Top 10 Mistakes Companies Make in GDPR Preparation


This article appeared in the March 14, 2018 issue of ITBusinessEdge 


With the EU’s General Data Protection Regulation (GDPR) only less than three months away from enforcement, organizations are (hopefully) pulling together their GDPR strategy. However, the nuances of GDPR are something most of us are still trying to understand – and we probably won’t grasp until the regulation is in effect and tested. In the rush to meet the compliance standards, errors will likely be made. I talked to security experts, and here are some of the more common GDPR prep mistakes.

“When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,” explained Chris Olson, CEO of The Media Trust. “This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”

Continue Reading

Cryptomining: the new lottery for cybercriminals

This article by Chris Olson, CEO at The Media Trust, was originally published on CSO, March 14, 2018



Cryptomining has surpassed even ransomware as the revenue generator of choice according to a Cisco Talos report, which claims crypto-mining botnets can earn hackers up to $500 dollars a day and a dedicated effort could equate to more than $100,000 dollars a year. Representing the perfect balance of stealth and wealth for cybercriminals and some unscrupulous, but legitimate online businesses, cryptomining is quickly becoming a major concern for enterprise IT who frequently don’t know their digital assets have been compromised.

With stringent privacy laws coming online in 2018, it is imperative that organizations know all partners that execute code on the website. This information is critical for not only identifying the rogue source but also communicating expectations and enforcing compliance—key mitigating factors when it comes to regulatory penalties.

Continue Reading

The Battle to Secure the Digital Environment

This article by Chris Olson, CEO at The Media Trust, was published in “CSO Online” on January 12, 2018.


Read article

There’s no escaping it: costs to recover from a cyber incident continue to mount, projected to reach $8 Trillion by 2022 according to Juniper Research. Enterprises can’t keep pace with the increasing sophistication and cadence of internet-attacks, which are orchestrated by leveraging the components involved in everyday website functionality.

Information security is a growing, multibillion dollar business. Yet, the hits keep coming, with numerous high-profile breaches in 2017 generating unwanted front-page news for Equifax, Dun & Bradstreet, U.S. Securities and Exchange Commission (SEC), Deloitte, Whole Foods Market, Hyatt Hotels, Uber, and Anthem, among others. While there are many facets to the security problem, the digital environment proves to be the most elusive. In fact, the past 12 months bore witness to countless man-in-the-middle attacks, vendor compromises and bots to harm to consumers and employees alike, grabbing credit card data, enslaving system resources, and so much more.

Something is wrong. Could it be that security providers don’t have solutions to address today’s malware problems?

Continue reading


Websites: The Code for Cyberattacks

This article by Alex Calic, Chief Revenue Officer at The Media Trust, was first published in “Home Business Journal” on December 26, 2017.


Read article

Hacktivists, cybercriminals, disgruntled employees and even students deface websites as a satisfying pastime. Much like spraying graffiti across a storefront or government building, cyber attackers deliver in-your-face messages to not only your market but also the internet at large. What’s worse is that you might not even know about it until customer complaints begin to roll in. Clearly, these are high stakes for a small or medium-sized business that relies on the internet as a revenue channel and brand ambassador.

Continue reading

MarTech Today: Companies are afraid of everyone’s website but their own


Article appeared in MarTech Today, Nov. 16, 2017

Read article

The Media Trust CEO: Most of what happens on your web site is not controlled by you

And this third-party code, says Chris Olson, results in dozens of cookies for each user, security vulnerabilities and performance hits.


The Honest Truth about The Honest Ads Act

Building transparency with a little upfront disclosure

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

Red, white, and blue vote buttons background

The fake news furor and potential Russian involvement in the U.S. 2016 general election is reaching a fever point with multiple congressional hearings, and, digital advertising is in the crosshairs. Like many challenging discussions about digital advertising, transparency is at the heart of the issue.

Digital compliance for political ads

The proposed Honest Ads Act, a bipartisan effort to govern digital advertising according to the same rules followed by traditional broadcast media regarding political advertising, and is the one tangible fallout from the investigations.

The act calls for all politically-oriented digital ads to be declared at purchase, clearly labeled in the creative, and available for consumer access via a searchable interface. Among other things, the buyer must disclose their contact information, candidate and/or campaign, ad flight duration, number of impressions/views, and targeting criteria. The platform must collect this information and retain it for at least four years. It applies to digital platforms with at least 50 million unique visitors a month for the preceding 12-month period that have political ad buyers who spend at least $500 within a calendar year.

In a nutshell, it requires publishers know their ad buyers, ensure ads comply with (regulatory) policies and provide consumer access to these ads and any associated targeting criteria. Sounds familiar?

Transparency starts with the buyer

As The Media Trust announced a few short months ago, our Digital Vendor Risk Management (DVRM) platform provides real-time visibility and insight into non-compliant activity and threats operating in an enterprise website and mobile app environments. More than a risk management framework, DVRM operationalizes client-specific digital asset policies, continuously evaluates digital partner compliance, and actively facilitates the resolution of violating behavior.

The crux of this solution is the ability to identify and manage an enterprise’s digital ecosystem participants, from ad tech up to the source buyer, and authorize their presence. In addition to privacy regulation and escalating security concerns, the Honest Ads Act is just another reason why enterprises need to know their partners.

DVRM – A simple solution to a complex problem

Applying a political lens to DVRM it’s evident that the platform is already satisfying most of the requirements to enable transparency and accountability. Advertising supply chain partners register via an online portal; ads are uploaded and continuously scanned according to targeting criteria; client-specific policy violations are flagged; and, ads are stored for historical reference.

Self-regulation forces a new digital approach

Major platforms have announced their approaches to address congressional concerns and hopefully stave off the vote, let alone passage, of the Honest Ads Act. However, this self-regulation will need to extend to others meeting the requirement threshold, like ecommerce and media publishers.

Regardless of Honest Ads going to vote, changes are in the air. As an industry that has largely grown via self-regulation, the signals are obvious. It is incumbent upon the industry to embrace these changes, especially with the DVRM platform as an easy way to codify and operationalize your policies.

GDPR: The Pandora’s Box is Open for Enterprise Websites

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Website Magazine in September 2017

GDPR Pandora's Box
Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emitting from your digital properties. 

Digital vendors and the GDPR

The internet is a highly-dynamic environment and most websites require a host of third-party providers to render content on a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties since a majority of third-party contributed code executing on the consumer browser operates outside IT infrastructure.

True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.

Reliance on web application security tools (appsec) to holistically monitor website and app code is misguided since current web appsec tools are inadequate in capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection activity that takes place–such as cookie drops, pixel fires, device ID fingerprint collection, and more. When GDPR goes live in May 2018, Ignorantia juris non excusat (ignorance of the law excuses not) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.

What goes online stays online

One of GDPR’s key requirements centers around personal online behavior data—specifically information collected from an individual’s digital activity, i.e., websites visited, links clicked, forms submitted, etc.–and imposes restrictions on its safe transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred and confidence that it is adequately protected!

Thanks to the density of code executing behind today’s websites and mobile apps this data inventory task is easier said than done.

Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately companies will need to ensure each of their advertising partners do not engage in activity which could put their organization or customer data in violation of GDPR.

Let’s not forget that recent website security breaches also demonstrate that third-parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, they fail to extend the same rigor to their digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will be as a result of shadow IT resources. Based on this evidence it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see and can ill-afford to ignore?

Limiting the risks

The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:

1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?

Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.

Organizations must then, of course, strive to document how their third-party partners handle this same data—another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, from consumer online behavior data collection, use, storage and transfer.

When the regulation comes into force, enterprises that look at this as a key opportunity to protect user/ consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, less opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.