Chris Olson, CEO of The Media Trust, talks about the security vulnerabilities enterprises create through their own website management, and how those vulnerabilities affect the business.

Most enterprises today are digital publishers. From banks to hotels to large companies, few enterprises are without some level of ecommerce. Chris Olson, CEO at The Media Trust, said, “Whether the enterprise is brick and mortar or ecommerce, they are earning a significant amount of revenue via the Internet.”

Within that ecosystem, 78 percent of all the code that renders is not owned by the first party. The issue for enterprise security, said Olson, is that most IT governance frameworks pay little to no attention to the code that runs on the user side to perform all of that analytics.

Millions of very ordinary transactions occur every day: customers click to book hotel rooms, order clothing, have groceries delivered or simply browse a company website. “For a hotel company, 50% of the revenue is booked via its website,” Olson said. When a consumer loads the site in a desktop browser, “Approximately 20% of the code is maintained by the website. The other 80% is code from third parties used for tracking or web analytics to create that unique digital experience,” Olson said.

That third-party code is most often where the enterprise is vulnerable to malware, malware delivery and data leakage. Olson said, “It is very rare that an enterprise’s own code is hacked. It’s almost always a third party running on the website that is hacked instead.”

The security risk for companies is that large enterprises are concerned about every website but their own. “They are very concerned about employees going to other websites because they know that is where malware lives, so they go to great lengths to limit where employees can go on the web but rarely think about their own site as a potential attack vector for themselves or for the users,” Olson said.

Few enterprises monitor the code that is not their own.
“Third parties check code once, but once it’s put into the content management system (CMS), it’s then rendering on the client side and that company that provides that code is no longer looking at it. If that company is attacked, there is no control because it resides in the CMS,” Olson said. Most malware delivery on the web comes from this third-party, mostly unmonitored code.

Any individual website is made up of all of these third parties, each of which needs to be monitored to prevent malware, or the site owner needs a direct connection with the third party so the bad things can be turned off, Olson explained. When a third party is hit, every site it is on is hit too. “If they are on 500 websites, that means 500 sites are being hit. Many don’t know that something is happening. Architecture is hacked all the time without even realizing,” Olson said.

If enterprises were continuously monitoring and able to get alerts, they could detect these attacks. “Every enterprise needs to be monitoring their website, but they don’t. They check the source code that is their own, but they are ignoring the 80% via third party,” Olson said.

The first step, said Olson, is to actually know which companies are rendering code on the consumer’s side: how many cookies are dropped, the purpose of those cookies, what they are used for, and whether they violate the enterprise’s own privacy policy. For the most part, enterprises don’t do this checking at all. According to Olson, “They don’t scan anything so the third parties are free to do whatever they want. That’s how companies learn all about user behavior. This is how the Internet works. Enterprises don’t actually control what third parties are doing.”

In order to mitigate these security risks, Olson recommends the following:

Know and connect. Once you know who the third parties are, have a connection with them. The third parties that are there need to be monitoring their code in the wild as well.

Put someone in charge. At any given large enterprise, everyone is involved with the website but no one is in charge of it. They all have their hands in the digital presence, but no one is actually tasked with it. It’s like the Wild West.

Governance. Create a process so that you are always monitoring. Actively engage in understanding what those companies do, what they want, and why they are there. If you don’t want them there, prevent them from being there.

Olson said, “Once companies are actively governing and enforcing, a lot of the mess is cleaned up.”
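As an added example (it is not code from the article or from The Media Trust), the Node script below implements the first step Olson describes: inventorying which hosts a page loads script from and sorting them into first-party code, known vendors the enterprise has already "connected" with, and unvetted third parties that should raise an alert. The site domain, the vendor allowlist and the script URLs are constructed for the example; in a browser the same classifier can be fed `Array.from(document.scripts, s => s.src)`. The first-party test is a simplified domain-suffix match, not a Public Suffix List lookup.

```javascript
// Added example, not the article's or The Media Trust's code.
// Inventory the hosts a page loads scripts from and flag the ones nobody has
// vetted. The site, vendor allowlist and script URLs below are constructed.

// Assumptions for the example: the site's registrable domain and the
// third-party hosts the enterprise has already reviewed and connected with.
const SITE_DOMAIN = 'example-hotel.com';
const KNOWN_VENDORS = new Set([
  'analytics.example-vendor.com',
  'tags.example-tagmanager.com',
]);

// Constructed sample: script src attributes as collected from a booking page.
// In a browser, use Array.from(document.scripts, s => s.src) instead.
const SAMPLE_SCRIPT_SRCS = [
  'https://www.example-hotel.com/static/app.js',
  '/static/booking.js',                                  // relative: first party
  'https://static.example-hotel.com/vendor-bundle.js',   // first-party subdomain
  'https://analytics.example-vendor.com/collect.js',
  'https://tags.example-tagmanager.com/gtm.js?id=ABC',
  'https://cdn.unknown-thirdparty.net/pixel.js',
  'https://cdn.unknown-thirdparty.net/retarget.js',
];

// Resolve a src against the page URL so relative paths land on the site host.
function scriptHost(src, pageUrl) {
  return new URL(src, pageUrl).hostname;
}

// Simplified first-party test: same host as the site domain or a subdomain of
// it. A production tool should use the Public Suffix List to derive the
// registrable domain correctly (e.g. for sites under co.uk).
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

// Split every script into first party, known vendor, or unknown third party.
function classifyScripts(srcs, pageUrl, siteDomain, knownVendors) {
  const report = { firstParty: [], known: [], unknown: [] };
  for (const src of srcs) {
    const host = scriptHost(src, pageUrl);
    if (isFirstParty(host, siteDomain)) report.firstParty.push(src);
    else if (knownVendors.has(host)) report.known.push(src);
    else report.unknown.push(src);
  }
  return report;
}

// Fraction of loaded scripts the site does not own; the article puts this
// around 80% for a typical enterprise site.
function thirdPartyShare(report) {
  const total = report.firstParty.length + report.known.length + report.unknown.length;
  return total === 0 ? 0 : (report.known.length + report.unknown.length) / total;
}

// Distinct hosts serving unvetted code: the alert condition for the site owner.
function unvettedHosts(report, pageUrl) {
  return [...new Set(report.unknown.map((src) => scriptHost(src, pageUrl)))];
}

function runInventory() {
  const pageUrl = 'https://www.example-hotel.com/book';
  const report = classifyScripts(SAMPLE_SCRIPT_SRCS, pageUrl, SITE_DOMAIN, KNOWN_VENDORS);
  console.log('first party  :', report.firstParty.length);
  console.log('known vendor :', report.known.length);
  console.log('unvetted     :', unvettedHosts(report, pageUrl));
  console.log('third-party share:', thirdPartyShare(report).toFixed(2));
  return report;
}

runInventory();
```

Run repeatedly (for example from a scheduled crawl of the site's key pages) and diff the `unvetted` list between runs: a host that appears without a matching entry in the vendor allowlist is exactly the case Olson describes, code rendering on your customers' browsers that nobody in the enterprise is tracking.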