By Chris Olson, CEO of The Media Trust 2018 was not a year that inspired confidence in our digital ecosystem. The passage of a data security and privacy law like the UK’s General Data Protection Regulation (GDPR) hasn’t made a dent in data breaches. In fact, the total number of personal records exposed more than doubled, no doubt fueled by earlier data breaches, the increased availability of tools for attackers, and an ever-expanding list of potential attack vectors. The number of hacks and breaches tells us something about the way businesses are running their digital properties: websites and mobile apps are vulnerable. According to a recent study, 1% of sites across the web are infected with malware at any given time, and only 15% of compromised domains are blocked by browsers. This problem is exacerbated by complacency: if companies would keep tabs on vulnerabilities and regularly update their software, attacks would succeed less frequently – right? While there is a grain of truth to it, the full story is a lot more complex and vexing thanks to third-party code vulnerabilities. The Iceberg of Web Development The web development stack is tall. Unfortunately, operators only see the tip of a very large iceberg of code that makes today’s websites and mobile apps engaging—i.e., content recommendation engines, customer identification platforms, social media widgets, and video platforms, to name a few--and optimizes B2C interactions—i.e., content delivery network, marketing management platforms, consumer tracking data, data analytics, and more. The ubiquity of CMS platforms and their plugins has made them popular targets for professional hackers and script kiddies alike. Earlier this year, 600,000 sites were compromised when a former employee defaced the WP Multilingual (WPML) plugin. Last year, similar incidents occurred on a monthly basis. An organization’s digital ecosystem is often dominated by digital third parties, who run code outside the organization’s IT perimeter. A business that cannot see what all their digital third-parties are doing on their website, has no control over their digital ecosystem. With no means to monitor and keep in line all the code that runs on a website, carefully vetting third-party code suppliers is a good first step, but hardly a complete solution. These third-parties often bring to the party their own vendors, whose code is also largely untested and unmonitored. The result is a website that collects information from users often without the knowledge of users’ or the website owner’s. How Third-Party Code Dominated the Digital Scene Today, very few businesses build a website from scratch. The demand for a rich user experience and for a variety of website analytics far exceeds the capabilities of most companies. Over the past two decades, outsourcing code has bridged the widening gap and explains why third-party code now dominates the world wide web. So much so, that 50-95% of the code running on the more than 10M websites we monitor, belongs to someone other than the digital asset owner or operator. In a typical case, one popular news site displayed an article feed to its users along with six advertisements. Scanning the property revealed much more behind the scenes, including 163 third-parties and 238 active domains. Examples include: • Data management platforms (DMP) • Content recommendation systems • Community features • Social widgets • Programmatic advertising • Analytics • Online chat And many more. These third-parties fingerprint the user, drop cookies, and make calls to other domains without the host organization’s knowledge or consent. Their agenda is not malicious -- they gather data from users to enhance the user experience, to monetize user data with other businesses that want to give users more of what they want to see, or both. There are no risks to this set-up until malicious actors attack the supply chain. Or until new laws like GDPR and the CCPA make companies accountable for their vendors’ or third- parties’ activities. Taking Back Control The supply chain’s vulnerability to a growing number of attacks is bad for a business and its users. While not all third-party code is created with malicious intent, most vendors operate on thin profit margins, meaning security is not a high priority; several heavily trafficked media publishers learned this the hard way when ICEPick‐3PC infected their domains through the TweenMax JavaScript library. Today, user trust in the digital ecosystem is being tested with every major hack and data breach. Businesses that depend heavily on third-party code risk compromising customer relationships and violating emerging data privacy legislation like GDPR and CCPA. It’s no longer enough for organizations to monitor their own code. Going forward, they must be able to identify who their third-parties are and what these third-parties are doing to users in order to avoid making the headlines for the wrong reasons. Keeping a close watch of and working with these third-parties on enforcing digital policies is the best way to protect users and the business. About the Author: Chris Olson co-founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable Digital Risk Management. Chris has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams. Prior to The Media Trust, Chris created an Internet-based transaction system to research, buy and sell media for TV, radio, cable, and online channels. He started his career managing equity and fixed income electronic trading desks for Salomon Brothers, Citibank and Commerzbank AG.
