Cybersecurity posture: Web tag control and third-party risk management

In “Straighten up: How hidden web tags can hurt your cybersecurity posture,” I talked about how hidden web hidden tags get onto your website, and how proper tag management is an important component of an effective third-party risk management (TPRM) practice. In this blog post, I’ll explain the four categories of cyber risk – data breach, data leakage/data loss, loss of consumer trust – and how tag management protects your company from cyber risk.

The impact of poor cybersecurity posture 

Successful cyber attacks on cloud storage providers and enterprises produce attention-getting headlines. The reality is, an estimated 90% of data breaches are caused by everyday human error, including poor tag management practices. Some of the largest, most toxic data breaches have been perpetrated through third-party connections – just like the third-party web tags currently hidden on your site.

The credit reporting company Equifax provides an alarming example. In an October 2017 breach that received little news coverage, malicious code was injected through the use of JavaScript – the result of defunct adtech technology, still present on one of Equifax’s websites, getting hijacked.

The Wall Street Journal called the security incident “a digital whodunit,” as visitors to the Equifax website encountered malicious software because the site was attempting to use a discontinued web product. In fact, the third-party analytics product’s expiring domain had been hijacked by a cybercriminal. 

Visitors to the website annualcreditreport.com, a joint venture between Equifax and TransUnion, another credit reporting agency, were served up fraudulent online surveys, adware, and software designed to steal online banking credentials.

Vulnerability profiles: Data leakage and data theft

Data breaches are a well-understood fixture in the cybersecurity landscape; individual hackers or groups, or other malicious actors (such as nation-state hack perpetrated by North Korea on Sony Pictures in 2014) gain access to data and steal it, often in enormous quantities. Hidden web tags make your company vulnerable to two additional types of data loss:

• Data leakage occurs when authorized third parties – owners of identified and approved piggyback tags – trickle away additional, unauthorized data. This can happen either intentionally or accidentally; the nature of hidden tags is such that your company (the website owner) is never apprised of changes made to the tags. Data leakage can’t be controlled and is undetectable unless the hidden web tags are proactively found.

For example, data leakage is becoming a huge problem for publishers as advertising dollars shift to programmatic digital advertising. Without effective web tag management, advertisers can take information about users from ad exchanges without ever paying publishers for the data.

• Data theft happens when unauthorized third parties – the owners of unknown and unapproved piggyback tags – siphon off data. The distinction between data breach and data theft is that breaches are the result of external brute force, whereas data theft is perpetrated by owners of unauthorized, surreptitious hidden web tags placed onto your site. Data theft can’t be controlled and is undetectable unless the perpetrating hidden tags are proactively found.
  
  

Removing unwanted tags lowers cyber risk

Because tag mapping and tag management tools let you identify and investigate third-party tags, you can discover if unauthorized web tags are lurking on your site – tags that can dramatically increase breach risk. By removing these piggybacked tags, you can significantly improve your company’s cybersecurity posture and, in turn, lower associated risk. 

Working with third parties is nothing new; your company has collaborated with vendors, suppliers, outsourcers and the like since inception. Two things have changed, though: 

1. the frequency and scale of third-party use 
2. regulatory focus on how organizations are managing third parties to address inherent risks, including cybersecurity
   
   

Tag management is a key component of TPRM 

According to Kristian Park, partner and leader of the Contract Risk and Compliance practice of Deloitte LLP in the United Kingdom, third-party risk management is a growing discipline that: 

“…typically includes a framework and defined process for assessing third-party risk... There would be strong governance in place to define next steps once a risk is identified, including guidance not only for remediating it but also deciding if it should be accepted and how to properly manage it if it is. There would be clear ownership of third-party risk, and people in the organization with a risk management background. We see organizations who have taken many of these steps, but what typically holds them back from fully implementing them enterprise-wide are technology limitations.”

Tag management is third-party risk management

Clearly, TPRM is a large, comprehensive initiative that is not the responsibility of marketing, IT, purchasing, or any one department. However, marketing operations organizations can take definitive steps toward managing third-party risk by using real-time, automated tag management tools across their company’s enterprise-wide web presence. 

By finding and eliminating unwanted piggyback tags, the marketing function can significantly reduce your company’s exposure to third-party cybersecurity risk.

Stand tall to build consumer trust

Effective tag management, and the good cybersecurity hygiene it creates, align with the fact that trust in brands is more important than ever. According to the 2019 Edelman Trust Barometer Special Report, a global study, 81% of survey respondents said that they “must be able to trust the brand to do what is right.”

Doing what’s right includes placing a premium on customer privacy. Through careful data governance and protection, brands can increase customer loyalty, spend, and lifetime value – all of which reduce the risks of customer attrition and revenue loss. 

Earn and keep your customers’ trust

The most forward-thinking companies are now thinking about their Privacy User Experience (Privacy UX), “taking best practices from the field of user experience and human-centered design and applying them to data collection and privacy interactions.” This encompasses diligent web tag management, including the discovery and elimination of unwanted piggyback tags.

When a company demonstrates that it’s a careful, effective steward of personal data, while delivering a top-notch user experience, consumer trust increases. When a brand demonstrates that it’s doing what's right, more people opt into an ongoing relationship.

It’s critical to protect your business from unnecessary cyber risk. Use Trackermap to scan your entire web presence and take the first step toward improving your company’s TPRM program and ultimately, its cybersecurity posture.