customer journey banner
Darren Guarnaccia Posted by Darren Guarnaccia January 08, 2020

Straighten up: How hidden web tags can hurt your cybersecurity posture

You might be surprised that web tags (the short JavaScript programs that run in-browser) are an important factor in determining your company's cybersecurity posture – the relative overall strength of its cybersecurity defenses, particularly as it relates to outside threats. The better your cybersecurity posture, the lower the risk of data breach, data leakage, and data theft.

Lax web tag management might seem very far removed from headlines announcing a catastrophic data loss. After all, web tags are "just" the primary delivery mechanism of the advertising and marketing technologies that power digital engagement – not a large, obvious target such as unsecured cloud storage … right?

Don't slouch on tag management – your cybersecurity depends on it

This thinking illustrates exactly where many companies stumble. Hidden web tags, also known as piggyback tags, are a lesser-known tag type, invisible to marketers unless specifically searched for and identified. Hidden web tags are usually introduced through third-party vendors, not the business partners your company works with directly.

Since you can't control what you can't see, your company is also susceptible to any changes third parties may make to their web tags. These factors – invisibility and vulnerability – together present very significant cyber vulnerability.

This two-blog post series will teach you hidden web tags on your website can expose your company to cyber threats, and how effective tag management is a critical component in improving your company's third-party risk management (TPRM) practices and overall cybersecurity posture.

How web tags introduce cyber risk

Web tags are a byproduct of the adtech (advertising technology) and martech (marketing technology) that marketers have relied on for nearly two decades. Widgets, embeds, and tracking pixels are typically deployed through web tags; these resources, such as a Twitter feed or social media button, use HTML and/or JavaScript to display data on your company's site.

Nearly every time you add a tag to your website, that vendor gets access to your user data. So do their business partners, through hidden piggyback tags. The purpose and behavior of piggyback tags, which are injected indirectly into your site by these third parties through a JavaScript redirect, are almost always unknown and can change daily, based on the tag owner's desires.

Multiplied across a large digital property, you could easily have hundreds, or even thousands, of hidden web tags – each one a potential cybersecurity vulnerability.

Why you need to stand up to the threat of hidden tags

In terms of cyber risk, hidden web tags expose your company to multiple types of unauthorized data access through:

  • Malicious actors or hackers, resulting in data breach
  • Authorized third parties trickling away data, a phenomenon called data leakage
  • Unauthorized third parties that can commit data theft

Why your CEO cares about piggyback tags

Granted, your company's CEO may well not know what a piggyback tag is. But he or she certainly cares about the downstream risk these cybersecurity loopholes carry. Executives are very concerned with avoiding data breaches and privacy infractions, the repercussions of which typically include:

  • Remediation costs: A 2019 IBM/Ponemon Institute study calculated the cost of a data breach at $242 per stolen record and more than $8 million for an average breach in the US. The same study estimated that a typical company has a 29.6% chance of experiencing a data breach in the next 24 months, a dramatic increase in the odds from just a few years ago.
  • Fines from non-compliance with consumer privacy regulations: Recent and emerging privacy regulations like the European Union's General Data Protection Rule (GDPR) and the California Consumer Protection Act (CCPA) are fundamentally changing the way personal data is collected, sold and used online.
  • Companies that don't comply with these and other privacy regulations can be fined significant amounts. For example, in the US, the Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users' personal information.
  • Reputational, customer, and revenue losses: Overall, the hidden costs of data breaches – such as lost business, negative impact on reputation, and employee time spent on recovery – are difficult and expensive to manage. However, the 2018 IBM/Ponemon Institute found that a third of the cost of "mega breaches" (over 1 million lost records) was derived from lost business.

As you can see, controlling which web tags are on your site can directly help avert multiple business crises.

Continuous tag management improves cyber posture

Comprehensive web tag management can systematically improve your company's cyber posture. By proactively monitoring your digital properties' web tags (both visible and hidden), you and your marketing team significantly help your company to reduce the risk of a data breach, data leakage, and data theft – and thus, its cybersecurity posture.

Continuous web tag management comprises four steps:

  1. Scan your site to identify all visible and hidden web tags using manual, automated, and real-time options.
  2. Identify the vendors the tags belong to
  3. Research the vendors to see what these companies do, and what types of visitor information they collect
  4. Eliminate unwanted tags with just a few clicks

Because many tags on your site are likely to be invisible, you will need a couple of purpose-built tools to help you find and eliminate unwanted piggyback tags.

  • Tag mapping tools pinpoint the hidden web tags on your website, running a deep scan to reveal the full scope of your tag ecosystem
  • Tag investigation and removal tools provide an extensive vendor directory containing detailed information about each supplier, the type of data they're collecting and what they're doing with it. Unwanted third-party tags can be easily removed.

Tools for a winning tag management operation

Crownpeak's Trackermap® and TagControl solutions allow digital marketers to identify:

  • All of the JavaScript tags on a site, including hidden piggyback tags
  • What kind of resources the tags are calling
  • Which data the tags collect
  • The impact of each tag on site performance

These tools enable Crownpeak customers to routinely experience site performance gains of 20-25%, with load times on specific pages dropping by up to 70%.

  • Trackermap conducts a deep scan of your entire website providing visibility into the tags that are causing latency, are unauthorized, and/or may pose compliance or security risks.
  • TagControl provides real-time monitoring of vendor's tags and provides the necessary controls to disable them. By producing a list of the vendors taking excessive time to collect and share information, TagControl lets you pinpoint which web tags have a negative impact on your site and take action by preventing the tag from collecting user data. Digital marketers can make informed decisions about which vendors to allow on their site by matching the tag to Crownpeak's vendor library, consisting of 6,000+ companies

Together, tools like Trackermap (part of TagControl) empower your entire marketing team to securely use digital properties to build trust and profitable relationships. In my next blog post, I will talk more about the four cyber risks that proactive tag management helps reduce, and about TPRM.