How The Media Trust delivers on its promise has evolved and expanded in scope over the years. The company’s products have noticeably shifted in approach from a reactive detect-and-notify to a pre-emptive identify-evaluate-notify-and-resolve. Olson and CTO Dave Crane started The Media Trust to meet publishers’ emergent need for a systematic way to verify whether an online ad published according to the contract with the ad buyer: on the right page location, to the right audience, at the right time. Next, they pioneered malware scanning and spawned services for malware prevention, creative QA, and data protection. Today, the company helps their clients address the three dimensions of digital risks – security, privacy, and quality – from a single platform known as ‘Digital Vendor Risk Management’. “We work with most of the largest publishers, advertising exchanges, demand side platforms (DSPs), brands, and e-commerce companies”, explains Olson.
Ignorance isn’t bliss
The need to fix the internet has never been more urgent. “On the face of it, fixing the internet does sound like a ridiculous goal”, concedes Calic, but it’s the only way companies can survive in today’s competitive, more highly regulated digital economy. The best way to do it is for companies to regain control of their mobile apps and websites; the ideal starting point is to know their extended web of digital partners.
Over the past decade, companies have progressively lost track of their digital ecosystem’s partners and activities, which have multiplied under the radar. In their quest for more revenue, through richer user experience, companies increasingly outsourced the development, launch, enhancement, and management of their websites and mobile apps. “Media publishers controlled a significant majority of what was exposed to the consumer, so the threat of regulatory violation from third-party malware was minimal”, explains Olson. “Today, certainly in the ad-supported ecosystem, anywhere from 70-95% of source code that renders on the consumer website is third- to nth-party code, meaning the website operator has almost no control over what the consumer is exposed to – a huge problem when it comes to the GDPR.”
The GDPR, an EU regulation that goes into force on 25 May, protects the privacy of all EU citizens. It holds digital property owners responsible – and, therefore, subject to penalty – for any unauthorised personal data collection occurring on their digital properties by direct or indirect parties, even if they had no knowledge of the collection nor any direct possession of the data. In short, they could pay dearly – up to 4% of annual revenue or turnover (or €20m, whichever is greater) – for the known and unknown activities of known and unknown vendors.
Can the perils of non-compliance with the GDPR be overstated? O’Neill thinks not: “People need to adhere to it. It will be law. There are very real fines associated with it.” He believes companies will need to clean-up house, and many are simply unprepared for GDPR. The Media Trust developed the Digital Vendor Risk Management (DVRM) platform to help clients resume control over their digital ecosystem and comply with GDPR and other regulations. The platform is a boon for publishers, whose sites and apps too often run code they never knew existed by parties they have never met. Publishers are able to validate the ownership and activity of third-party code; execute and analyse first- through nth-party code; resolve creative quality issues and security incidents quickly without damaging relationships with their trusted vendors; share and enforce policies and industry best practices; and document vendor compliance. Ad/rev ops teams can use DVRM to generate reports they can present to top management that highlight the key role they play in managing the organisation’s digital risks. In a world where cybercrime pays high dividends and regulations are becoming more stringent, those risks are growing in numbers and complexity.
Tomorrow’s world
The likely winners of the regulatory shakeout are large organisations that have been gearing up for GDPR by operationalising their compliance strategies, as well as organisations with a wealth of first-party data, such as brands and publishers. “They have an amazing opportunity to enforce some leverage of the supply chain, instead of being beaten by the stick of viewability, fraud, and domain spoofing. Finally, they can see that they will have shared liability for this,” says O’Neill. And the likely losers? “Companies that do not have strong compliance or transparency can get hurt, and we have started to work with them,” confirms O’Neill. There will also be a corresponding shakeout among cybercriminals. Some bad actors will be forced out of the picture completely, unless they switch to higher gear with more potent malware or refocus their capabilities to do good.
The Media Trust believes that laws and compliance regulations, even security requirements revolving around legal issues, will no doubt continue to tighten in the next five to ten years. What surprises Olson is how little companies have done to up their game in managing the risks of their digital assets, the obvious targets of ever more sophisticated attack campaigns. “They think of security from the angle of preventing intrusion into the organisation’s physical structures and systems, but not its digital assets. That is scary.”
However, The Media Trust is optimistic that companies will find themselves with no choice but to retool for an increasingly regulated digital environment. “If you take your poison now, it’s going to hurt much less than if you wait longer to do it”, confirms Calic. The right tools and processes, those that go beyond frameworks and checklists, will go a long way to preventing and controlling digital risks. So too will working more closely with up- and downstream digital partners. In fact, the company has built a network of over 300 digital leaders whose businesses span the digital ecosystem and who have agreed to collaborate on enforcing policies, sharing best practices, and rooting out bad actors – all with an eye to building a healthier digital ecosystem. This community has taken a page from the community policing book by developing mutually agreed upon strategies that make systemic use of the network to pre-empt and address issues.
DVRM helps this network police its community. “I think the notion of DVRM”, explains Calic, “provides a really nice vehicle for folks to adopt industry standards and compliance and share those badges across the ecosystem. Over time, as people get more comfortable with reaching out and sharing information, driven a lot by the publishers, they will start sharing their rules, not only from a technical implementation perspective, but also from a wider compliance perspective.” By working together, they will fix each other’s digital ecosystems and, in so doing, the internet.