This article by Chris Olson was originally published in CSO on January 12, 2018
There’s no escaping it: the cost of recovering from cyber incidents continues to mount, projected to reach $8 trillion by 2022 according to Juniper Research. Enterprises can’t keep pace with the increasing sophistication and cadence of internet attacks, many of which are carried out by abusing the third-party components that everyday website functionality depends on.
Information security is a growing, multibillion-dollar business. Yet the hits keep coming, with numerous high-profile breaches in 2017 generating unwanted front-page news for Equifax, Dun & Bradstreet, the U.S. Securities and Exchange Commission (SEC), Deloitte, Whole Foods Market, Hyatt Hotels, Uber, and Anthem, among others. While the security problem has many facets, the digital environment, meaning the code that actually executes in visitors’ browsers, has proved the most elusive. In fact, the past 12 months saw countless man-in-the-middle attacks, vendor compromises and bots used to harm consumers and employees alike, grabbing credit card data, hijacking system resources, and much more.
Something is wrong. Could it be that security providers don’t have solutions to address today’s malware problems?
Broken promise of information security in a digital world
For years, security companies have extolled the necessity and superiority of their tools and monitoring systems, offering one-stop solutions to an array of security woes. Those claims may have been valid at one time, but they are no longer true. The Internet’s ubiquity in everyday activity has changed the attack surface, and this highly dynamic digital environment introduces a complexity that eludes many, IT professionals and solution providers alike.
This disconnect between what the market needs and what is available is most apparent in corporate websites. To render a page, a website executes a range of code, but most of that code is neither owned nor operated by the enterprise. Think about it: everyday services such as content management systems, data management platforms, social widgets and blogging platforms are sourced from outside the enterprise. Indeed, 50-90% of the code executing on a page is provided by third parties, who in turn can call fourth and fifth parties.
These third parties are a problem for traditional application security tools, or “appsec,” which typically can monitor only code provided by the enterprise and its direct vendors. Such tools cannot see past the first (sometimes second) party and therefore have no comprehensive view of the digital supply chain involved in rendering each web page. As a result, only the owned-and-operated website code is scanned, reviewed and deemed safe, while the upstream supply-chain vendors that serve shopping carts, videos, search and numerous other required functions are ignored. This blind spot means those vendors can be compromised with little chance of being caught before causing significant harm.
And harm they do cause, as the variety, size and frequency of attacks reflect. It is not that cybercriminals have become significantly more talented; the problem is that the tools offered by one-stop-shop security providers have not evolved to match the infrastructure they are meant to protect, which is now digital and executes largely outside the enterprise. Security providers cannot secure the digital economy with server-side tools if they cannot see, let alone monitor, the code that executes in the browser.
Websites are only as secure as the least secure code
The digital economy is under threat. Securing the digital environment is complex and difficult to master. Not only do traditional security products fall flat, but various digital providers (such as tag managers, ecosystem mappers and consent platforms) have been known to lead enterprises astray with assurances of their security capabilities. A word of caution: just because a vendor operates in the digital environment doesn’t mean it can see the full execution supply chain required to provide comprehensive digital security.
To mitigate risk and lock out cybercriminals, website operators need to transform their approach to securing the digital environment. This means knowing exactly what your customers experience, because you can’t secure what you don’t know. The first step is to identify owned-and-operated website code and then compare it to what actually executes in customers’ browsers outside the firewall; the disparity can be eye-opening. Then analyze the heretofore unknown vendors, which may require research to understand their purpose and activity on the website, which vendor called them, and any risk they pose to the enterprise, employees, partners or customers. The next step is deciding whether each vendor should be allowed to execute on the corporate website. Finally, vendors providing necessary value to website functionality should know your security expectations. Sharing your requirements with third parties goes a long way toward demonstrating reasonable care for protecting consumers, which can help mitigate liability should something go wrong. And it will.
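The procedure above (inventory what executes, attribute each script to the vendor that called it, decide who may run, then enforce) can be made concrete. The following is an added example written for this page, not code from the original article or from any vendor it mentions. It assumes two first-party origins and one approved tag vendor, and the sample of loaded scripts is constructed; the `loadedBy` attribution is an assumption, because the browser’s Resource Timing API reports what loaded but not which script requested it, so in practice that chain comes from a proxy, DevTools, or an instrumented browser. The last function turns the allow/deny decision into a Content-Security-Policy `script-src` directive, which is the mechanism for the “actively block” step described later in the article.

```javascript
// Added example, not code from the original article. Inventories the scripts a
// page actually executed, sorts each into owned / approved / unknown, computes
// how many vendors deep it sits (third, fourth, fifth party), and emits a CSP
// script-src allowlist from the decision. All hostnames are assumed/constructed.

const OWNED_ORIGINS = new Set([
  "https://www.example-shop.com", // assumed first-party origins
  "https://static.example-shop.com",
]);
const APPROVED_VENDOR_HOSTS = new Set([
  "cdn.tagvendor.example", // assumed: a tag manager the business signed off on
]);

// Constructed capture of one browser session. `loadedBy` is the script that
// requested the resource; the Resource Timing API does not expose this, so it
// is an assumption standing in for proxy/DevTools attribution.
const SAMPLE_LOADS = [
  { url: "https://www.example-shop.com/js/app.js", loadedBy: null },
  { url: "https://static.example-shop.com/js/cart.js", loadedBy: "https://www.example-shop.com/js/app.js" },
  { url: "https://cdn.tagvendor.example/tag.js", loadedBy: "https://www.example-shop.com/js/app.js" },
  { url: "https://pixels.adnet.example/p.js", loadedBy: "https://cdn.tagvendor.example/tag.js" },
  { url: "https://collect.unknown-tracker.example/c.js", loadedBy: "https://pixels.adnet.example/p.js" },
  { url: "https://widget.social.example/w.js", loadedBy: "https://www.example-shop.com/js/app.js" },
];

// In a real browser the observed side of the comparison comes from Resource
// Timing. Guarded so the example also runs outside a browser (returns []).
function captureScriptLoads() {
  if (typeof window === "undefined" || !window.performance) return [];
  return performance
    .getEntriesByType("resource")
    .filter((e) => e.initiatorType === "script")
    .map((e) => ({ url: e.name, loadedBy: null })); // initiator URL is not exposed by the API
}

function isOwned(url) {
  return OWNED_ORIGINS.has(new URL(url).origin);
}

// Party number: 1 = owned code, 3 = loaded directly by owned code, 4 = loaded
// by a third party, and so on (customary numbering skips "second party").
// Walks the loadedBy chain; a cycle or a missing parent ends the walk.
function partyOf(entry, byUrl) {
  let hops = 0;
  const seen = new Set();
  let cur = entry;
  while (cur && !isOwned(cur.url) && !seen.has(cur.url)) {
    seen.add(cur.url);
    hops++;
    cur = cur.loadedBy ? byUrl.get(cur.loadedBy) : undefined;
  }
  return hops === 0 ? 1 : hops + 2;
}

function classify(loads) {
  const byUrl = new Map(loads.map((l) => [l.url, l]));
  return loads.map((l) => {
    const host = new URL(l.url).hostname;
    let status = "unknown";
    if (isOwned(l.url)) status = "owned";
    else if (APPROVED_VENDOR_HOSTS.has(host)) status = "approved";
    return {
      url: l.url,
      host,
      party: partyOf(l, byUrl),
      status,
      calledBy: l.loadedBy ? new URL(l.loadedBy).hostname : null,
    };
  });
}

function ordinal(n) {
  return n === 1 ? "1st" : n === 2 ? "2nd" : n === 3 ? "3rd" : `${n}th`;
}

// The disparity the article describes: hosts that execute without approval,
// each with the vendor that introduced it.
function unknownVendors(report) {
  return report
    .filter((r) => r.status === "unknown")
    .map((r) => `${r.host} (${ordinal(r.party)} party, called by ${r.calledBy})`);
}

// Enforcement of the allow/deny decision: a script-src directive built from
// owned origins plus approved vendor hosts. Deploy it first as
// Content-Security-Policy-Report-Only so surprises arrive as reports, not outages.
function buildScriptSrc(report) {
  const allowed = new Set(["'self'"]);
  for (const r of report) {
    if (r.status === "owned") allowed.add(new URL(r.url).origin);
    else if (r.status === "approved") allowed.add(`https://${r.host}`);
  }
  return `script-src ${[...allowed].join(" ")}`;
}

const observed = captureScriptLoads();
const report = classify(observed.length ? observed : SAMPLE_LOADS);
console.log(unknownVendors(report).join("\n"));
console.log(buildScriptSrc(report));
```

Run in a browser console, `captureScriptLoads()` supplies the real list of executed scripts for that page; the constructed sample is used only when no browser is present. The party number is what tells you whether a host you have never heard of was introduced by your own code or by a vendor’s vendor, which is the question the article says most appsec tooling cannot answer.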
Purifying the digital environment
Ongoing news about cyberattacks has a desensitizing effect. The problem is getting worse, and the sheer frequency leaves many security providers feeling ambivalent or helpless. Neither response is warranted.
Strong IT governance practices require comprehensive security for the digital environment, which means all website and mobile app code is reviewed, approved and monitored. This way, companies can hold third-party vendors responsible for complying with their policies, actively block those that don’t, and formally terminate relationships with vendors that don’t live up to those standards.
A true, multi-faceted digital risk management program takes a proactive approach to cleaning up corporate websites while securing the corporate risk posture and protecting customers.