Nearly every week, news of another security breach hits the headlines, so businesses are rightfully taking the issue seriously, particularly in light of the upcoming holiday season and the high levels of online traffic anticipated at this time. It is no wonder the Wall Street Journal found the number of publicly traded companies that listed security issues as a business risk increased by 73% from 2012 to 2014. Yet with all the time and money spent on digital security, most companies have major blind spots on their websites caused by their technology vendors. From ad servers and networks, to social marketing widgets and video players, much of the activity on a typical web page comes from somewhere outside a business’ own network, creating major gaps in security.
Ghostery’s 2014 Security Study, “Digital Security Is Serious Business”, reviewed the secure (HTTPS) pages on 50 major websites in the US and Europe to better understand where digital marketing vendors could cause security issues. The study looked specifically at non-secure tags from digital marketing vendors on these pages. It found that, across every industry group studied, 96% of domains have security ‘blind spots’ caused by non-secure digital marketing vendor tags.
Ghostery reviewed websites from retail, financial services, insurance, air travel, and news publishing, and found widespread security blind spots across all industries. Only two sites, Telegraaf in the Netherlands and State Street in the US, were free of non-secure tags on their secure pages. Unfortunately, non-secure tags can have serious business implications and impact ROI in a number of ways – from personal data leakage, decreased Google search rankings and attacks by hackers, to mixed content warnings that increase the consumer’s perception of risk.
Digital marketing technologies can open the door to many types of security issues. The recent Thomson Reuters security breach, for example, was caused by a hacker who entered the site through Taboola, a digital technology placed on the page to recommend content to site visitors. In this case, the hacker changed the Taboola tag code itself, but many other issues can arise from non-secure third-party vendors on websites.
The first issue that businesses must contend with arises when a browser, such as Chrome or Firefox, warns users about non-secure or “mixed content” on the page. Because of the complicated way digital marketing vendors show up on a web page, customers often know about a problem before the website manager does, and it can drastically alter their perception of the offending website. EJ Hilbert, head of the Cyber Practice for Kroll EMEA, explains, “Consumers have been trained to instinctively trust a green ‘https’ before the website address. Conversely a red ‘https’ or any pop up that tells a user they are leaving the secure ‘https’ address is not trusted and thus consumers will shy away. The result is consumers will register, often subconsciously, that the original site is insecure and thus poses a threat. It is these subtleties in the user experience that increase or decrease page rankings and thus page views.”
The next problem facing website owners relates to new additions in the way Google ranks search listings, which is a highly relevant issue during the holiday season. Google has started to take non-secure or “mixed content” seriously and is decreasing search rankings for websites with non-secure content on pages that are supposed to be secure. While they have not disclosed to what extent non-secure content hurts rankings, they have said they plan to increase its importance over time.
Finally, and most seriously, there is security itself. When a retailer places non-secure code on their website on behalf of a vendor such as an ad server, they create a type of trap door for hackers to stage “man-in-the-middle” attacks, where the hacker can take over a page without the customer or company knowing. Attackers can steal data or send a customer to a counterfeit page before anyone is the wiser.
The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found that for large organisations the cost per breach is between £600,000 and £1.15 million. That price will only increase over the holidays, when traffic is at its peak. The good news is that security issues such as non-secure tags on secure pages can be easily fixed with the right tools. Now is the time for websites to audit the technology partners that have access to their website and ensure that any blind spots are taken care of.
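
One way to run the audit recommended above, as an added example that is not taken from Ghostery's study or tooling: it parses a secure page's HTML and lists the vendor hosts whose tags load over plain http. The hostnames and sample page are constructed, and the active/passive labels follow the usual browser mixed-content distinction rather than anything defined in the study.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, mixed-content class). "active" loads can rewrite the
# page (scripts, frames, stylesheets); "passive" loads are media such as pixels.
LOADS = {"script": ("src", "active"), "iframe": ("src", "active"),
         "link": ("href", "active"), "embed": ("src", "active"),
         "object": ("data", "active"), "img": ("src", "passive"),
         "video": ("src", "passive"), "audio": ("src", "passive")}

class TagAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = defaultdict(list)  # vendor host -> [(class, tag, url)]

    def handle_starttag(self, tag, attrs):
        if tag not in LOADS:
            return
        attrs = dict(attrs)
        attr, kind = LOADS[tag]
        # Only stylesheet links fetch a subresource; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        raw = (attrs.get(attr) or "").strip()
        if not raw:
            return
        # Resolve relative and protocol-relative URLs against the secure page.
        parts = urlsplit(urljoin(self.page_url, raw))
        if parts.scheme == "http":
            self.findings[parts.hostname].append((kind, tag, raw))

def audit(page_url, html):
    """Return {host: [(class, tag, url), ...]} for http loads on an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit applies to secure (https) pages only")
    parser = TagAudit(page_url)
    parser.feed(html)
    parser.close()
    return dict(parser.findings)

# Constructed sample page; all hostnames are placeholders.
SAMPLE_HTML = """<head><script src="http://ads.vendor.example/tag.js"></script>
<script src="//cdn.vendor.example/lib.js"></script>
<link rel="canonical" href="http://shop.example/checkout"></head>
<body><img src="http://pixel.vendor.example/p.gif?id=1">
<iframe src="HTTP://widgets.social.example/like"></iframe>
<script src="/js/cart.js"></script></body>"""
```

Calling `audit("https://shop.example/checkout", SAMPLE_HTML)` reports three vendor hosts; the protocol-relative script, the relative script and the canonical link are not flagged because none of them causes an http load from the secure page.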