Digital Vendor Risk Management – The Next Compliance Frontier

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Law360 in September 2017

Compliance Rules Law Regulation Policy Business Technology concept

In 2013, Target, a popular US-based retailer suffered a massive data breach as a result of a compromised contractor. That incident, and countless others like it, changed the way organizations—and regulators—view data security, third-party business relationships, and risk management.

Unfortunately, heightened awareness of third-party risk and the urgency of identifying third-party activity has not fully extended to the consumer-facing digital assets—websites, mobile applications, social media—that form the backbone of modern business-to-consumer communications. As demonstrated by Equifax’s recent website breach[i], internet-rendered risks need to be taken more seriously. Enterprises that fail to see how their digital assets act as conduits for nefarious actors and for unauthorized data collection and data sharing, could result in dire consequences in the form of regulatory fines, security incidents and brand damage. Besides lost fees, law firms and legal consultants are doing a disservice by not providing a more comprehensive guidance to their clients.

Dynamic digital ecosystem

Internet-related technology has changed dramatically in a short time span. To put things into perspective, 20 years ago websites contained static code, mostly owned and operated by the enterprise. Fast forward to today and the polar opposite: a majority of code that executes on websites (between 50-75%) come from third-party service providers.

Third-party vendors provide the interactive and engaging functionality that people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, third parties are also the source of numerous backend services that optimize the digital business-to-consumer interaction—content delivery network, marketing management platforms, consumer data tracking, data analytics, and more.

Yes, third parties are critical to the business-to-consumer digital experience, but they also present critical challenges to the enterprise. Many enterprises do not closely monitor the scope and nature of the data collection and sharing activities occurring on their digital assets. Because third-party vendors typically operate outside the purview of today’s IT and security infrastructure, enterprises often have minimal insight into or control over the actual website code execution and data collection activities on its digital assets, including activities that directly impact a customer’s browser.

Many of today’s website security solutions and consent management tools are insufficient to monitor this third-party code and data collection activities. As a result, digital assets can easily be compromised without an enterprise’s knowledge and become a conduit for malware propagation, data leakage, and unauthorized tracking and data collection. Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance; and, this reality should be a major boardroom or C-level topic.

Enterprises need digital asset compliance strategies for various domestic and international privacy and security regulations such as COPPA, HIPAA, FERPA and GDPR, among others, as well as industry standards such as PCI DSS and voluntary self-regulatory practices. The ability to demonstrate compliance reduces the risk of penalties, hefty fines and ensuing reputational harm, not to mention black swan events as experienced by Target and Equifax.

Digital risks require a digital management approach

Effectively identifying, defining and mitigating digital asset risk, while challenging, is consistent with the principles of Vendor Risk Management (VRM; sometimes also called “vendor management”). VRM is the widely adopted practice of building an extensive organization-wide plan to identify and decrease the potential business uncertainties and legal liabilities associated with third-party vendors, especially in relation to information technology (IT) products and services. Today’s digital environment requires VRM strategies, but with a twist to adapt to its ever-changing nature and the fact that most digital asset activities are not traditionally associated with privacy, data security, and compliance.

Enter digital or online vendor risk management. This process extends the third-party risk management processes of VRM to the various vendors who are active in an enterprise’s digital ecosystem. Effective application calls for collaboration among security, risk and compliance professionals to ensure continuous monitoring of consumer-facing digital assets—websites, mobile apps and social media—to identify, analyze and govern third-party digital vendor risks.

Mapping the uncertainty and potential threats that third-party activities on digital assets pose is not straightforward. Due to the size, complexity and variability of the opaque enterprise-digital vendor relationship, digital asset management requires a specific policy. First, however, enterprises need to evaluate risks in two critical areas:

  1. Security: An enterprise’s digital assets are directly affected if a third- (or even a fourth- or fifth-) party vendor’s code is compromised to deliver malware to consumers, redirect consumers or create a vulnerability that can be exploited to breach the enterprise network. As the primary vector for the incident, the enterprise is responsible for protecting not only its digital assets and network but also its customers, employees, and third parties who use those digital assets.
  2. Data Regulations: Organizations are also responsible for preventing undisclosed or unauthorized data collection and data sharing activities on their digital assets, even if the conduct results from the activities of a third-, fourth-, or fifth-party digital vendor and the enterprise is not aware of those activities.

For example, if a digital vendor contributing code to an enterprise website collects information about or tracks online activities of children (under 13 years of age in the U.S., or presumptively under 16 years of age in the E.U.) the enterprise may have violated COPPA and/or GDPR.  The enterprise bears a significant portion of liability because the activity took place as a result of a digital vendor authorized to execute code or engage in other activities on their digital asset and they did not monitor those activities or otherwise manage vendor risk.; Failing to explicitly detail, monitor, and enforce authorized digital asset activities and prohibit unauthorized ones could have significant legal, operational, and trust implications for the enterprise.

Evaluating these two critical areas highlights both the types and levels of risk posed by failing to manage third-party digital vendors. Furthermore, the answers point to the need for developing a specialized digital asset policy(ies), which should be shared with digital service partners and providers to make sure that they, too, are aware of their compliance obligations and for the risks associated with non-compliance. This policy should address regulations (national and international), industry best practices and company-specific data policies.

Rein in risk exposure for websites and mobile apps

The digital ecosystem is riddled with security and compliance hazards, and U.S. and international regulators are increasingly aware of the risks posed by third-party digital vendors and the absence of enterprise awareness. Emerging regulatory frameworks, including GDPR, place an increased emphasis on vendor management and thus provide a rare opportunity for legal and compliance consultants to educate their clients about the hidden vulnerabilities in their digital assets and the importance of risk mitigation. Now, more than ever, IT, security, risk and compliance departments must collaborate to effectively govern their digital assets.

At a high level, the process for controlling digital asset risk involves three steps:

  1. Discover and classify: Identify all digital vendors and analyze all digital vendor code executing on websites, mobile apps and social media platforms.
  2. Communicate and comply: Once the digital vendors have been identified, share your digital asset management policy with them, set parameters to measure their compliance with relevant policy directives, and establish contracts delineating authorized activity. Pay particular attention to real-time cookie drops, pixel fires, other data tracking elements that identify users and/or their devices, and data collection and sharing activities.
  3. Monitor, resolve and report: When monitoring discloses an unauthorized digital asset activity, the enterprise should block the code and remediate the unauthorized activity with the offending vendor. Create an audit trail by documenting the entire cycle and vendor ability (and willingness) to abide by stated policies.

If digital or online vendor risk management seems like a lot of work, or an unnecessary extension of existing compliance practices, then security, privacy, risk, legal and compliance professionals should ask themselves: “Would we allow a stranger to enter our office building and carry out unauthorized activities such as taking our customer information, sending our customers to our competitors, or violating our policies and procedures?” No, you wouldn’t. Therefore, it only makes sense to exercise the same caution for your digital assets.

[i] http://www.prnewswire.com/news-releases/equifax-announces-cybersecurity-incident-involving-consumer-information-300515960.html

Getting serious about malvertising with TAG

Authored by Alex Calic, Chief Revenue Officer, The Media Trust

3 steps to anti-malware certification

cmyk TAG Certified Against Malware

Malware is a serious problem in the digital advertising ecosystem. Not only is it a contributing factor to ad blocking adoption, but also a significant driver of ad fraud. The World Federation of Advertisers estimates that the total cost of ad fraud could exceed $50B by 2025. Clearly, something must be done.

Various groups have attempted to address this malware problem with little success, but one group is taking decisive action. The Trustworthy and Accountability Group (TAG)—supported by the IAB—recently launched a malware certification program. As an inaugural certification recipient, The Media Trust is fully behind this initiative—just ask for program details.

The certification program is open to any entity that touches creative as it moves through the digital advertising ecosystem, from buyer to intermediary to seller. Even malware scanners like The Media Trust have the option to participate and commit to industry efforts for creating a healthier advertising supply chain.

Benefits: Reap what you sow

TAG’s “Certified Against Malware” seal is awarded to enterprises that can demonstrate adherence to rigorous anti-malware standards, especially those delineated in TAG’s Best Practices for Scanning Creative for Malware.

The program yields a host of benefits for publishers and their upstream partners. Specifically, participating companies can:

  • Improve their enterprise security posture: Adoption of continuous, 24/7, client-side scanning of digital advertising campaigns detects malware before it propagates to consumer devices.
  • Speed incident response: By allowing The Media Trust to send simultaneous alerts to you and your business partners, you reduce the time needed to resolve the issue across your entire advertising value chain.
  • Satisfy upstream partner requirements: Demonstrate compliance with advertiser and/or buyer directed policies for security.
  • Protect your brand value: Receive a “Certified Against Malware” seal from TAG to signal your enterprise’s efforts to identify and remediate malware in the digital ecosystem, a key element in many value propositions
  • Prove digital asset governance: Discovery and validation of all parties executing in your digital ecosystem supports enterprise-wide governance and risk frameworks.

Requirements: Steps to anti-malware certification

Anti-malware certification program participants promise to adhere to malware scanning best practices, make best efforts to identify and terminate malicious activity, and submit to a TAG-directed audit.

You, too, can join industry efforts by following these steps:

  1. Complete TAG registration: If not already a TAG-registered company, fill out the registration form, signal interest in malware certification (fees may apply), and designate both a TAG Compliance Officer and a primary malware point of contact. Indicate anticipated anti-malware certification path:
  • Self certify: Enterprise submits forms and documentation directly to TAG
  • Independent validation: Accredited audit firm or digital media auditor submits forms and documentation to TAG on the enterprise’s behalf
  1. Evaluate digital advertising ecosystem: To determine a reasonable scanning cadence, companies need to understand existing inventory flowing through the environment and the involvement of all upstream partners. Review existing inventory and assess typical volume by in-house, direct and programmatic; and, also consider the volume percentage by display, mobile, video, header bidding, etc.

Upstream partners should be identified and points of contact for security violations documented. Appraise each partner according to their history of addressing malware incidents, industry reputation and general relationship experience. Especially if a direct contract is not involved, discuss respective malware scanning responsibilities.

  1. Scan inventory: Implement malware scanning according to TAG’s Best Practices for Scanning Malware and document the entire processes. As a Certified Against Malware scanner, The Media Trust provides documentation on the scanning protocol for your environment including resolution procedure for malware incidents (Red Flag event).

NOTE: Watch this quick overview of TAG’s recommended scanning cadence.

Terminate malware: What are you waiting for?

The future of the digital ecosystem rests on everyone’s shoulder—advertiser, agency, ad tech and publisher. Let’s make it a better place. Verify your inventory is malware-free. The Media Trust can show you how—Just ask.

EU Publishers: Clean up your cookies or get burned by GDPR

This article originally appeared in Digiday: https://digiday.com/sponsored/mediatrustbcs-008-eu-publishers-clean-cookies-get-burned-gdpr/ 

The ticking clock on the General Data Protection Regulation (GDPR) website is a stark warning for digital publishers behind on preparations for the EU’s massive expansion of data privacy rules. The GDPR is coming, and soon.

Europe’s privacy laws are tightening even further, potentially limiting the data that publishers can collect and the ways they can collect it. The GDPR is technology neutral: but – once again – it’s the cookie that will be caught in the GDPR’s crosshairs. The GDPR has broadened the scope of personal data to include online identifiers, such as cookies and other identifying code such as pixel fires or device fingerprinting). Cookies gathering user data without a lawful basis (e.g. consent) will fall on the wrong side of GDPR. That puts publishers at risk of potentially groundbreaking fines and penalties. That’s why we’ve prepared this guide to the three types of cookies to watch out for, and how publishers can manage them.

https://digiday.com/sponsored/mediatrustbcs-008-eu-publishers-clean-cookies-get-burned-gdpr/

Continue reading

Malvertising: Is this the beginning of the end?

TAG Malware Scanning Guidelines

Decoding TAG malware scanning guidelines for tactical use 

Note: View webinar at https://www.themediatrust.com/videos.php 

The advertising industry’s crackdown on malvertising has begun. TAG’s recently-released malware scanning guidelines clearly state that every player in the digital advertising ecosystem has a role in deterring, detecting and removing malware.

However, these guidelines need to be translated into action plans. As with many cross-industry initiatives, the TAG guidelines serve several different groups across the digital ecosystem while also introducing security concepts to advertising/marketing professionals. The use of words such as: interdict, cloaking, checksum, and eval(), may baffle many ad ops professionals just like defining “creative” as a payload may baffle security teams.

The good news is that The Media Trust’s existing malware clients are already 100% compliant with the guidelines. Other ad ops teams at agencies, ad tech providers, and publishers, will need to translate the best practices into tactical actions in order to bring their operations into compliance.

What is clear: Scanning is in your future

Every entity that touches or contributes code to the serving of an ad plays a role in malware deterrence – this much is clear. Agencies, ad tech providers and publishers alike are, therefore, expected to proactively and repeatedly review their ads for malware.

Specifically, the guidelines state that:

  1.    Ads and their associated landing pages must be scanned for malware
  2.    Scanning should be performed before an ad is viewed by the end consumer
  3.    If initial scanning detects malware, then the ad must be rescanned until malware-free

Read between the lines: Reap what you sow

The complexities of the digital ecosystem make it almost impossible to explicitly state what each player in the advertising ecosystem should do. Typically, the amount of scanning required is directly proportional to the risk of serving a malware-infected ad or directing to a malware-infected landing page. While there are some directional tips, the guidelines also present a few abstract recommendations:

  • Scanning frequency

Ad formats, demand types, consumer reach and access to an ad as it traverses from advertiser to publisher, affect the frequency of recommended scanning.

For instance, a publisher with a campaign using hosted, static ads, targeting a small number of impressions does not have as robust a scanning requirement as a publisher running campaigns with rich media served programmatically. And, an ad contaminated by malware needs to be scanned more frequently than one that doesn’t set off alarm bells during the initial scan. And, an ad that changes mid-flight—modifying targeting, increasing number of impressions, introducing rich media—requires additional scanning.

  • Proof of scanning

Claiming an ad is scanned is not sufficient. As a best practice, all parties should document proof of scanning and this proof should contain creative id, tag specifications, date of initial and subsequent scans and scanning results. In addition, each party in the advertising value chain should establish a point of contact for reporting malware and communicate it to their upstream and downstream partners. 

  • Know your partner

A critical factor that informs rescanning cadence is the provider’s confidence in their upstream partner(s). Long-standing relationships with reputable, responsive partner(s) infers a reduced likelihood of malicious activity, as opposed to a newly-formed partnership with a one-man shop based in a foreign country. And, the provider should also track and document if their partner adheres to the scanning guidelines, too.

Look ahead: This is just the beginning

The guidelines clearly set the stage for optimizing ad quality and its resulting effect on the user experience, with an emphasis on security. A 100% malware-free advertising experience can’t be guaranteed, but everyone agrees it can be greatly improved. Future steps will undoubtedly address data privacy, ad behavior and more.

While these guidelines provide the impetus to tackle malvertising, it’s a safe bet that industry leaders will push to make them standard a la TAG Certified Against Fraud and Certified Against Piracy programs. And, in order to standardize, a certification and evaluation or audit process will be needed.  

Stay tuned.

Learn more
The Media Trust hosted three informative webinars presenting specific direction to publishers, ad tech providers and agency/buyers. To view, visit https://www.themediatrust.com/videos.php

To mock or not to mock?

Avoiding fraudulent advertising campaign verification is critical for publishers

ad-mockup

That is the question frequently asked by media publishers trying to meet advertiser demands related to digital campaign success. The industry’s intense focus on viewability and transparency issues associated with ad fraud hijacks the limelight from another vital area of interest for advertisers: Are campaigns actually running as contracted?

What the advertiser wants, the advertiser gets

To justify the millions (and millions!) of dollars spent promoting products, advertisers rightfully demand proof that their campaigns execute as promised.

From expected ad rendering on the page to accurate targeting by geography and behavior profiles, advertisers want to know that the right ad has been served in the right way in the right location on the right page to the right demographic. In fact, when considering the average spend of a large-scale national campaign flight, many advertisers will assert they deserve to know their campaign is performing as promised.

Authenticated ad inventory yields benefits

The advertising ecosystem is a dynamic environment processing millions of ads covering billions in spend at any one time. Considering that 5% of display and mobile ads are served incorrectly at launch and countless more break during flight, publishers need to actively monitor and protect their ad-generated revenue channels.[i]

Authenticated ad inventory helps publishers secure ad revenue by avoiding pre-planned delivery overages to compensate for anticipated discrepancies. In addition, it also reduces the frequency of misfiring campaigns, thus minimizing instances of “make good” campaigns.

Ad verification is more than good looks

Reputable publishers recognize the value of their high-quality inventory and demonstrate it by providing proof of ad delivery according to established terms. This is a complicated prospect in an age of large-scale campaigns incorporating ads of varying formats (i.e., HTML5, pre/mid/post-roll video, native, etc.) through multiple platforms (i.e., display, tablet, smartphone, gaming consoles, etc.) across increasingly granular targeting segments.

A Photoshopped “mock-up” or full-page capture of the ad on a screen is a start, but it isn’t enough. Presenting a “mock-up” of how an ad should look could be considered fraudulent as it’s not a true representation of how an ad performs across all formats, devices and geographies. In fact, several industries (Tier 2 automotive, pharmaceutical, etc.) and countries (especially those in Latin America) regulate advertising-based billing processes and require third-party verified screenshots upon invoice presentation.

Beyond the visual of “how” an ad looks on a device, publishers must prove that each ad is delivered as contracted with the advertiser. Continuous monitoring of campaigns at launch and throughout flight will quickly detect errors associated with targeting, creative and device-specific issues that impede optimal campaign execution.

Authentication of possibly hundreds of ad combinations—by size, format, device and geography—is used by publishers to substantiate inventory value and by advertisers to audit and measure campaign ROI.

Consider this

To verify accurate ad placement, execution and targeting, a publisher must consider these five factors:

1.    Legitimacy: Screenshots of ads in a live environment truthfully demonstrate that an ad is delivered to the right target. A “mock-up” or “test page” may display how an ad appears on a site, but in reality it provides a false sense of security for how the ad is actually executing. It also infers that the ad will render the same across all devices, OS, formats and geographies.

2.    Accuracy: Mock-ups can’t prove ad placement as many ad units only occur behind paywalls or require an IP address in order to serve the correct messaging to the individual user.

3.    Automation: Imagine scaling the manual process of verifying ads across the overwhelming number of devices, browsers, user profiles, formats, sizes and geo-locations. Without automation, the task is almost impossible. Leverage technology to streamline the process.

4.    Costs: Carefully consider the total cost of ownership when deciding between an in-house or outsourced process. While in-house resources are easier to control, it is difficult to secure funding and keep the staff engaged. On the flip side, outsourcing requires integration, training, probable coordination with targeting vendors, and continuous oversight which could ultimately be more costly than anticipated—not to mention the complications of managing a remote team, in a case of choosing a non-local entity if a non-native entity is selected.

5.    Quality Assurance: Reliance on mock-up designs to certify campaign execution will not catch errors that occur at launch or throughout the campaign flight.

Ad verification is a complex, yet critical endeavor for publishers looking to highlight inventory value. Don’t mock it.

 

[i] The Media Trust analysis of millions of ad campaigns verified over the course of 10 years.

Ecommerce can be bad for your financial health

Compromised Landing Pages

Compromised landing page allows unauthorized collection of credit card information. 

A holiday weekend will prove more memorial for some visitors to several ecommerce sites. Customers wishing to purchase athletic gear or sign up for a competition risked having their credit card information collected by an unauthorized third party.

Detecting the infection

In the United States, Memorial Day signals the start of summer and the three-day holiday weekend kicks off with numerous large-scale promotions and sales campaigns pitching outdoor-related goods and services. Consequently, the digital advertising ecosystem usually experiences a jump in campaigns to drive traffic to ecommerce sites—a ripe opportunity to leverage.

The Media Trust team detected extraneous JavaScript code executing on the payment landing page for several medium-sized, sports-oriented ecommerce websites.

First detected in the early afternoon of Saturday, May 28, legitimate advertising creative directed users to legitimate ecommerce sites which happened to be compromised. The “angular” domain (angular.club) injected superfluous JavaScript throughout the sites to collect information input by a user, such as race registration or financial details associated with a purchase.

Memorial Day Sales

Diagnosing the financial headache

The angular domain injected UTF-8 encoded script throughout the entire ecommerce site and obfuscated itself by adopting the name of the site into its script, i.e., angular.club/js/site-name.js. Searching on the root domain “angular.club” redirects to “AngularJS.org”, a valid Google JavaScript framework and another attempt at misdirection to hide the true intention.

It’s likely the bad actor penetrated the content management system (CMS) or website theme template in order to ensure the code executed on all pages, especially the payment landing page.

Compromised JavaScript

Example of JavaScript

This code collects a range of financial and personally identifiable information (PII) including billing name, address, email, telephone number, credit card number, expiration date, and CVV.

The information is then sent to another server unassociated with the ecommerce site owner. The host of the angular domain and the web service that collects the credit card information are owned by the same entity, whose host server is in Germany and registered to someone in Florida.

Per The Media Trust team, there is no valid coding reason for this JavaScript to be on the website. The script’s sole purpose is to inject a block of code into the web page to collect credit card information and send it to another server where it can be used for future use—purchase online goods, sold on the dark web, used to buy domains to launch additional attacks, etc.

Assessing the health of the ecommerce site

The ecommerce site operators removed the code from there sites late on Tuesday, May 31. Frankly, the damage was already done.

During a strong promotional period, several small- to medium- sized ecommerce sites did not realize their expected traffic. Due to the malicious nature of the landing page associated with these campaigns, The Media Trust alerted our ad tech clients to block the serving of the ads. In one instance, seven different creative supporting more than 200 ad impressions did not execute. In addition, one of the campaigns promoted an event with an expiration date of Wednesday, June 1.

Prescribing the cure

The Internet can be a scary place, full of bad actors looking to make a quick buck by preying on the good nature of others—consumers and website properties alike. Holiday periods are when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. And, ecommerce is especially vulnerable due to the direct impact to revenue.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Continuous website monitoring will alert you to an anomalous or unexpected behavior of third-party vendors and first-party, website operator code. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.