Your website is the primary way your customers interact with your enterprise. You envision and create a website to:
- Enhance customer engagement and conversion of visitors to customers.
- Optimize revenue per customer.
- Create repeat customers.
- Retain customers, i.e., avoid customer attrition and abandonment.
Adding security to the overall business strategy should initiate the following questions to ensure you are making informed decisions for the safety of your brand and your customers.
1. What scripts are running right now on my website?
What services and scripts are you utilizing to optimize your website? Going a step beyond that, what scripts are running on your website?
There are thousands of third-party website scripts marketing teams routinely employ to achieve these goals. They include analytics, trackers, live or virtual customer engagement, social media scripts, and site monetization through advertising – just to name a few. New and innovative website scripts are constantly being released and those enterprises that best leverage them are at an advantage relative to their peers and competitors.
However, your security department limits your usage of these powerful scripts by:
- Limiting how many third party scripts you use on your website.
- Restricting your usage to mature tools and scripts and limiting your usage of newer, more innovative ones.
- Preventing your usage of third-party scripts in your most impactful (but also sensitive) areas of your website.
Although these limitations were once put in place for good reason, they are absolutely constraining your ability to achieve the goal of maximizing business performance through optimization of your website capabilities.
2. Am I being consulted every time a new script is being added to our website?
If you don’t think you need to be consulted, then what are the precautionary steps to ensure there is a protocol in place for checks and balances for your website security? Depending on how small or large your organization is, you may not have a daily digest into the inner happenings of your team.
The security team may be actively monitoring third-party scripts, which is a great first step in client-side website protection. However, a loophole that many people forget is how website owners are addressing fourth- and fifth-party scripts that the approved third-party scripts bring to your website.
3. Are we protecting our customers and their data?
Due to the lack of permissions that govern and limit the access and behavior of third- party website scripts, those third parties and the hackers that seek to compromise them have unrestricted access to nearly every aspect of the webpage including customer data that is displayed on the page or entered by the customer.
This includes usernames, passwords, personally identifiable information, payment information, and other sensitive and regulated data. In fact, beyond this ability to access this information, the unrestricted access granted to these third-party scripts might enable hackers to exploit them to:
- Record all customer keystrokes and data.
- Manipulate webpage form-fields to dupe customers into revealing unnecessary and sensitive information to unauthorized third parties and/or hackers.
- Inject popup boxes that request unnecessary and sensitive information from the customer.
- Hijack the users’ mouse clicks and automatically redirect them to unauthorized external websites where customer information is phished and stolen.
4. What regulations should I be paying attention to? Are they releasing any information on new attack vectors?
Is HIPAA, PCI, GDPR or CCPA something your organization adheres to? The Internet has significantly extended an organization’s security perimeter, since enabling and enriching a website allows attackers to exploit the fact that the attack surface extends across the entire Internet.
GDPR, HIPAA and PCI are only a few of the regulations set up to ensure companies (and individuals) are protecting the customer/consumer.
New attacks have a way of skirting around existing security measures. A simple Google search can give you the answer on new and up-and-coming attack vectors and if organizations are actively preventing them.
5. Could my organization be the next victim?
Are your competitors or similar companies in your field being targeted? Attackers such as the Magecart groups are known for going after eCommerce companies. That being said, similar industries utilize similar tools and scripts within their space. Those similar scripts can then prove easy for a hacker to move from one site to the next checking any crossover to see if there are potential areas of already known vulnerabilities on each website.
Just because it hasn’t happened, doesn’t mean you are immune to it. Setting up precautions is truly the only way to ensure you are protected and can control all of the elements on your website.
In summary, it’s important to ensure you or at least your team holds all the cards. If you aren’t sure where to start, just ask for an analysis on the third-party scripts running on your website and see if there is anything that surprises you in the results.
From: helpnetsecurity.com