and mobile Apps begin to control the prevalence of unmanaged code (90 percent of executing code is from third parties outside IT’s attention) and not allow their digital assets to be leveraged to propagate consumer-harming activity, e.g., backdoors, e-skimming, ransomware, keystroke logging, phishing and so much more, we could stop bad actors in their tracks and make the web a much safer place.