The average retail website now uses between 40 and 60 third-party technologies to build its online experience, and retailers said they planned to add an average of 3 to 5 new third-party technologies to their sites over the course of 2019.
However, many businesses don’t realize the security risk these third-party scripts pose. Supply chain cyberattacks, in which criminals exploit third-party services and software to compromise their ultimate target, are on the rise.
What do all these attacks have in common? Malicious injects. An injection attack occurs when an attacker adds, or injects, their own instructions into an existing, authorized application execution process. Commonly, attackers breach a single third-party script in order to reach every site on which it runs, all at once.
According to a 2018 survey by the Ponemon Institute, 59 percent of companies have experienced a data breach caused by one of their vendors or third parties. Despite this, organizations have sharply increased their dependency on third-, fourth- and even fifth-party technologies, sharing confidential and sensitive information with a staggering 583 outside parties on average.
Nevertheless, many still don’t know how best to manage these relationships to keep their supply chain secure. Only 34 percent keep a comprehensive inventory of their third parties, a figure that drops to 15 percent for ‘Nth’ parties.
Magecart: Masters of the supply chain attack
Image: Trend Micro
The Ponemon Institute recommends the following best practices for ensuring that your third-party vendors aren’t leaving the back door open to criminals: conduct regular audits and assessments to evaluate the security and privacy practices of third parties, and track every third party that has access to sensitive data as well as how many of those parties share that data with others. In addition, it advises involving senior leadership, since high-level attention to third-party risk may increase the budget available to address these threats. Technical controls that address the client-side risk on the website itself include:
- Real-time website monitoring: Monitor all network requests into and out of the website to detect potentially malicious activity
- Automated website privacy audit and alerts: Detect risks to your organization’s data privacy rules – website scanning checks for unapproved technologies that may have access to your customer data
- Masking of sensitive data: Define the unique data patterns that must not appear in a URL, so that sensitive data is neither exposed there nor passed to unauthorized third-party technologies
- Whitelisting and blacklisting of third-party technologies: Define permissions for approved third-party vendors that you choose to allow access to data, or block specific vendors from receiving particular types of data
- Privacy gateways: Block unknown and unwanted website trackers, technologies and tags from firing on the site and collecting sensitive customer data
- Blocking of unauthorized network calls: Block Magecart-style attacks, CSS hacks and man-in-the-browser attacks to protect end users and stop data leakage
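To make the monitoring, whitelisting and masking controls above concrete, here is a small client-side request auditor written as an added example (it is not code from the article or from any product it describes): each observed request is resolved against the page origin, its host is checked against an allowlist of approved third-party hosts, and its query string is scanned for card-number-shaped values. The hosts, URLs and regular expression are constructed for the illustration; the Luhn check keeps random 16-digit order numbers from being reported as card data.

```javascript
// Constructed allowlist: the first-party host plus the third-party vendors approved to receive data.
const APPROVED_HOSTS = ["shop.example", "cdn.example", "analytics.example-vendor.com"];

// True if host is an approved host or a subdomain of one. A plain endsWith() on the
// bare name would let "evilcdn.example" pass as "cdn.example"; the dot boundary prevents that.
function isApprovedHost(host, approved = APPROVED_HOSTS) {
  return approved.some((a) => host === a || host.endsWith("." + a));
}

// Luhn checksum over a string of digits (standard card-number check digit).
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Return card-number-shaped values (13-19 digits, spaces/dashes allowed, Luhn-valid) found in a URL's query or fragment.
function findCardNumbers(url) {
  let haystack = url.search + url.hash;
  try { haystack = decodeURIComponent(haystack); } catch { /* keep the raw string if percent-decoding fails */ }
  const found = [];
  for (const m of haystack.matchAll(/\d[\d\- ]{11,21}\d/g)) {
    const digits = m[0].replace(/[\- ]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Classify one outbound request relative to the page origin. Returns { url, verdict, reasons }.
function auditRequest(rawUrl, pageOrigin, approved = APPROVED_HOSTS) {
  let url;
  try { url = new URL(rawUrl, pageOrigin); } catch {
    return { url: rawUrl, verdict: "block", reasons: ["unparseable-url"] };
  }
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("non-https");          // also catches data:/blob: exfil channels
  if (!isApprovedHost(url.hostname, approved)) reasons.push("unapproved-host");
  if (findCardNumbers(url).length > 0) reasons.push("card-number-in-url");
  return { url: url.href, verdict: reasons.length ? "block" : "allow", reasons };
}

function auditRequests(rawUrls, pageOrigin, approved = APPROVED_HOSTS) {
  return rawUrls.map((u) => auditRequest(u, pageOrigin, approved));
}
```

In a real deployment the list of observed URLs would come from a monitoring hook such as a PerformanceObserver or a network proxy; the auditor itself is independent of the source.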