Only 11% of website decision-makers feel that they have complete insight into the scripts that they use on their websites, according to a recent survey of 307 US organizations done by Osterman Research.
However, industry estimates state that about 70% of the code on a website comes from a third-party library or service. The Osterman Research report highlights a clear need to raise awareness of the potential threats associated with the vulnerabilities inherent in third-party code.
So what are the greatest security threats stemming from third-party code?
Over 70% of decision-makers surveyed believe they have verified that their internally-developed scripts do not pose a security threat. However, when 70% of a typical website consists of third-party code, it is difficult to know where that code came from. As a result, the security procedures followed during the code's development are next to impossible to trace.
The fundamental conclusion to draw from these two data points is that third-party code on websites is a blind spot, and most website owners and decision-makers don't realize they have this vulnerability. This makes a website — or a large number of websites in the case of a third-party script that is widely used — open to attack. This is the case in recent large-scale Magecart attacks, in which cybercriminals skimmed payment information from companies such as Macy's, Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. Other exploits including formjacking and personally identifiable information (PII) harvesting also leverage common, broadly-used third-party code. All website owners should keep these threats in mind.
As threats grow in complexity and proliferate, website decision-makers are understandably under pressure. Almost half of the decision-makers surveyed stated that they were extremely concerned with their website being hacked, followed closely by 42% stating they were concerned with digital skimming attacks.
The survey found that only 29% of decision-makers reported being wary of Magecart attacks. In reality, Magecart attackers have carried out over 2 million attacks as of October 2019, including those on British Airways and Macy's, the former of which resulted in a £183 million ($240 million) GDPR fine. As only 38% of decision-makers are confident that they are secure from Magecart attacks, there is an opportunity to raise awareness of this threat and its potential impact on compliance, and to investigate potential solutions.
GDPR, PCI and California Consumer Privacy Act (CCPA) compliance standards impact the data security practices of companies doing business worldwide, yet only 32% of those surveyed considered a violation of GDPR to be a major issue. Given these worries, it's imperative to rethink your digital business infrastructure and to understand the extent of your potential risk.
Making Business Sense
Corporate complacency is far too common, as many companies wait until after they've been attacked to protect themselves from cybercriminals. More than one third of organizations surveyed have experienced a cyberattack that interrupted business operations. Among those that have been attacked, 91% consider their website safer due to steps they took after the attack to guard against similar attacks in the future. But why wait? When the stakes are so high, timely and proactive measures make good business sense.
Data breaches are serious. They impact customers whose sensitive data may have been leaked. Victimized companies face fines and damage to their brand reputation and revenue. And the individuals in charge of web security are also at risk if they don't adequately prepare.
In the event of a major data breach, 92% of decision-makers believe they would be terminated. This fear of termination is not unfounded, as evidenced by firings and resignations of executives at Target, Home Depot, the United States Office of Personnel Management, Sony and countless others after widely publicized data breaches. Avoiding this fate is not as complicated as it may seem — it simply takes acknowledgement of the threat landscape, visibility into one's web scripts, and adequate protective measures.
Understanding Your Scripts
It is essential to gain visibility into third-party code in order to maintain control of one's website. Only 32% of security teams have the power to shut down suspicious third-party scripts, with the remainder vulnerable to data leakage or loss.
The alarmingly limited power given to security teams and the ubiquity of third-party scripts on e-commerce websites spell significant risk for a broad variety of companies. This risk is compounded by the fact that most decision-makers are unaware of potential solutions to these problems. It's important to educate stakeholders about the threat of third-party scripts and about the sophisticated tools available to identify related vulnerabilities and stop attacks.
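As an added illustration of the script visibility this section calls for (example code, not from the article or from Osterman Research): a small Node.js script that inventories the external scripts in a saved page source, marks which hosts are third-party, and flags those that are not on an approved list or that load without Subresource Integrity. The site origin, the approved host list and the sample HTML are constructed for the demo.

```javascript
// Added example (not from the article): build an inventory of <script src>
// tags from saved page HTML so a security team can see which hosts the site
// actually loads code from, and which of those need a decision.
// Site origin, approved hosts and sample HTML below are constructed values.

// Matches <script ...> opening tags; attributes are parsed separately.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// One record per external script: { src, host, thirdParty, hasIntegrity, approved }.
// Inline scripts have no remote origin to classify and are skipped.
function inventoryScripts(html, siteOrigin, approvedHosts) {
  const site = new URL(siteOrigin);
  const records = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) continue;
    const url = new URL(attrs.src, site); // resolves relative and protocol-relative URLs
    const thirdParty = url.host !== site.host;
    records.push({
      src: attrs.src,
      host: url.host,
      thirdParty,
      hasIntegrity: attrs.integrity !== undefined && attrs.integrity.length > 0,
      approved: !thirdParty || approvedHosts.includes(url.host),
    });
  }
  return records;
}

// Scripts that need review: unapproved third-party hosts, or any external
// script without an integrity attribute (its content can change without notice).
function flagged(records) {
  return records.filter(r => !r.approved || !r.hasIntegrity);
}

// Constructed sample page source; the integrity values are placeholders.
const SAMPLE_HTML = `
<script src="/static/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.approved-vendor.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//analytics.unknown-host.example/tag.js"></script>
<script>console.log("inline");</script>`;

for (const r of flagged(inventoryScripts(SAMPLE_HTML, 'https://shop.example', ['cdn.approved-vendor.example']))) {
  console.log(`review: ${r.thirdParty ? 'third-party' : 'first-party'} ${r.host} ${r.src} integrity=${r.hasIntegrity} approved=${r.approved}`);
}
```

Run it against the saved HTML of a checkout page to get the baseline list of script hosts; anything that later appears outside that list is exactly the kind of change a digital-skimming attack introduces.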