A recent Tala Security study highlighted that a startling number of websites are not effectively deploying available standards-based security to safeguard against the growing volume of browser-side attacks. The website supply chain—the integrations that comprise the “under the hood” architecture of a website—is increasingly vulnerable to attacks. Today, it seems that too few companies are taking this threat seriously.
How are websites vulnerable?
Magecart refers to cyberattacks in which attackers inject malicious code into websites, often through a compromised third-party script, to steal personally identifiable information (PII) and customer payment data. These attacks have proven so successful that they have hit many large-scale online retailers, such as Ticketmaster, British Airways, Newegg, and Sotheby’s. Digital card skimming has become attractive to criminals because it is relatively simple, scales extremely effectively, and has a high chance of reward.
Other browser-side attacks besides skimming include XSS (cross-site scripting), formjacking, keylogging, screen scraping, phishing, ad injection, and many more.
What are the benefits of web security standards?
Protection of customer data from unauthorized access
In this digital era, our personal information is more vulnerable than ever before. Identity theft and data breaches are a constant threat to our personal finances, our credit scores, and our livelihoods. Companies that present a website for commerce or data collection assume the obligation of making sure that the experience is protected and that customer financial data and PII are secured. Website owners design their code to send form data to one or two third-party domains, but because of the reliance on third-party integrations, form data is in practice exposed to an average of 15.7 domains. Today, attackers are significantly undermining this important electronic trust relationship.
Stakeholder confidence in your business
Once a company has had a data breach, it is hard to regain the confidence of its stakeholders. In the case of major hacks, such as the 500,000 British Airways customer records compromised in 2018, the company name often becomes synonymous with the breach. In that case, the company faced a $230 million fine, the largest penalty ever under EU data protection laws. Such black eyes are hard to overlook. Brand damage as a result of an attack can cripple a business in the short and long term. Consider the valuation tumbles incurred by Yahoo, Marriott and Equifax resulting directly from poorly managed responses to hacks.
Improved company credentials
Today, the competitive web commerce landscape drives organizations to rely increasingly on these integrations to create rich experiences and provide the analytics used to continuously tune the customer experience. Implementing the available standards-based security, including CSP (Content Security Policy), SRI (Subresource Integrity), HSTS (HTTP Strict Transport Security) and Referrer-Policy, can effectively and cost-efficiently enable a website to integrate third-party tools with confidence.
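As an added illustration (not code from the article or from Tala Security), the following Python checks a site's response headers for the standards just named and computes the SRI `integrity` value that pins a third-party script to a known hash; the thresholds (one-year HSTS `max-age`, which referrer policies count as leaky) and the sample header sets are this example's own assumptions.

```python
import base64
import hashlib

def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """True if a fetched script body still matches any hash token pinned in integrity."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_integrity(body, algo) == token:
            return True
    return False

def audit_headers(headers: dict) -> list:
    """Return findings for CSP, HSTS and Referrer-Policy (thresholds are assumptions)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {}
        for chunk in csp.split(";"):          # "name source source; name ..."
            tokens = chunk.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline'")
        if "form-action" not in directives:
            findings.append("CSP has no form-action (form data may be posted anywhere)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age = 0
        for part in hsts.split(";"):
            name, _, value = part.strip().partition("=")
            if name.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < 31536000:                 # assumed minimum: one year
            findings.append("HSTS max-age below one year")
    policy = h.get("referrer-policy", "").lower()
    if policy in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")
    return findings

# Constructed sample: a weak header set beside a corrected one.
WEAK = {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300"}
STRONG = {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; form-action 'self'",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "Referrer-Policy": "strict-origin-when-cross-origin"}
```

`audit_headers(WEAK)` returns four findings while `audit_headers(STRONG)` returns none; `sri_matches` is the check a site can run periodically against the script bytes its CDN currently serves, since a changed body is exactly the supply-chain substitution SRI is meant to block.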
Faster recovery times in the event of a breach
When proper security standards are in place, a data breach can be contained and managed more easily. Developing an information technology disaster recovery plan now can save a lot of headache later—more than headache, it can literally save your business.