Channel: EnsightenBlog – Ensighten

Ensighten Wraps Up Multi-City AGILITY Tour Focused on Customer Data Best Practices


Ensighten hosted more than 400 customers, prospects and strategic partners from across North America and Europe in its eight-city Agility World Tour 2016, ending just last week at a venue overlooking the Thames River near the British Parliament Building in central London.

Rather than host a single user conference in one location this year, Ensighten instead opted to do what customers asked: host more meetings in smaller, more intimate settings closer to them.

The answer was the Agility World Tour, which focused on best practices, thought leadership, customer success stories, product vision, and fun and valuable networking. The tour was headlined by marketing technology visionary Scott Brinker, and featured some of the world’s biggest brands talking about the smarter management of technology and data: Citi, Dell, Fidelity Investments, The Home Depot, SunTrust Bank and many more.

Here are some of the highlights and headliners from the tour, which began in Los Angeles last March. (see photos)

  • Los Angeles, March 15 – Brinker, of chiefmartec.com fame, kicked off the first event in Los Angeles at the historic Carondelet House. His topic: Hacking Marketing: The Amazing Convergence of Marketing & Software. Marketing and software engineering, he argued, have a great deal in common. Agile software development offers insights to marketers who must learn to be agile and “fail fast” in the interests of optimizing marketing performance. Ensighten’s CEO, Josh Manion, spoke to the related topic, Convergence: Unlocking The Power of Data for Modern Marketing. Also among speakers was Troy Steen, senior manager of digital analytics and ecommerce at Dell, who focused on a topic of keen interest to marketers: using first-party data collection to drive in-the-moment experiences.
  • Austin, April 12 – It was on to Austin for the next stop, with marketing executives invited to this forum at the city’s premier event and live music venue downtown. Mayur Gupta, formerly head of digital at Healthgrades and now with Spotify, was the keynote speaker and argued for a connected marketing technology ecosystem in the healthcare industry to remedy fragmentation in organization, data and experience planning. Jim Parker, director of digital tools at Dell, gave an insightful presentation on increasingly stringent privacy laws and his company’s implementation of a global privacy solution, asking the question, “Do you have a privacy game plan?”
  • Atlanta, May 17 – AGILITY moved on to Atlanta in May to host a program featuring Brinker, The Home Depot, SunTrust Bank, Yahoo! and others. Ensighten’s product lead James Niehaus spoke about Accelerating the Value of DMPs with Tag Management Systems. Marketers may find it difficult to differentiate the strategy and benefits of data management platforms (DMPs) from tag management. In fact, the tag management system is key to enhancing the DMP’s audiences-building function by contributing first-party data, along with other sources of online and offline data, to improve performance in targeting digital ads. John Holland at The Home Depot gave a presentation on how to operationalize tag management at a global enterprise.
  • Boston, April 24 – In Boston, Ensighten hosted a morning breakfast session featuring a return engagement from Brinker, who talked more about his book, Hacking Marketing, which was given away free to everyone who attended the AGILITY tour. Fidelity Investments’ Grant Deppe talked about the future of tag management agility and what he calls the “full stack marketer.” Brian Hedrick, senior manager of search and native strategy at Yahoo!, shared compelling insights into data points on media consumption, including behavioral patterns of Millennials and Gen-Xers, who are digital multi-taskers. Given these behaviors, he advised brands to calibrate and target advertising based on device multi-tasking, specifically, mobile app behavior.
  • Paris, June 8 – AGILITY headed overseas for its next event, this time in Paris at historic Pershing Hall. Ian Woolley, GM for Ensighten EMEA, led off the event by exploring the Ensighten vision for enterprise tag management and the emergence of the customer data platform (CDP) as core to future marketing capabilities. Hervé Le Jouan, CEO of Privowny and an advisor to the European Digital Forum, offered a look at personalization in the multi-device environment in an “always-on” world of opportunities and risks. And Romain Stievenard, of France Médias Monde, reported on how tag management has become an integral part of its international digital strategy.
  • New York, Sept. 13 – The AGILITY World Tour took a break for the summer before opening to its biggest audience yet at Apella in the Alexandria Center. Customer speakers included Citi, Fidelity Investments and Tronc (formerly Tribune Publishing). Joseph Gordon, head of digital analytics for Tronc, addressed the question: How Omni-channel Customer Intelligence is Transforming the Modern Media Company. Tronc uses Ensighten’s customer data platform as a backbone to collect data and gain a unified view of the customer across browsers and devices. Also speaking were experts from Ovative about how they helped a million-dollar retailer implement Ensighten Pulse to power enterprise measurement across all channels. In response to customer feedback, the team added two morning best practice sessions: one on building a modern customer data layer, and another on using Ensighten for personalization. These were a huge success.
  • Chicago, Oct. 11 – The tour moved to Chicago in mid-October for a day of presentations, panels and best practice training sessions in the Windy City. TD Bank and Stratigent kicked off the event with a compelling message about marketing and mobile apps, showing why apps are no longer a black box of digital measurement. Speakers from CDW asked, and answered, the question: how can a digital experience replicate 1:1 dialogue? The key, of course, lies in the ability to collect, stitch, own and activate customer data. Speakers from The Weather Company, an IBM company, talked about how weather affects consumer decisions and the ways that marketers can begin to activate weather-related insights across media channels.
  • London, Oct. 20 – For its final event, AGILITY headed “across the pond” to London for a full day with U.K. and other EMEA-based customers and partners. Dave Chaffey, CEO and co-founder of Smart Insights, keynoted the gathering with a focus on digital strategies and innovations in real-time, omni-channel marketing, including the emergence of the customer data platform (CDP). Also speaking were France Médias Monde, RBBi, 55, ObservePoint and IBM. Simon Lye, channel sales for the IBM Marketing Cloud, talked about the power of IBM Commerce with an automated marketing platform, journey design and customer experience analytics.

Customers reported the AGILITY World Tour was a great mix of thought leadership, digital marketing best practices, networking, and real insight into how to make today’s marketing more effective. Join us next year for AGILITY – dates and locations to be announced soon.

Thank you to all of our speakers, as well as to our many industry sponsors, including AT Internet, IBM, Monetate, ObservePoint, OpinionLab, Oracle/Maxymiser and Yahoo!

The post Ensighten Wraps Up Multi-City AGILITY Tour Focused on Customer Data Best Practices appeared first on Ensighten.


TD Bank Cracks the ‘Black Box’ of Digital Measurement with Ensighten Mobile


It’s axiomatic that you can’t manage what you can’t measure. Yet measurement is a big obstacle in mobile marketing. Mobile apps now account for 89 percent of mobile media time, while mobile advertising is forecast to reach 72 percent of all U.S. digital ad spending by 2019, according to eMarketer. Yet 57 percent of business professionals say they use no analytics whatsoever to measure mobile app performance, even as these apps become front and center in marketing to consumers, according to Forrester.

That dichotomy was the focus of a recent webinar with a timely message − Cracking the Black Box of Digital Measurement: Mobile Apps. Ensighten and Stratigent, a global consultant on multichannel digital analytics, co-hosted the webinar, which also featured Marie-Pierre Dery, Manager of Measurement Solutions and Data Governance for TD Bank, an Ensighten customer.

David Johnson, VP at Stratigent, a consulting partner to TD Bank using Ensighten technology, opened the webinar, sketching out the rapid shift to mobile with U.S. spending on mobile advertising up 89 percent in the first half of 2016 to $15.5 billion, according to the Interactive Advertising Bureau. “This is one of the biggest seismic shifts ever in the ad market,” he argued. Nevertheless, mobile apps “are under tracked today compared to desktop and mobile web, due to tech limitations and difficulty and lack of resources.”

TD Bank, however, has overcome these limitations by establishing a framework that delivers flexibility, agility and control in optimizing and personalizing the bank’s mobile apps for its banking customers, Dery said. Ensighten Mobile enabled TD Bank to crack the black box of mobile app measurement. Here’s the story from these three experts.

Mobile App Analytics

Let’s start with the problem. What makes mobile app analytics so difficult? Peter Fernando, VP of Strategy at Ensighten, put it this way. Mobile apps must be tagged, tracked and measured as part of the holistic customer journey across all channels and devices. Yet the conventional ways mobile apps are created, measured and optimized make this cumbersome and time-consuming. Here’s why.

Developers hard-code mobile apps when they build them. Making changes to an app after it’s been launched requires the marketing team to go back to a developer for re-coding. The app is then submitted to the app store for approval, even for something as small as a change in a button color. This conventional process can take weeks or months for simple changes, clearly not supportive of “in-the-moment” marketing. Not surprisingly, Adobe last year found that “only 23 percent of digital marketers planned to optimize their mobile experience with A/B testing, multivariate testing or segmentation” in its digital marketing survey results. “There are too many development cycles required to deploy and adjust app analytics in a timely manner, as well as swap in and out content,” Fernando said.

Ensighten Mobile shortcuts the process by creating a mobile library that enables marketers to make in-app changes on the fly without having to rely on ongoing IT resources, and, in the process, helps to improve time to market and revenue.

TD Bank – Using Mobile Apps to Optimize the Banking Experience

Dery told attendees an analytics layer is foundational to the “success of advanced features like personalization, content swapping and optimization, and retargeting and remarketing.  You need to understand your user’s behaviors and interactions before you can act upon them.” Enterprise tag management, including Ensighten Mobile, is “our foundational framework allowing the bank to support future innovations, capabilities and reporting across digital and mobile.”

Dery offered a snapshot of the bank’s evolving mobile strategy in the last two years as the number and complexity of mobile projects increased drastically from what had been just one or two code releases a year. Analytics programs could be derailed with the slow IT release cycles. And the team knew it needed a more agile approach, turning to Ensighten and Stratigent for answers.

“Everything we do is geared toward customers,” Dery said in describing development of the TD Bank’s mobile app program. TD Bank’s core mobile apps include TD4ME, a “digital concierge” feature that curates content and services to create personalized, contextual experiences for customers based on their location and interests. And a companion app, TD MySpend, enables customers to track their spending by category and compare it to their monthly average.

“We found that customers wanted more features, and they wanted them faster,” she said.  The bank, as a result, adopted a hybrid mobile strategy, which made it possible to tag features quickly for testing or optimization, but use a data layer for longer-term stability as new features were added. That framework includes:

  • Data Layer. This allowed the bank to develop a measurement strategy for new features released in multiple phases throughout the year. The data layer made the mobile strategy more stable and scalable.
  • A method/class for legacy, non-dynamic or core screens. The classic method implementation is used for the core screens that don’t change often, and when they do a process of screen scraping is done to retrieve interactions.
  • The flexibility to add tags outside of a code release and turn things around quickly. With the Ensighten Mobile Library, the bank can make rapid adjustments outside a developer cycle, such as tagging a button, or optimizing a feature based on customer interaction.

“We want to create superior experiences, and gathering the data to be able to do that, and to be able to do real-time personalization,” said Dery. “When you introduce new ideas, you want to get insight as fast as possible to support the next stages of app design or content.”

The post TD Bank Cracks the ‘Black Box’ of Digital Measurement with Ensighten Mobile appeared first on Ensighten.

Customer Data Platform Gains Steam with New Analyst Report, Research Findings


It’s become increasingly clear that data, not applications, is the new hub of digital marketing. This may help explain why a new category of solution, the customer data platform (CDP), is getting so much attention recently, being the subject of a new analyst report, as well as the topic of new research findings by a vendor association.

Last week, Gartner Research released Innovation Insight for Understanding Customer Data Platforms to help marketers understand the challenges and opportunities associated with the new category of solution, including specific recommendations. The report, which lists Ensighten as one of 16 CDP vendors, is the first major analyst report on the topic. It follows Gartner’s initial recognition of the category as an “innovation trigger” in its Hype Cycle for Digital Marketing and Advertising 2016, released in July. Meanwhile, Ensighten continues to see strong interest from large brands in its CDP, which includes enterprise tag management, mobile tag management, omni-channel data collection, profile creation and activation, and privacy enforcement.

“The CDP is garnering interest from marketing leaders, thanks to a compelling promise – providing a holistic view of the customer to help execute and optimize personalized journeys,” Gartner Analyst Christi Eubanks wrote in the new CDP report, available through Gartner.com.

The CDP Defined

According to Gartner, “a customer data platform is an integrated customer database managed by marketers that unifies a company’s customer data from online and offline channels to enable modeling and drive customer experience.”

The platform represents far more than just the latest point product, but rather has the potential to serve as a lynchpin of the entire marketing technology stack, unifying rich sources of first-party data into unique profiles, then making them actionable across many of the programs so important to marketers.

“For marketers using multiple point execution tools, the CDP provides the connective tissue between and among them to integrate the marketing stack and enable orchestration across the web, mobile, email, social and so forth,” the report states.

Data unification and cross-device identity resolution are among the most important CDP criteria.

“The CDP’s purpose is to unify customer data from disparate sources, linking identity, behavior, purchase and demographics together in a single record — including both dynamic, contextual data and persistent and trusted identity data,” Eubanks states.

There are also challenges facing the CDP, including lack of awareness among marketers, and confusion with other solutions with overlapping capabilities. When looking for a CDP, Gartner recommends doing a customer data audit, prioritizing use cases, and evaluating the identity and profile management capabilities of current tools.

What else should a CDP offer? Check out Ensighten’s blog post on the topic, 10 Things a CDP Should do For You.

New Survey from the CDP Institute

Meanwhile, the Customer Data Platform (CDP) Institute, a new vendor-based association founded by technologist David Raab, has just issued results of a survey exploring CDP best practices (note: Ensighten is a founding sponsor of the new association).

The survey, entitled Best Practices in Building a Unified Customer Database, was undertaken in October and November of this year to find out about the “current state of the customer database, including reasons companies want one, obstacles that get in their way, and best practices to ensure a successful project.” Among survey findings were:

  • Seventy percent of respondents rated a single customer view as “very important” or “extremely important,” but just 14 percent have a shared customer database in place.
  • Top use cases for a single customer view were personalization (70%), customer insights (65%) and measurement across channels (51%).
  • Budget was cited as the top obstacle to obtaining a single customer view (41%), followed by data extraction from source (39%) and organizational roadblocks (31%).

For more information about Ensighten’s leading CDP capabilities, request a personalized demo.

The post Customer Data Platform Gains Steam with New Analyst Report, Research Findings appeared first on Ensighten.

Ensighten Named ‘Vendor to Watch’ for 2nd Year in Digital Marketing Hubs Report


In a nod to the increasingly critical role that customer data platforms play in modern marketing operations, Ensighten was recognized as a “vendor to watch” for the second consecutive year in Gartner Research’s new Digital Marketing Hubs Magic Quadrant, 2017 (subscription).

Ensighten was one of a dozen companies named a vendor to watch, including well-known players such as Google, Acxiom and Experian Marketing Services. These innovators were recognized outside of the main quadrant, which ranked many of the traditional marketing clouds such as Adobe, Oracle and Salesforce.com, for possessing many, but not all, of the capabilities required by digital marketing hubs. They are seen by Gartner as key players to watch as the market, still unsettled, continues to evolve.

According to Gartner, “a digital marketing hub (DMH) provides marketers and applications with standardized access to audience data, content, workflow triggers and operational analytics to automate execution and optimization of multichannel campaigns, conversations, experiences and data collection across online and offline channels.”

For the first time, the annual report recognized the growth of data platforms as a key part of the DMH market, including ad-focused DMP solutions and tag management-based Customer Data Platform (CDP) solutions (like Ensighten), for their ability to unify disparate data and technologies.

“Based on experience working with enterprise clients through its TMS offering, Ensighten seeks to enable marketer flexibility and choice by centralizing and managing customer data and syndicating to best-of-breed third-party systems for execution and orchestration,” Gartner states in the new report.

Ensighten was also one of 16 CDP vendors listed in Gartner’s recent report on the CDP market, the first by a major industry analyst firm, entitled Innovation Insight for Understanding Customer Data Platforms, 2016.

According to the CDP Institute, a vendor-based association for which Ensighten is a founding sponsor, the market for customer data platforms is growing at a clip of 50 percent a year, and is expected to surpass $1B in value by 2019.

Ensighten’s CDP is differentiated by many capabilities, including:

  • The ability to collect customer data as first-party to the brand, including both onsite and offsite sources such as digital advertising, mobile apps, email, online video and Internet of Things (IoT) devices.
  • Patented mobile app capabilities that enable brands to adjust both analytic data points and content on the fly without requiring additional software development or app store approval cycles.
  • Comprehensive data privacy and security capabilities, including the ability to identify and stop unauthorized vendor tags from loading, even if they are outside of the tag management system.

These capabilities are overlaid on the company’s leading enterprise tag management solution, Ensighten Manage, and additional capabilities for customer profile creation and activation. This combination represents the most powerful way for global brands to easily drive first-visit and real-time personalization, get a holistic customer view across channels and devices, improve ad effectiveness and attribution capabilities, optimize mobile app customer engagement, prevent data leakage and more.

For more information about CDPs, download our new guide, The 15-Minute Guide to Customer Data Platforms to learn: the difference between DMPs and CDPs, the three different types of CDPs, core benefits, and much more. For a personalized demo of Ensighten solutions, contact us today.

The post Ensighten Named ‘Vendor to Watch’ for 2nd Year in Digital Marketing Hubs Report appeared first on Ensighten.

Protect Your Brand from Tag Piggybacking Risks


Tag Basics

Tags are the technical mechanism for collecting data from a digital property, typically requiring that a small snippet of code be placed on the website or app. Tags serve a variety of purposes, such as collecting data from web browsers, setting cookies, extending audiences between multiple websites and incorporating 3rd party technologies into a website. The data collected by these tags powers marketing campaigns, personalization, advertising, web analytics systems and a host of other important marketing responsibilities.

This data can be passed either to a server owned and managed by the current website owner or to another company entirely. Tags themselves can then be categorized in two ways: first-party tags, which collect data on the same domain, and third-party tags, which collect data on a third-party domain, giving that third party insight into your internet browsing behavior across multiple web properties. For example, when visiting XYZ.com, a tag passing information to “data.XYZ.com” would be considered first-party, while a tag from “data.ABC.com” would be third-party because the top level domain, “ABC.com”, is different.

What is Tag Piggybacking?

The most basic definition of tag piggybacking, also referred to as daisy-chaining or chaining, is when one tag invokes another tag. Piggybacking can add dozens or hundreds of additional tags and introduce services that the digital property owner may not be aware of. This is often encountered when a container-like tag (e.g., DoubleClick Floodlight) is placed on a site for marketing purposes, and then overloaded with tag calls for additional vendors. In the following example, we can see an AppNexus tag piggybacking off a standard DoubleClick Floodlight tag:

Tag Piggybacking Example

In the following extreme example, we can see piggybacking resulting in multiple tag-to-tag instantiations:

Multi-level Tag Piggybacking Example

Without constant monitoring/auditing, this type of multi-level tag handoff is extremely difficult to manage. Ensighten completed a recent industry audit of almost 1500 digital properties and on average there were 49 piggybacked tags, with the worst offender having 144! When a tag is invoked via piggybacking, you don’t have visibility or control over what information it receives, but you may be legally responsible for it.

Risks, Limitations and Issues Related to Piggybacking

There are several items to be aware of when dealing with piggybacked tags:

  • Data leakage – Your valuable customer data (including PII) can be passed to a piggybacked tag without your knowledge or consent. If the data in question is available in-session, it can typically be captured via tags.
  • Poor website performance and data loss due to tag loading issues – Every tag that loads has an impact on your site performance. Slow loading tags at the top of your page can block the page from loading, decrease time to interactivity or impact data collection.
  • Malicious code installation – Malicious code can be installed on your site or on your customer’s device via tag piggybacking, granting access to any personal information users give you.
  • Inability to comply with privacy regulations – When a piggybacked tag fires, you don’t have visibility over what information it receives, which immediately puts you out of compliance with global privacy regulations like the EU’s GDPR.
  • Breaks in security/SSL – A tag that violates your website security will throw a glaring warning to your end-users and potentially break checkout flows and impact revenue.
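The tag chains and risks described above can be measured from a log of tag requests. The following is an added example, not Ensighten's code: the hostnames, the request log with its `initiator` field and the approved-vendor list are constructed assumptions, and `siteDomain` takes the last two hostname labels as in the XYZ.com example rather than consulting the Public Suffix List.

```javascript
// Added example: audit a tag request log for piggybacking.
// Every hostname and log entry below is constructed for illustration.

// Simplification matching the post's XYZ.com / ABC.com example: the site's
// domain is the last two labels. Real audits should use the Public Suffix List.
function siteDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Walk the initiator links back to a directly placed tag.
// Returns the parent tag URLs, root first; an empty list means "placed directly".
function chainFor(url, byUrl) {
  const chain = [];
  const seen = new Set(); // guards against a malformed log with a cycle
  let cur = byUrl.get(url);
  while (cur && cur.initiator !== null && !seen.has(cur.url)) {
    seen.add(cur.url);
    chain.unshift(cur.initiator);
    cur = byUrl.get(cur.initiator);
  }
  return chain;
}

function auditTags(pageUrl, requests, approvedDomains) {
  const page = new URL(pageUrl);
  const pageDomain = siteDomain(page.hostname);
  const approved = new Set(approvedDomains);
  const byUrl = new Map(requests.map((r) => [r.url, r])); // de-duplicates by URL

  const tags = [...byUrl.values()].map((r) => {
    const u = new URL(r.url);
    const domain = siteDomain(u.hostname);
    const chain = chainFor(r.url, byUrl);
    const issues = [];
    // Vendor the site owner never signed off on (data leakage, compliance risk).
    if (!approved.has(domain)) issues.push('unapproved-vendor');
    // Plain-HTTP tag on an HTTPS page (the "breaks in security/SSL" risk).
    if (page.protocol === 'https:' && u.protocol !== 'https:') {
      issues.push('insecure-on-https-page');
    }
    return {
      url: r.url,
      domain,
      party: domain === pageDomain ? 'first' : 'third',
      depth: chain.length, // 0 = direct, 1+ = piggybacked
      chain,
      issues,
    };
  });

  return {
    uniqueTags: tags.length,
    thirdParty: tags.filter((t) => t.party === 'third').length,
    piggybacked: tags.filter((t) => t.depth > 0).length,
    maxDepth: Math.max(0, ...tags.map((t) => t.depth)),
    flagged: tags.filter((t) => t.issues.length > 0),
  };
}

// Constructed sample log. `initiator` is the URL of the tag that triggered the
// request, or null when the tag sits in the page markup or the TMS.
const SAMPLE_PAGE = 'https://www.xyz.example/checkout';
const CONTAINER = 'https://tags.container-vendor.example/container.js';
const HOP1 = 'https://sync.adnet-a.example/px.js';
const HOP2 = 'https://px.adnet-b.example/match.js';
const SAMPLE_REQUESTS = [
  { url: 'https://data.xyz.example/collect.js', initiator: null },
  { url: CONTAINER, initiator: null },
  { url: HOP1, initiator: CONTAINER },
  { url: HOP2, initiator: HOP1 },
  { url: 'http://beacon.adnet-c.example/b.gif', initiator: HOP2 },
  { url: 'https://cdn.analytics-vendor.example/a.js', initiator: null },
];
// Constructed allowlist: vendors the site owner has contracted with.
const SAMPLE_APPROVED = [
  'xyz.example',
  'container-vendor.example',
  'analytics-vendor.example',
  'adnet-a.example',
];

const report = auditTags(SAMPLE_PAGE, SAMPLE_REQUESTS, SAMPLE_APPROVED);
console.log(JSON.stringify(report, null, 2));
```

In a real audit the initiator links would come from whatever the crawler or browser instrumentation records for each request; the field name used here is only a stand-in.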

Next Steps: Protect Your Brand

For the best approach to protecting your brand, we recommend using a real-time blocking tool that allows the brand to protect against unauthorized data collection across all tags (even tags deployed outside of a TMS). One of the best options on the market for complete protection is our own Ensighten Privacy. It includes complete control, insight and risk assessment into your tags and what we consider to be key areas:

  • How many unique tags are on your website?
  • How many of those tags are loaded via tag piggybacking?
  • How many of those tags are sharing your customer’s data and violating brand privacy and security policies?
  • Blocking of all tags with one line of code
  • Monitoring real user interaction to catalogue data collection points
  • Notification when even a single user sees a new data collection point

If you’d like to learn more about tag piggybacking, how Ensighten can help protect your brand, or how Ensighten can make your global digital properties compliant with the EU GDPR, contact us today.

The post Protect Your Brand from Tag Piggybacking Risks appeared first on Ensighten.

Ensighten changes senior team to lead the charge in 2018


At Ensighten, we’re constantly shaping our team and proposition to better meet the needs of brands in an ever-evolving industry. We’ve worked hard over the years (this year being no different) to deliver a unique service that tackles and simplifies the challenges of digital marketing, privacy and data protection.

We’ve built our position as the global leader in data privacy and omni channel data management – and that’s down to the people in our company constantly pushing the boundaries and creating technology that solves some of the biggest problems that marketers are facing in digital marketing.

I’m proud to be leading our team, as CEO, with the support of Ian Woolley, who is now Chief Revenue Officer, and Tim Benhart, Chief Operating Officer, in this period of Ensighten’s life and at such a crucial time in the industry.

As we come to the end of 2017, we look back on the successes from being one of a dozen companies Gartner named as ‘vendor to watch’ along with players such as Experian Marketing Services and Google, to rolling out our solution that enables brands to comply with the GDPR and other data privacy regulations. We’re excited for all that 2018 brings and to continue our work with all our partners.

For a personalized demo of Ensighten solutions and how we can help you, contact us today.

The post Ensighten changes senior team to lead the charge in 2018 appeared first on Ensighten.

Infographic: The Marketer’s role in GDPR


As the gatekeepers to the majority of customer data, the marketer’s role in preparing for GDPR (the European Union’s General Data Protection Regulation) is critical to full compliance. 

Ensighten conducted research to establish the state of play in the UK when it comes to GDPR, considering it is around the corner, enforceable from 25th May 2018. We uncovered some alarming insights, including that 72% of marketers do not expect their websites to be compliant by May 25th. The research ultimately shows that, despite the risks and consequences of non-compliance, many marketers still do not fully understand the implications of GDPR for their role or the business’ in general.

We hope you find the infographic insightful and helpful in getting your website ready for enhancing consumer trust and complying with GDPR.

Ensighten GDPR Infographic

The post Infographic: The Marketer’s role in GDPR appeared first on Ensighten.

Infographic: Are You GDPR Ready for May 25th and BEYOND?


As the gatekeepers to the majority of customer data, the marketer’s role in preparing for GDPR (the European Union’s General Data Protection Regulation) is critical to full compliance.

Ensighten conducted research to establish the state of play in the UK when it comes to GDPR, which is enforceable from 25th May. We uncovered some alarming insights, including that 45% of UK businesses have put money aside to cover possible fines for not being GDPR compliant, and 61% of respondents would apply for an extension on the deadline if they had the choice.

The research ultimately shows that, despite the risks and consequences of non-compliance, many businesses still do not fully understand the implications of GDPR.

We hope you find the infographic insightful and helpful in getting your website ready to enhance consumer trust by complying with GDPR.

Ensighten GDPR Research Infographic

The post Infographic: Are You GDPR Ready for May 25th and BEYOND? appeared first on Ensighten.


Google Tag Manager vs Ensighten Comparison


Updated 22nd October 2018

In the same way that Google created Google Analytics as a free web analytics solution, they have launched Google Tag Manager.

On November 14, 2005, Google announced Google Analytics – a revolutionary product that changed the web analytics software landscape. It was free, delivered as a service, was integrated with Google AdWords, had a solid (if basic) feature set and did I mention it was free?

Despite predictions to the contrary, GA didn’t take over the enterprise web analytics space – sophisticated websites still needed the advanced features and scalability of Omniture SiteCatalyst, CoreMetrics and WebTrends. The GA feature set has improved immensely over the years and today GA is the leading web analytics application with 55.8% of websites worldwide using it. Check out this infographic for more impressive stats on GA usage.

Google’s market entry raised awareness of the category and taught an entire generation of digital marketers about web analytics best practices and the incredible optimization and user insight benefits web analytics can generate.

This trend has also been seen in the tag management space, with the introduction of Google Tag Manager.

What Is Google Tag Manager?

Following from the launch of Google Analytics, Google announced Google Tag Manager as a revolutionary product that would change the tag management software landscape. It is free, delivered as a service, supports Google AdWords, Floodlight, GA and simple 3rd party tracking tags (pixels). And it’s free.

Google Tag Manager Limitations

  • Tag Support: GTM is based on a simple container tag architecture, limiting its capability to support critical enterprise tags like MVT, non-GA web analytics, customer experience, consumer survey, online chat, etc.
  • No SLA for GTM: GA also has no SLA, but if GA goes down, your website only loses some visitor data. If GTM goes down, it takes ALL the Google and 3rd party tags down with it, putting an enterprise’s critical digital tools at serious risk if they are managed via GTM.
  • Data ownership: Tag management systems have the ability to collect lots of data about your online business and your website visitors. With GTM, it’s unclear who owns that data, so read those terms and conditions carefully.
  • Site performance: A simple container tag based TMS can’t provide the same level of site performance improvement that a sophisticated TMS like Ensighten can. For example, Ensighten reduced Subaru’s homepage loadtime by 2.72 seconds. That type of performance gain is enabled by Ensighten’s custom built global Tag Delivery Network, advanced infrastructure custom-built for accelerated real-time tag delivery. Google has impressive world-class infrastructure – but it isn’t built for real-time tag delivery.

Ensighten vs Google Tag Manager Features

Although there are limiting facets of GTM for the enterprise customers, GTM will significantly impact the already hot tag management space.

Below is a summary of the key differences:

  • Bypassing Ad Blockers: With Ensighten’s ‘First Party TDN’ customers have the ability to bypass adblockers. Since GTM does not offer First Party capabilities, customers may lose up to 30% of their traffic.
  • Web and Mobile Tagging Templates: Ensighten offers 1k+ tagging templates allowing seamless web and mobile migrations. GTM offers less than 75 tagging templates.
  • Support & Infrastructure: Ensighten offers 24/7 technical support, a dedicated CSM, and a University full of knowledge base articles. GTM only offers a community page, which includes public forums and knowledge base articles.
  • Server-Side Tagging: Ensighten offers Server Side Tagging capabilities, which reduce page load times and tagging limitations. GTM, by contrast, is a code-injector and simply does not have the functionality to accomplish SST.
  • Enterprise Spaces: Ensighten offers an unlimited amount of spaces, creating a seamless cross-departmental working experience. GTM only offers three spaces, creating a bottleneck for multiple departments.
  • Enterprise Permissioning: Ensighten offers levels of robust user permissioning, whereas GTM only offers roles of admin and user.
  • Page Load Speed: Although GTM has competitive page load speeds, pages utilizing Ensighten outperform GTM pages 3/4 times. Regardless of region, ENS maintains an optimal end-user experience over GTM.

For a detailed comparison of Ensighten and Google Tag Manager, click here.

What Is The Impact of Google Tag Manager?

First, it has disrupted the business models of tag management vendors serving the low end of the market with simple, container tag-based pixel deployment offerings at low price points. Why pay $50 or $250 a month to deploy a few conversion pixels when GTM can do it for you for free?

Second, Google’s market entry has validated tag management as a critical component of digital marketing infrastructure, drawing new interest from analysts, investors and other observers.

Third, while GTM is unlikely to get the same phenomenal market adoption as GA, it has increased awareness of tag management and exponentially grown the base of marketers who understand its value and leverage the incredible benefits of tag management.  Google has created a large tag management user community with great educational resources around GTM, training a new generation of tag management experts.

Overall these factors have accelerated the demand for enterprise tag management solutions, just as GA boosted the growth rate of the enterprise web analytics market.

As the leader in enterprise tag management, that’s great news for Ensighten. With new additions to our management team, a recent large round of funding and continued stellar sales results – we’re ready for accelerated growth of the tag management space.

Welcome Google GTM…seriously. It’s good to have you join the tag management market.

The post Google Tag Manager vs Ensighten Comparison appeared first on Ensighten.

Website Data Breaches – Protecting against JavaScript attacks following 2018, the year of Magecart


This year it was discovered that hacking collective Magecart were behind the data breaches of at least 800 e-commerce sites around the world, exploiting failures in client-side website security.

As the high-profile hacks of 2017-2018 have shown, the stakes for companies suffering data loss are extremely high: Gemalto recently found that 70% of customers said they would leave a business following a data breach. This is a threat from which even the largest organisations can be at risk. In a recent study RiskIQ identified 100 ‘top-tier victims’ of Magecart, which they said included ‘mainly online shops of some of the largest brands in the world’.

Despite these huge risks, a study we carried out in September 2018 found that 46% of enterprises believe they have a probable or greater risk of a website data breach. Even more shocking was the discovery through our research that 13% of organisations surveyed only review the security of their customer data once every six months.

The devastating impact for a business suffering from a security breach may seem obvious; however, a data breach often includes several unforeseen damages on top of large fines.

Firstly, customer loyalty can be damaged when a business experiences a security breach. Data from the Ponemon Institute found that 31% of people actually terminated their relationship with an organisation following a data breach.

Secondly, a data breach will often force an organisation to divert a substantial amount of time and resource into dealing with the fallout. All areas of the business will be involved in the aftermath of a data breach, potentially forcing other projects to be placed on hold while the problem is rectified.

Why are these attacks becoming more common?

Part of the reason is the wide adoption of JavaScript; by 2016 it was estimated that 92% of all websites were using JavaScript. JavaScript is used to deploy third-party services onto a website. This helps improve the customer experience, offer the brand insights into how users are interacting with them via their digital channels, and enable enhanced performance measuring and personalised experiences. However, these benefits have led to many sites relying heavily on third-party JavaScript, giving a new avenue of attack to hackers.

Hackers have taken to targeting third-party technologies because they are given a high level of trust, having access to the client side of the website, thereby allowing access to everything that happens in the browser, including customer data. This ‘all access’ attribute has enabled hackers to manipulate the JavaScript code being served by a third-party or directly through the business’ web servers to inject malicious code.

Hacking into third-party supply chains has allowed hackers to break into thousands of websites instantly, making their methods far more effective, and dangerous. A case in point: Feedify, a customer engagement service which requires clients to add their JavaScript to their site in order to function, was hacked earlier this year.

The injected malicious code has been found to steal customers’ personal and financial data as it is entered into the site, and even redirect customers to a malicious domain to conduct fraudulent transactions.

These exploits that lead to payment detail and data theft have been referred to as formjacking, payment card skimming, as well as digital credit card skimming. These are not the only types of data breaches that can occur from an insertion of malicious code into a website, but perhaps are among the most impactful as the site owners can be completely unaware their customers’ data is being stolen.

What can you do to prevent these types of attacks?

In order to protect your site against formjacking and compromises of your website supply chain, you need to consider the following questions:

  • Do you know which third-party vendors are operating on your website? How do you guarantee this?
  • Can you ensure that third-party technologies on your site can’t capture sensitive information? How do you go about this?
  • Can you ensure that the end script is the one which is permitted? How can you double check this is still the case?
  • Can you control what content is being loaded into the third-party requests? If an unvalidated script was accessing card payment details on your site, would you be able to immediately stop it?

If there is any doubt about the answers to any of these questions, extra precautions must be taken.

What you can do to secure your website:

  • Scan and monitor your website to see which third-party JavaScript is operating on the site, where it’s being loaded from and what pages these scripts are on.
  • Whitelist and enforce which third-parties and which scripts are allowed to operate on your website.
  • Use Website Data Leak Prevention, so that if a trusted third-party script is compromised you can prevent any alterations to your site and stop any leaks before they take place.
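The scan and whitelist steps above, sketched as an added example (not Ensighten's product or code): a scanner lists a page's script tags, compares them with an allowlist of third-party origins and pinned Subresource Integrity (SRI) hashes, and derives the Content-Security-Policy value that makes the browser enforce the same list. SRI and CSP are standard browser mechanisms chosen here for illustration; every host, path and script body below is constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


class ScriptCollector(HTMLParser):
    """Collects every <script>: external (src, integrity) or inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"inline": "".join(self._inline)})
            self._inline = None


def audit_page(html, page_url, allowlist, fetched):
    """Return sorted (finding, subject) pairs for scripts that break the policy.

    allowlist maps an allowed origin to {path: pinned SRI hash}; fetched maps a
    script URL to the bytes the scanner downloaded for it on this run.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings, inline_count = [], 0
    for s in collector.scripts:
        if "inline" in s:
            inline_count += 1
            findings.append(("inline-script", f"inline #{inline_count}"))
            continue
        url = urljoin(page_url, s["src"])
        if origin_of(url) == origin_of(page_url):
            continue  # first-party file, covered by 'self' in the policy
        pins = allowlist.get(origin_of(url))
        if pins is None:
            findings.append(("unlisted-origin", url))
            continue
        pinned = pins.get(urlsplit(url).path)
        if pinned is None:
            findings.append(("unlisted-script", url))
            continue
        if s["integrity"] != pinned:
            findings.append(("sri-missing-or-stale", url))
        if url in fetched and sri_hash(fetched[url]) != pinned:
            findings.append(("content-changed", url))
    return sorted(findings)


def build_csp(allowlist):
    """Content-Security-Policy value that lets the browser enforce the allowlist."""
    return "script-src 'self' " + " ".join(sorted(allowlist))


# --- Constructed sample data: hosts, paths and script bodies are made up ---
GOOD_TAG = b"window.dataLayer = window.dataLayer || [];"
GOOD_PUSH = b"renderWidget();"
ALLOWLIST = {
    "https://cdn.analytics.example": {"/tag.js": sri_hash(GOOD_TAG)},
    "https://cdn.widgets.example": {"/push.js": sri_hash(GOOD_PUSH)},
}
PAGE_URL = "https://shop.example/checkout"
PAGE_HTML = f"""
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"
        integrity="{sri_hash(GOOD_TAG)}" crossorigin="anonymous"></script>
<script src="https://cdn.widgets.example/push.js"></script>
<script src="https://stats.unknown.example/c.js"></script>
<script>console.log("inline bootstrap");</script>
</head><body><form id="payment"></form></body></html>
"""
# What the scanner downloaded today: the widget file no longer matches its pin.
FETCHED = {
    "https://cdn.analytics.example/tag.js": GOOD_TAG,
    "https://cdn.widgets.example/push.js": GOOD_PUSH + b"/* constructed: bytes added upstream */",
}

if __name__ == "__main__":
    for finding, subject in audit_page(PAGE_HTML, PAGE_URL, ALLOWLIST, FETCHED):
        print(f"{finding:22} {subject}")
    print("Content-Security-Policy:", build_csp(ALLOWLIST))
```

The `integrity` attribute makes the browser refuse a changed file at load time, while the scheduled fetch-and-compare catches the change before a visitor does.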

If you want to understand how Ensighten helps with the mitigation of formjacking, and how we can help you mitigate against potential risks within your website supply chain then please get in touch to request a demo.

The post Website Data Breaches – Protecting against JavaScript attacks following 2018, the year of Magecart appeared first on Ensighten.

Don’t fall victim to cybercrime this Black Friday


With your business at its most vulnerable this busy holiday shopping period, how can you avoid a costly data breach?

The United States has long been familiar with Black Friday, the busiest retail day of the year and the unofficial start to the holiday shopping season. However, Black Friday – and the subsequent Cyber Monday – has now grown into a global phenomenon with millions of dollars spent in-store and online worldwide.

As well as expanding geographically, the promotional run-up to Black Friday is now starting earlier among retailers and running up until Christmas. Indeed, during this year’s holiday shopping period, the National Retail Federation (NRF) forecasts that consumers will spend $1,007.24 each – up 4.1 percent on last year. The five-day period between Thanksgiving and Cyber Monday alone will drive $23.4 billion worth of online sales, says the report by Adobe Analytics.

But behind the headlines of consumers flocking to grab a bargain and businesses celebrating a huge payday, the massive spike in traffic volume and transactions during this period can cause a host of problems for companies.

What are the website risks around Black Friday?

The most prevalent concern is that a company’s website will crash – even those of high-profile brands – under the weight of Black Friday traffic. Companies can take certain measures to try to ensure this doesn’t happen – for example, by performing preliminary site audits for potential bottlenecks, setting up monitoring systems, scaling heavy parts of their site, applying vertical scaling and speeding up the content delivery process.

But while it’s vitally important to maintain site availability, it isn’t the only challenge retailers face during this extended holiday shopping season; businesses are at their most vulnerable as cybercriminals take advantage of the exponentially busy period to target systems and steal data.

The last few years have seen a huge increase in cyberattacks – 2017 was labelled the “worst year ever” for data breaches and cyber incidents around the world. We witnessed high-profile data breaches and ransomware attacks such as the WannaCry virus disable the systems of hundreds of targets worldwide, including public utilities and large corporations.

How can Black Friday be exploited by hackers?

Businesses are already stretched to capacity during the demanding holiday period. Criminals will exploit this knowledge to target those firms, usually because of the confidential customer data and PII they collect and hold, whether it’s bank details, email addresses or other personal information. Website security around this period is therefore of the utmost importance.

“The sheer volumes of traffic and sales generated by promotional events like Black Friday and Cyber Monday can make them a target for hackers and fraudsters, who are looking to take advantage of vulnerabilities that may put ecommerce and online payment systems when operating under particularly heavy loads,” says publisher of Retail Technology magazine, Miya Knights.

One of the major problems is that a data breach can often lie undetected for shockingly long periods – the average time from compromise to discovery was 101 days in 2017. The Pentagon recently suffered a data breach when hackers gained access to the personal information and credit card numbers of its personnel. Officials admitted that it’s possible the intrusion went undetected for months.

Cyber Attacks – The Fallout

For businesses, a cyberattack or data breach of any kind can be disastrous, both financially, and reputationally.

It has therefore never been more important that businesses secure their website and mobile apps to protect the data which is being input through these channels during this busy period. Enterprise businesses typically have solutions in place such as load balancing, DDoS protection and web application firewalls; however, it is equally important to focus on the client-side risks to customer data.

It is therefore crucial that brands have real-time marketing security (MarSec™) in place on their website to protect against malicious attacks and data loss. This ensures that criminals can’t target form fills, chat boxes and ‘piggyback’ unauthorized tags across a website, potentially gaining access to all the customer data traditionally collected and used for campaigns and other marketing projects.

Our research shows, however, that 67 percent of enterprises have implemented no marketing security for their website, despite their concerns about a data breach.

In this era of heightened focus on data privacy and stringent regulation, businesses can’t afford to be so cavalier with their data protection.

How can you secure your website?

  • Think about your marketing security solution as a necessary part of your organization’s cybersecurity strategy. You need the ability to block unwanted website trackers and third-party technologies from firing and to ensure compliance with your visitors’ preferences and global data privacy laws.
  • To ensure you don’t suffer performance issues, in the lead up to Black Friday, dedicate time to performance testing and undertake real time site reporting to see what third-party technologies are firing on your site, and which pages they are loading on. Whitelisting of these tags ensures that only specified third-party technologies can access this data and will ensure that your customers’ data does not become exposed.
  • Take charge of third-party technologies to regulate load times and stop unwanted customer data leakage to ad networks by enforcing which vendors can operate on your site.
  • Use server-side tagging to enjoy faster page load speeds, and to reduce security risks. A trend is for organisations to opt for server-side tagging as a way of improving security, in particular across secure pages. The benefit here is that the removal of JS code reduces web page load time and provides risk mitigation against data leakage or malicious attacks.
  • Don’t leave your preparations until the last minute! Ensure you have plenty of time to correct any performance issues you may find on the website.

With Black Friday fast-approaching, maintaining both the performance and security of your website will help ensure a profitable holiday season for your business. Get in touch to find out more about MarSec™ for your website.

The post Don’t fall victim to cybercrime this Black Friday appeared first on Ensighten.

Who is responsible for customer data protection and website front-end security?


In today’s online marketing landscape, huge quantities of data are passed between customers and businesses, even before a transaction has taken place, sometimes leading to the security of data being ignored.

However, modern consumers are acutely aware of their personal data, and when things go wrong it can lead to catastrophic brand damage. Front-end web security must be taken seriously by businesses – but where exactly in the business does the responsibility lie?

What is front-end web security?

Front-end security protects your website from malicious attacks against your site or users that do not need access to your server, hosting provider or database. Such attacks target only the front end of your site, potentially stealing customers’ data as they input it or redirecting them to malicious content.

While this might not seem as immediate a threat as a large data hack, it can lead to large numbers of users having their data stolen. Front-end security should be a top priority for all site managers, especially as the popularity of their site or app grows.

Common front-end site security problems and why they are so damaging

One of the most common problems in front-end website security is formjacking or clickjacking.

This is the tricking of a visitor into clicking on something different to what they think they’re clicking on, enabling hackers to steal the personal data they submit. Formjacking is made possible by a script or embedded code on the page that runs without the user’s knowledge.

Malvertising (malicious advertising) is a term that refers to embedding malware within online ads, such as those served up by online advertising networks. These can run on reputable websites undetected, unless businesses take appropriate precautions.

Business owners constantly face these threats and many others. They can lead to the loss of customers’ personal information and financial data, which of course has long-reaching impacts on the financial, legal and brand-reputation aspects of the business.

If a customer’s trust in a brand is broken, it is incredibly hard to repair. The financial impact of brand damage can’t be overstated for companies that are found to poorly control their site security. As we’ve previously mentioned, studies have shown that 31% of people actually terminated their relationship with an organization following a data breach. And according to KPMG, almost a fifth of online shoppers would avoid a retailer that’s been the victim of a cybersecurity hack. That is a significant number for any business.

Who’s responsible for front-end site security?

A study by The Ponemon Institute found that both IT and marketing managers think that customer security lies within the other’s responsibility.

The study is quoted in Information Age:

“According to the study … 43% of IT practitioners recognize that a cybersecurity incident could impact the company’s brand value yet 71% don’t see brand protection as their responsibility. Unsurprisingly approximately two-thirds (65%) of senior marketers believe the IT department should take responsibility.”

It could be argued that IT have the technical know-how to oversee the business’s web infrastructure. From the backend to the front, it’s their job to understand the whole picture of how a customer interacts with their systems, and they should therefore have oversight of the security of that relationship.

Then again, shouldn’t the marketing department have the responsibility of safeguarding users of the site they produce? Marketers are the owners, designers, and operators of the public-facing website used to interact with the customer. If they own the brand, they are the ones who are damaged when it is harmed.

Even though their budgets and resources are dedicated to the acquisition and retention of customers, the security of those customers must not be disregarded, as long-term, healthy customer relationships are crucial for ongoing business.

Decisions must be made

We’re in an age where marketing and IT are so intertwined it’s surprising the two could be considered so isolated. It seems clear, putting those two arguments together, that the answer doesn’t lie on either end of the spectrum. IT security is marketing security, and the two combined contribute to the overall success of the business’s future. There has been a recent surge of CMOs moving into CIO roles, proving that senior marketers need to have a solid grasp on the security of their site, and understand exactly what processes need to be put in place in order to protect it. This is clearly a task that can no longer be left solely for IT teams to solve.

The important thing to bear in mind here is that while all parties are responsible for website security, decisions do need to be made, and decisions need to be made by leaders. Senior executives need to carefully consider the threats and act decisively to reinforce the security of their sites, protect their customers, and protect their brand.

Organizations must also practice internal transparency, so that the marketing teams are aware of what IT is doing to improve website security and vice versa, to ensure risks can be mitigated quickly.

Ensighten sits directly at the intersection between marketing and security. Request a demo today to see how our privacy tool allows websites to oversee data privacy and manage various marketing technologies safely and securely.

The post Who is responsible for customer data protection and website front-end security? appeared first on Ensighten.

Customer Data Platform (CDP) – Top 10 Things It Should Do For You


Last month, Gartner Research introduced a new industry category into its latest “hype cycle” for digital marketing: the customer data platform (CDP), coined in 2013.

“A customer data platform (CDP) is an integrated customer database managed by marketers that unifies a company’s customer data from marketing, sales and service channels to enable customer modeling and drive customer experience,” according to Gartner’s Hype Cycle for Digital Marketing and Advertising, 2016, which was released on July 15.

According to Gartner, “the customer data platform addresses an acute need for modern marketers, who, tasked with revenue accountability and customer experience, are ever in search of that elusive complete view of the customer, beyond the acquisition stage…A bridge between the traditional marketing database or post-sales CRM system and multichannel campaign management execution engines, the customer data platform arose from the need for a solution that could be controlled and deployed by marketers to unify customer identity in a privacy-compliant way, manage first-party data and connect execution across multiple point solutions.”

Ensighten is a prime example of a customer data platform, which is anchored by its industry leading enterprise tag management system (TMS), with additional products for omni-channel data collection, mobile app deployments, privacy and security, and profile creation and management. Ensighten is currently serving many of the world’s largest brands through this platform, including six of the Top 10 most valuable brands, according to Forbes.

Here is our take on what a Customer Data Platform should do for you:

  1. Be the single source of truth for fueling your revenue streams – A CDP should be a force multiplier in enabling and optimizing existing marketing and advertising efforts around personalization, recommendations, attribution, targeting, re-targeting, media-mix modeling, advertising efficiencies, customer service and many other business functions.
  2. Provide a holistic view of your customer journey – Customers begin their journey across multiple touch points, digital and traditional. A CDP should contain a data layer that is anchored by intelligence that is first party to a brand.  Brand specific first-party intelligence should be collected from onsite, offsite and offline journeys and used to create actionable customer profiles and segments to enhance the customer journey.
  3. Ability to collect and own every digital and non-digital activity of your customer – Your CDP should be driven by first-party data intelligence and have the ability to stitch customer interactions across devices (e.g. a phone or wearable), platforms (e.g. desktop and mobile) and channels (e.g. paid, owned and earned). You should own your data and not have to rent it back in order to drive your business. An external DMP or DSP will not provide data that is first party to a brand.
  4. Fuel real-time decision making – The customer journey is constantly evolving and customers make split second decisions. Your CDP should provide near real-time data collection and dissemination of that intelligence to fuel your next marketing campaign, optimize your conversion funnel, re-appropriate ad buys, feed into your call center work flow, and fuel many other decisions and capabilities.
  5. Enable turnkey integration capability with other marketing and advertising technologies – A CDP should enable your business to ‘speak’ with your customers regardless of where that customer might be in the customer journey lifecycle at any moment in time. The ability to integrate with technologies such as advertising solutions, email providers, mobile platforms, video delivery engines and other marketing solutions is critical.  First-party data collection capabilities enable standards for such integrations.
  6. Deliver enterprise privacy solutions, including identifying and preventing data leakage – A customer’s journey produces a lot of information that is collected digitally and non-digitally, housed in a CDP. Valuable data about your customer can leak from your web property through a variety of ways. A CDP should be armed with enterprise-level privacy capabilities to monitor and curtail dissemination of customer data, and enable product teams to automate opt-in and opt-out choices for customers.
  7. Be vendor agnostic – Owning your data using a first-party data collection engine enables you to control your destiny. A CDP should be designed to be vendor agnostic especially since the marketplace introduces new products and services that are in sync with the ever-changing customer journey. Data standards created by using a first-party data collection engine and housed in the data layer enables a CDP to be vendor agnostic.
  8. Offer detailed enterprise workflow, providing access and permissions based on role – A CDP is your single source of truth and intelligence within the CDP will be sought after by various functions within an organization. A data layer that ingests omni-channel, multi-platform and IoT data requires a robust, visual, user friendly work flow tool that should be used by a technical marketer. Organizational access and permissions should be managed through the same tool.
  9. Enable raw and/or aggregated data visualization and extraction – For a robust CDP to be leveraged regularly to influence business decisions, both in marketing and across the organization, it should contain either its own visualization capability and/or the ability to plug into any third-party visualization tool. Extraction and ingestion capabilities through APIs, SFTPs and user interfaces are ways to enable internal customers to use information to influence business decisions.
  10. Scale and flexibility of data space to fluctuate with your business – The ability for a CDP to grow with the customer journey is critical. The growth in Internet of Things (IoT) devices alone promises a tsunami of new interaction data. One of the most efficient and effective ways to scale is to host your data in the cloud. Cloud services enable your business to focus on driving revenue and ROI while allowing other experts to manage storage services, extraction and ingestion processes (ETLs).

The recognition and market acceleration of the CDP represents not a replacement, but an important expansion of the role of a tag management system. A TMS is a necessary foundation of the modern day CDP because of its ability to collect, manage, act on and own first-party data from a variety of sources. In addition, deep integration with a larger marketing eco-system is a key component of enabling personalized, real time and revenue-influencing customer journeys.

The post Customer Data Platform (CDP) – Top 10 Things It Should Do For You appeared first on Ensighten.

What is data privacy & why it’s important in 2018


In 2018, data privacy has continued to become increasingly important and isn’t something that can be ignored.

Data privacy concerns the ability of an organization or individual to control what data, including customer data, can be shared with third parties.

In the privacy world, the monetary risks go beyond dampened conversion rates. The EU are able to fine corporations up to 4 percent of their revenue for breaches of privacy.

That means, in financial terms, if a brand earns $1 billion in revenue, that’s a $40 million penalty per violation, with possible separate penalties for each country, which could multiply the fine 19 times over for each country in the EU.

Having a strong data privacy approach is a necessity.

The Evolution of Data Privacy

The issue began to gain steam in 2011 when the European Economic Community (EEC) adopted the E-Privacy Directive (Directive 2009/136/EC), Article 5(3). This directive recommended that EU countries protect site visitor privacy as they browse websites in three key areas:

  • Disclosure of data tracking to site visitors, and how the site owner intends to use the data.
  • Consent of the visitor to allow the data tracking to occur.
  • Enforcement processes to ensure visitor consent to data tracking.

Following on the EEC’s lead, 43 countries around the globe including most of the countries in Europe, enacted legislation based on the E-Privacy Directive.

Since then, GDPR has come into force. The General Data Protection Regulation (GDPR), which was approved by the EU Parliament on April 14, 2016, went into effect on May 25, 2018.

Marketers and IT organizations at large multi-national companies now need to ensure that they comply with international privacy regulations, as well as satisfy local laws.

They need to understand and implement programs that address disclosure, consent, and enforcement, and be aware of solutions that enable them to scale across different countries.

Businesses Are Using People’s Data

As digital marketing has become more sophisticated and intrusive, the importance of data privacy has grown. Today’s digital marketer has access to a variety of tracking/marketing technologies to track the digital visitor’s footprint for the purposes of personalization, re-targeting, ad networks etc.

While these marketing technologies are becoming more sophisticated by the day to counter the challenges meted out by cross-device and cross-channel marketing, the method of tracking and collecting visitor information remains the same – the ubiquitous tracking cookie delivered to web pages or browsers through tags.

Change In Consumer Awareness Driving A Change In Data Privacy

As marketers have developed their online tactics, consumer awareness has grown. Consumers are now generally more aware of marketing data collection and the resulting retargeting, as popular display ads and emails follow their recent online behaviors.

Who hasn’t experienced searching for a product and then seeing display banners relating to that product for the next several days or weeks? These tactics have made consumers more aware of what is being collected and who is watching them online.

As customers become even more addressable across channels and devices, they will become increasingly ripe for targeting. Many marketers want to take a pro-active approach to data privacy. They want to avoid potential legislation responding to consumer complaints about aggressive remarketing practices.

Privacy Is An Opportunity To Reinforce Data Quality

A strong privacy solution also brings benefits to conversion rates and marketing performance.

If we think about when consumers are most likely to lie about their data or use a junk e-mail address, it’s when they think the proposed value exchange is not worth the potential spam. Conversely, correct details are given to the companies that are genuinely interesting.

In this instance, privacy is about respecting the consumer and by extension getting more accurate data – creating a win-win situation for all parties. If we understand and respect the value exchanges that surround a consumer’s willingness to share data, then we are naturally confronted with a choice between more data or better data. As far as I know, marketers are no longer measured by the number of visits to a brand’s digital properties, so the latter should always win out.

Role of Vendor Management & Data Inventory In Improving Privacy

In order to meet the legal requirements and improve data quality, strong vendor management and data inventory are crucial. The International Association of Privacy Professionals (IAPP) released a survey, conducted alongside Bloomberg Law, called “Assessing and Mitigating Privacy Risks”. It revealed that privacy professionals are looking to vendor management and data inventory to meet the growing need for data privacy.

So what does this mean? It means knowing which data points are being collected, in line with what purpose and consent mechanisms, and through which tools the data is passing. For companies that see their growth being based on increased data use, this is crucial.

Enterprise Tag Management

Enterprise businesses need to adapt to the change in digital marketing tactics and to growing consumer awareness. An enterprise privacy solution needs to integrate with enterprise tag management. You need to know what data is being collected and what tools it is passing through.

Some vendors require a company to remove all tags from web pages and then enable or disable them in a separate tool as part of implementing a privacy solution.

Ensighten makes it possible to leave tags in place or transfer them out, whatever works best in different scenarios.

Meeting DNT, UK Cookie Law & ePrivacy Regulations

Selecting the right enterprise tag management solution is crucial to your business’s success. In an increasingly global world, digital marketers need a complete solution that provides built-in support for DNT and the UK Cookie Law in addition to all ePrivacy regulations, with continuous monitoring and alerting of new tags, unusual tag behavior, and non-compliance.

Our solution provides a fully customizable dialogue box for visitor consent along with complete visibility into data collection by all 3rd, 4th, and even 5th party tags.

Article 5(3) of the ePrivacy Directive, Directive 2008/58/EC, is the directive’s provision that requires a website to gain consent from visitors to track them.

For example, the UK has their version of the ePrivacy Directive called the UK Cookie Law. Similarly, the Do Not Track (DNT) feature is an opt-out feature for web-tracking that a visitor can make use of.

If a visitor opts out of web-tracking, a website should respect the visitor’s privacy by not leaving any tracking cookies on the visitor’s browser. While DNT is stringent in some countries (notably France), it’s enacted mostly through self-regulation in the US.

But there’s a catch – most websites use 3rd party technologies that skirt around the website’s privacy policy, thus ignoring US and international privacy compliance laws (like the UK Cookie Law in Europe and the DNT feature in the US) and eventually tracking the site visitor.

The important question is how to have complete visibility and control of all tags that collect visitor data and simultaneously ensure full compliance with US and international privacy laws?

US vs EMEA Data Privacy

I’ve spent the last couple of years trying to grasp the divide between the U.S. and Europe. There are a multitude of differences, starting with the structure of the law: common law vs. continental or civil law, and Right to Privacy legislation in Europe, which doesn’t exist in U.S. legislation.

The U.S. has also spent quite some time talking up the idea that privacy is about having something to hide. Independent of whether we have something to hide or not, privacy legislation in the U.S. is often state level (each U.S. state has their own definition of PII or personally identifiable information), with no unifying legislation at the federal level. U.S. based companies were using the Safe Harbor Act to collect and store European visitor data in the U.S.

In addition, Europe is faced with 28 countries trying to align under the General Data Protection Regulation (GDPR) alongside developing a one-stop-shop framework that would ideally work for all non-European companies addressing EU citizens.

What Is The Safe Harbor Act?

The Safe Harbor Act was developed in 2002 to allow U.S. based companies to collect and store European visitor data in U.S.-based servers.

The EU courts ruled on Oct. 6, 2015, that the Safe Harbor Act was invalid, requiring U.S. companies to develop new policies and procedures for collecting and storing EU visitor data.

The European Parliament announced strict new fines for companies that don’t adequately inform users what information is being collected about them, and what they plan to do with it.

Why Is The Safe Harbor Act Now Invalid?

The European Court of Justice (ECJ), rather unsurprisingly, invalidated the international transfer mechanism known as Safe Harbor, which is used by a multitude of companies to justify storage of personal data related to EU citizens on U.S. facilities.

Its origins are in Snowden’s revelations about the NSA’s mass surveillance practices. When EU data is transferred onto U.S. facilities, the NSA is able to access it, and therefore the European Right to Privacy is not respected.

The invalidation of Safe Harbor means the framework has been deemed illegal. The Helsinki Times even went as far as stating that using Safe Harbor might constitute an offense, which could carry a maximum punishment of one year in prison.

Companies addressing EU consumers and using the Safe Harbor framework in their analytics set-ups should at least know which vendors should replace their clauses. In this respect, it will affect vendor management, something that is not well governed when we look towards digital and ad tech.

Implied vs Explicit Consent

In the new data privacy world, it is important for both the consumer and the business to know the difference between implied and explicit consent.

Explicit consent means that a user visiting a website must explicitly hit a button acknowledging they understand the website owner will collect data before they can proceed.

Implied consent occurs when a user browses a site, and by implication agrees he or she understands some data will be collected as “strictly necessary.” The Ensighten privacy solution handles both models.
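The DNT opt-out and the two consent models described above reduce to one decision per tag. The following is an added example, not Ensighten's code: the tag inventory, the category names and the functions `decide` and `planPage` are constructed for illustration, and it assumes that a DNT opt-out blocks every tag that is not strictly necessary.

```javascript
// Added example: decide which tags may fire for a visitor.
// Tag names and categories are constructed, not taken from any product.
const TAGS = [
  { name: "session-cookie", category: "strictly-necessary" },
  { name: "web-analytics", category: "analytics" },
  { name: "ad-retargeting", category: "advertising" },
];

// Categories that track the visitor and therefore need consent.
const TRACKING_CATEGORIES = new Set(["analytics", "advertising"]);

// visitor.dnt     : value of the DNT request header ("1" = opt-out) or null
// visitor.consent : per-category choices, e.g. { analytics: true }, or null
// model           : "explicit" (opt-in button) or "implied" (browsing = consent)
function decide(tag, visitor, model) {
  if (tag.category === "strictly-necessary") {
    return { fire: true, reason: "strictly necessary" };
  }
  if (!TRACKING_CATEGORIES.has(tag.category)) {
    // A tag nobody classified is treated as tracking and held back.
    return { fire: false, reason: "unknown category, fail closed" };
  }
  if (visitor.dnt === "1") {
    // Assumption: the browser-level opt-out wins over any stored choice.
    return { fire: false, reason: "DNT opt-out" };
  }
  const choice = visitor.consent ? visitor.consent[tag.category] : undefined;
  if (model === "explicit") {
    // Explicit model: nothing fires until the visitor has said yes.
    return choice === true
      ? { fire: true, reason: "explicit opt-in" }
      : { fire: false, reason: "no explicit opt-in" };
  }
  if (model === "implied") {
    // Implied model: tags fire unless the visitor has said no.
    return choice === false
      ? { fire: false, reason: "visitor opted out" }
      : { fire: true, reason: "implied consent" };
  }
  return { fire: false, reason: "unknown consent model, fail closed" };
}

// Split a tag inventory into the tags that fire and the tags that are blocked.
function planPage(tags, visitor, model) {
  const fired = [];
  const blocked = [];
  for (const tag of tags) {
    const d = decide(tag, visitor, model);
    (d.fire ? fired : blocked).push({ name: tag.name, reason: d.reason });
  }
  return { fired, blocked };
}

// Constructed visitor: first visit, no DNT header, no stored choices.
const firstVisit = { dnt: null, consent: null };
console.log(planPage(TAGS, firstVisit, "explicit").fired.map((t) => t.name));
console.log(planPage(TAGS, firstVisit, "implied").fired.map((t) => t.name));
```

The same first-time visitor gets one tag under the explicit model and all three under the implied model, which is the practical difference between the two.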

How Can Ensighten Help?

Ensighten’s approach to data privacy is threefold. First, our tag management system is uniquely architected to keep sensitive data out of the browser. By contrast, the free and client-heavy tag management tools make data readily available in the browser—for competitors to view, for cyber-criminals to steal, and to increase risk overall. Our privacy layer wraps around our entire platform and is foundational to every Ensighten solution.

Second, we include monitoring for potential data risks as part of our core solution, so marketers can ensure customer data is protected and only made available to trusted partners and sources. While these capabilities exist today as part of Ensighten Inform, look for more explicit privacy monitoring reports and dashboards coming from Ensighten soon. Marketers who live and breathe data will need sharp visibility into the potential risks that data brings—especially as the new legislation goes into effect.

And third, but not least, Ensighten provides patented privacy gateway enforcement. We enable marketers to create easy, consumer-friendly opt-out experiences in everyday language that any user can understand. While our enforcement solution is popular with our European customer base, the impending legislation has quickly moved the solution onto the radar of our US-based global customers. Stay tuned for future blog posts as we explore how US-based brands can learn from EMEA marketers as we embark on this new era of global data privacy protection.

The post What is data privacy & why it’s important in 2018 appeared first on Ensighten.

The Importance of Website Security: Unforeseen Long-Term Impacts of Data Breaches


The past year has seen many hard-hitting data breach headlines, which have laid waste to the reputations of numerous businesses globally. The EU’s General Data Protection Regulation (GDPR) forced many organizations to improve their cyber security practices earlier this year, and the California Consumer Privacy Act (CCPA) is due to follow in 2020. But these have not been enough to prevent data breaches from occurring.

TalkTalk, Vision Direct, NewEgg, Ticketmaster, Dixons Carphone and Butlin’s are just a few businesses that have been affected this year. These breaches don’t only present a danger to the customers who have had their personal data and PII stolen, but also to the businesses that risk having their hard-earned reputations destroyed virtually overnight.

The cost implications of putting robust security measures in place

A common cause of data breaches is the reluctance to spend the money and resources required to ensure that website security systems and procedures are in place. This is undoubtedly a false economy when compared with the true cost of a data breach. Businesses must look beyond traditional cyber security measures to enable protection against third-party technologies which could compromise the security of the website supply chain.

Research has found that website security spending is on the rise, but this has not put a dent in the number of breaches. Ponemon’s 2018 study ‘Data Risk in the Third-Party Ecosystem’, suggests that one of the biggest risk factors is businesses failing to understand how third-party providers and technologies use and secure their data. In fact, 59 percent of organizations said they rely on third-parties to notify them when their data has been shared.

The immediate impact of a data breach

The immediate negative impact of a data breach is clear: the company’s name is invariably dragged through the press, and the damage this does to a company’s reputation and to the trust customers have in the organization can be huge.

Research has shown that up to a third of the customers of healthcare and finance businesses will discontinue their relationships with organizations that have been breached. But that’s not all; companies that experience a breach will often see an increase in the cost of acquiring new customers.

The longer-term impact of a data breach

Long after the initial consequences of a breach have been felt, there are a number of pernicious, longer-term effects that can cause significant damage to a business. These indirect costs impact on the business’s ability to rebuild months and even years after the cyber attack.

  • Damage control

One of the greatest longer-term impacts of a data breach comes in the form of damage control. Many customers and victims of a data breach will rightfully seek compensation for the losses they incur from the company. That often takes the form of legal action, even when the financial losses cannot be quantified.

In the recent TalkTalk data breach, the company allowed customers who were affected to leave their existing contracts. In this case, as well as affecting the firm’s ability to attract new customers, it also lost much of its existing business.

But the true extent of damage control doesn’t stop there. Following a data breach, the cost of repairing and remediating a company database or website can be substantial. A big part of the remediation involves changing the business’s processes and employee behaviour, both of which take a significant amount of time.

  • The loss of intellectual property

Losing customer data to hackers is extremely costly, but it is something a business can recover from eventually. The loss of intellectual property, on the other hand, could threaten the business’s survival. Intellectual property is at the heart of the 21st-century company. In fact, it can constitute up to 80 percent of a company’s value.

With more information about the impact the loss of intellectual property could have on a business, executives are now beginning to better align their cyber security programmes with their IP management, but many organizations still leave these critical assets dangerously exposed.

  • A falling share price

Another longer-term impact of a data breach is the loss of internal and external confidence in the business, which inevitably leads to a fall in the share price. Research has shown that there’s an average 5 percent drop in a firm’s share price on the day a breach is announced.

The damage done to a brand’s value is not something businesses can quickly bounce back from. In fact, companies that do not respond quickly to an incident can expect a share price decline that lasts an average of more than 90 days.

You are only as strong as your weakest link

While third-party technologies like ads, analytics, trackers and social-media buttons provide great functionality, interaction and even revenue-generating opportunities to your website, they also can come with cyber security risks if you do not have the correct website security measures in place. Ensighten MarSec™ enables website protection to keep your website supply chain secure. Get in touch to find out more or schedule a demo today.

The post The Importance of Website Security: Unforeseen Long-Term Impacts of Data Breaches appeared first on Ensighten.


5 Website Security Trends you’ll see in 2019


In the world of website security, there’s an ever-changing array of threats and technological advancements that come along seemingly every day. One thing’s for sure, the sophistication and scope of attacks will continue to grow, but so will the arsenal of tools webmasters have to defend their website and customer data.

After a year punctuated with high profile data breaches, website security is sure to be an issue at the forefront of every business leader’s mind. But what are some of the most prominent website security trends we expect to see in 2019?

1. The methodology of attackers is changing

In the year ahead, website security experts expect to see a shift in the modus operandi of cybercriminals. Instead of stealing data, as has been done so many times in 2018, attackers will instead threaten to undermine the integrity of the data, with potentially catastrophic effects.

A data integrity attack involves the manipulation of data rather than its theft. In 2016, the World Anti-Doping Agency (WADA) was the victim of this type of attack, when data about famous athletes was not only breached, but it was also manipulated to try and damage the reputations of clean athletes.

The potential damage data integrity attacks can cause is huge. Entire stock markets could be poisoned by manipulated data such as sales figures, which could artificially inflate or deflate the value of a company’s stock. Even infrastructure such as the power grid, traffic lights and the water supply could be at risk.

This type of attack can be particularly damaging because it can have a much longer-term effect on the business. Consumers may no longer trust an organization’s data, which could bring an entire company down. The attacks can also go undetected for years, further increasing the extent of the damage.

2. Multi-factor authentication will become the norm for online transactions

Only using a password to access websites and other online services currently makes life very easy for cybercriminals. Although it may not be welcomed by consumers initially, we expect to see multiple forms or optional authentication methods added to customer logins to boost the security of sites. This will help to provide an additional line of defence against the hugely damaging phishing attacks.

3. Clearer internal understanding of the responsibility for cybersecurity

One of the biggest problems many businesses currently face is failing to assign and communicate responsibility for protecting their websites and data effectively. In a previous blog, we referenced a study by The Ponemon Institute, which found that both IT and Marketing Managers think that responsibility for customer data security lies with the other party. The result is that many sites are left unsecured and open to a potential data breach. In 2019, in response to the high-profile data breaches of 2018, we expect to see more defined responsibility cross-department to ensure that there is someone with ultimate ownership of the company’s marketing security.

4. Protecting against smarter AI

One of the big concerns many businesses have for the year ahead is that hackers will start to leverage artificial intelligence (AI) to find new ways to infiltrate websites and apps at scale. We recently discussed this point in an article that was published on TechRadar Pro.

With every type of attack prevented, hackers create new and more sophisticated ways to breach the standard defences. The worry is that AI could be the ‘next big thing’ for the attackers, allowing them to configure and learn defence tools and bypass even the most advanced security implementations. This is something cybersecurity professionals will have to work hard to counter in 2019 through various measures including website marketing security.

5. The start of cyber-risk insurance

With cyberattacks costing the global economy an incredible $600bn annually, it’s perhaps little surprise that businesses are looking for new ways to protect themselves against the colossal risks. As a result, we expect to see cyber-risk insurance become an increasingly common part of the operational risk strategies many firms put in place.

At the moment, there is a fairly limited range of policies available. However, in 2019, we expect to see more and more cyber-risk policies that are tailored to the specific risks smaller and medium-sized businesses face. That could include cover for the loss of reputation and even the loss of future revenues from negative media coverage, although clearly, such policies will not come cheap.

Protect your website in 2019

67 percent of businesses are yet to implement marketing security for their website and are putting their customers and their reputations at risk. Ensighten MarSec™ provides protection against data risks to keep your website customer data secure and safeguarded against data breaches in 2019 and beyond. Get in touch to discuss your requirements or arrange a demo today.

The post 5 Website Security Trends you’ll see in 2019 appeared first on Ensighten.

GDPR Is Just the Beginning: New Data Privacy Laws Pile on Pressure for Businesses


What GDPR, CCPA and a heightened focus on data regulation worldwide means for businesses

2018 was a landmark year for data privacy.

Some of the biggest companies in the world fell victim to data breaches, compromising the personal information of millions of people worldwide. Whether through sophisticated cyberattacks, software glitches or the simple mishandling of customer data, the likes of T-Mobile, Quora and Google were among the big names forced to admit they suffered breaches.

Some were repeat victims (or offenders, depending on how you look at it) of data breaches. Facebook suffered several major breaches and incidents that affected more than 100 million of its users in 2018.

It is therefore little wonder that US consumers are increasingly concerned about how their personally identifiable information (PII) is handled. One report by SAS shows that almost three-quarters (73 percent) of consumers said their concern over the privacy of their personal data has increased in the past few years, while another report puts the figure even higher, with almost 88 percent of US consumers harbouring concerns when it comes to the privacy of their PII data online in 2019.

GDPR: a blueprint for the US and the CCPA?

2018 was not only a milestone year in terms of the frequency and scale of cyberattacks; the General Data Protection Regulation (GDPR) was also introduced by the European Union (EU) in May 2018, both to help regulate against such occurrences and to put the power back into consumers’ hands when it comes to data privacy.

Now in 2019 the US is set to follow suit. This has started at individual state level with the California Consumer Privacy Act (CCPA), which will take effect in 2020. The act is designed to provide Californian residents with access to any personal information that is being collected about them, and to find out whether their PII is sold or disclosed and to whom – as well as the power to deny the sale if they wish.

Elsewhere Vermont has become the first state to enact a law regulating data brokers who buy and sell personal information.

The move to ensure consumer data privacy rights is also being taken up at federal level, with the US Senate holding its first committee meeting in September to examine how lawmakers can protect consumer privacy. Further, in early November the Consumer Data Privacy Act was proposed, a bill that emulates GDPR and would penalize CEOs in addition to the companies.

The incoming regulations reflect increasing demand from US consumers for greater data privacy rights. According to SAS:

  • 83 percent would like the right to tell an organization not to share or sell their personal information
  • 80 percent also want to know where and to whom their data is being sold
  • 73 percent said they would like the right to ask an organization how their data is being used
  • 64 percent would like the right to have their data deleted or erased

GDPR compliance – ignoring it is risky business

Crucially, another recent global survey shows that more than two-thirds of consumers would walk away from an organization if it suffered a data breach where their financial and sensitive information was stolen. Ninety-three percent of those questioned say they would place the blame at the door of the business and would think about acting against them, with retailers, banks and social media sites considered the most ‘at-risk’ offenders when it comes to data breaches and failure to uphold GDPR compliance.

The loss of business and the severity of fines now imposed on organizations following a data leak, alongside the long-lasting financial and reputational damage, mean it is crucial that any company that collects or leverages user data on its website takes every possible precaution to prevent a data breach and ensure they take GDPR compliance seriously.

For example, if you use marketing tags, chat boxes or freeform fields to collect data from visitors to your website, it is your responsibility to protect that data from misuse or theft. Even so early into 2019, Singapore Airlines (SIA) has admitted a software glitch on its website was behind a data breach that affected 285 members of its frequent flyer programme, compromising their personal information including passport and flight details.

The good news is that marketing security (MarSec) solutions enable you to manage your customers’ data on your website, help prevent data leakage and help safeguard your GDPR compliance efforts. It means that any data collected from your customers can’t be exploited by hackers and cybercriminals.

It doesn’t matter where you are in the world – governments and lawmakers are tightening the net when it comes to data privacy. Speak to Ensighten about how MarSec can help you navigate the new privacy laws and avoid any last-minute scramble to achieve compliance.

The post GDPR Is Just the Beginning: New Data Privacy Laws Pile on Pressure for Businesses appeared first on Ensighten.

What Is Website Security?


Attacks on web applications account for 40 percent of cyberattacks – how secure is your website?

Your website is one of your most valuable assets. For your customers it can act as a shop window to your products and services, a source of valuable company information, or a full retail trading platform.

For your organization, your website is invaluable for generating new business and providing insight into visitor behavior and preferences. However, this also makes your website a prime target for attack by cybercriminals looking to harvest company and customer data. In this post we’ll explain what website security is, why it is so important and how you can go about ensuring your site is protected.

What is website security?

There are several common attack methods that criminals employ when targeting company websites.

One method is to leverage third party technologies to sneak in ‘the back door’ to your website. These services provide value to visitors’ engagement with your website in the form of live chat bots, social media buttons, or advertisements. The problem is that third-party vendors can often make changes to their scripts without any permission from your website, creating a security blind spot which hackers can exploit while your security and IT teams may be completely unaware of the problem.

However, attacks on web applications through cross-site scripting (XSS) – where attackers inject malicious scripts into an organization’s website – accounted for almost 40 percent of the top ten exploits in Q3 2018.

Attacks can also be carried out by modifying the DOM environment in the visitor’s browser. Because the vulnerability is in the client-side code rather than the server-side code, this type of attack is harder to detect: the server never gets a chance to see the attack taking place.

Here are a few examples of other automated threats to web applications:

Scraping and Data Theft: Hackers use bots to try to access restricted areas in web applications to get hold of sensitive data such as access credentials, payment information and intellectual property (IP).

Performance: Bots can impact the availability of a website, bringing it to a complete or partial denial-of-service state.

Spammers and Malware Downloaders: Targeting mobile and web applications, criminals use sophisticated techniques like spoofing their IPs, mimicking user behavior, and abusing open-source to bypass CAPTCHA, challenges and other security heuristics.

The dangers of Laissez-Faire attitudes to web security

What’s worrying is an apparent lack of awareness or responsibility when it comes to cyber security, even among the most popular websites. Research by WatchGuard shows 6.8 percent of the top 100,000 websites use insecure SSL protocols, and 20.9 percent do not use web encryption at all, leaving them fully open to data interception or man-in-the-middle (MitM) attacks.

One recent example of inadequate website security is the Nova Scotia government, which has been criticised for “poor overall project management” and a “serious failure of due diligence” after a series of data breaches to one of its websites exposed 7,000 documents containing citizens’ personal information.

The information and privacy officer for the region has recommended that the government conduct an inventory of technology solutions, devices and applications across the government and rate their vulnerabilities, while creating a plan to mitigate cybersecurity vulnerabilities.

Unfortunately, this is not an isolated incident. Our research shows that 87 percent of enterprise businesses do not review the security of their customer data, indicating an apathetic approach to website security. If exploited, this can have a serious impact on the business, as many organizations have discovered in recent years.

It doesn’t matter if the website is public sector-run, holding data such as social security numbers or medical information, or a retailer that stores their customers’ credit card or bank details – the fallout can be dramatic, and costly.

Understanding the risks of poor website security

The latest figures calculate that the average cost of a cyberattack now exceeds $1 million (£780,000), an increase of 52 percent over the past year. Radware’s recently published 2018-2019 Global Application and Network Security Report says this figure takes into account operational and productivity losses, combined with negative customer experience.

  • 43 percent of firms reported negative customer experiences and reputation loss following a successful attack
  • 37 percent suffered brand reputation loss and one in four lost customers
  • 54 percent reported loss of productivity

Breaking these costs down further, the most common expenses following an attack or data breach include:

  • Direct costs: Extended labor, investigations, audits, software patches development, etc.
  • Indirect costs: Crisis management, fines, customer compensation, legal expenses, share value
  • Prevention: Emergency response and disaster recovery plans, hardening endpoints, servers and cloud workloads

Increasing threats

The number of organizations under attack from cybercrime is also on the rise. The same report shows that most organizations have experienced some type of attack within the course of a year, with only seven percent claiming not to have experienced an attack at all. Those who reported the highest damage are from retail and high-tech sectors.

  • Data leakage and information loss remain the biggest concern to more than a third of businesses, followed by service outages
  • Application-layer attacks cause considerable damage; two-thirds of firms experienced application-layer DoS attacks and 34 percent foresee application vulnerabilities being a major concern in the coming year
  • More than half reported making changes and updates to their public-facing applications monthly, while the rest made updates more frequently, driving the need for automated security

Website security checks: a necessity

In light of the heightened risks associated with a data breach, consistently monitoring the security of your website is a must. However, it can be difficult to track and manage all your third-party technologies, plus any other technologies that piggy-back on these.

This is where you need a website security solution like our MarSec™ platform, which enables you to feel confident in your website security posture, while having the flexibility to run your business.

MarSec™ prevents data leaks by inspecting the onward content contained within JavaScript requests. It also helps you manage third party technologies by whitelisting approved vendors and managing and updating policies in real time.

The website security solution also fixes the problem of client-side vulnerabilities by extending protection beyond your company network to other susceptible areas.
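Vendor allowlisting and a check on onward data, as described above, can be prototyped against a request inventory such as one exported from browser developer tools. This is an added example, not Ensighten's MarSec code: the hosts, the `initiator` field, the e-mail pattern and all function names are constructed for illustration.

```javascript
// Added example: audit which parties a page talks to and what they receive.
// All hosts and requests below are constructed sample data.
const SITE_HOST = "shop.example";
const APPROVED_VENDORS = new Set(["analytics.example.net", "chat.example.org"]);

// Each observation is a request plus the script URL that triggered it
// (null when the page's own markup loaded it).
const OBSERVED = [
  { url: "https://shop.example/js/app.js", initiator: null },
  { url: "https://analytics.example.net/tag.js",
    initiator: "https://shop.example/js/app.js" },
  { url: "https://chat.example.org/widget.js", initiator: null },
  { url: "https://pixel.example.com/sync.js",
    initiator: "https://chat.example.org/widget.js" },
  { url: "https://collect.example.io/p?uid=77&em=jane.doe%40mail.example",
    initiator: "https://pixel.example.com/sync.js" },
];

const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function hostOf(url) {
  return new URL(url).hostname;
}

// 1 = first party, 3 = loaded by the site, 4 = loaded by a 3rd party, ...
function partyLevel(obs, byUrl, siteHost, seen = new Set()) {
  const host = hostOf(obs.url);
  if (host === siteHost) return 1;
  // No initiator (or a loop in the data): treat as loaded by the site.
  if (obs.initiator === null || seen.has(obs.url)) return 3;
  seen.add(obs.url);
  const parentHost = hostOf(obs.initiator);
  const parent = byUrl.get(obs.initiator);
  const parentLevel = parent
    ? partyLevel(parent, byUrl, siteHost, seen)
    : (parentHost === siteHost ? 1 : 3); // initiator itself was not captured
  if (parentHost === host) return parentLevel; // vendor calling itself
  return parentLevel === 1 ? 3 : parentLevel + 1; // one hop further out
}

// Names of query parameters whose decoded value looks like an e-mail address.
function emailLikeParams(url) {
  const names = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (EMAIL_RE.test(value)) names.push(name);
  }
  return names;
}

function auditTags(observed, siteHost, approved) {
  const byUrl = new Map(observed.map((o) => [o.url, o]));
  return observed.map((o) => {
    const host = hostOf(o.url);
    return {
      host,
      party: partyLevel(o, byUrl, siteHost),
      approved: host === siteHost || approved.has(host),
      leaks: emailLikeParams(o.url),
    };
  });
}

// Rows that need attention: unapproved hosts or personal data in the URL.
function findings(rows) {
  return rows.filter((r) => !r.approved || r.leaks.length > 0);
}

for (const r of findings(auditTags(OBSERVED, SITE_HOST, APPROVED_VENDORS))) {
  console.log(`${r.host}: party ${r.party}, approved=${r.approved}, ` +
              `leaks=[${r.leaks.join(",")}]`);
}
```

In the sample data, the approved chat widget is what pulls in the unapproved 4th and 5th party hosts, which is the piggy-backing case that an allowlist on directly embedded vendors alone would miss.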

With high-profile cyberattacks an increasingly common occurrence, it pays to be proactive in your approach to website security checks, because as we’ve seen, the fallout from a data breach can have catastrophic implications for your business.

The post What Is Website Security? appeared first on Ensighten.

The Dark Web: Fuelling Cyberattacks on Your Business


A home to hackers, the dark web means it has never been easier to target personal and customer data

2018 saw criminals once again target organizations – of all sizes, and across industries and market sectors – with a series of cyberattacks that continues to escalate in complexity, scale and frequency. Many of these attacks were launched with one goal in mind: stealing data.

Data is a valuable and much sought-after currency in today’s digital world. Whether it’s confidential company information like banking details, employee records and Intellectual Property (IP) documents, or the credit card details, logins or Personally Identifiable Information (PII) of customers, all stolen data has a value to the thieves, which is why data protection should be a top priority for any business.

The dark corner of the internet – what is the dark web?

The increase in data theft is fuelled, in no small part, by the dark web. Where criminals would once fence their stolen goods via a network of shady contacts, this dark corner of the internet does much the same job. Operating under the anonymity afforded by trading in cryptocurrencies, the dark web is where data is bought and sold for a price. The dark web is often confused with the deep web, but the two are different. The deep web refers to the entire internet – most of which is not indexed and therefore won’t appear on search engines. The dark web specifically refers to the criminal activity taking place on this unindexed portion of the internet.

The data varies in value. For example, personal information that cannot be changed as easily as a credit card or bank account is reportedly highly valuable to cybercriminals and commands a high price on the dark web.

However, the dark web isn’t just a place to buy or sell stolen data; it also promotes and enables cyberattacks by making hacking tools easily and cheaply available to anyone with a laptop, making it a threat to all web security. 2018 research by Virtual Private Network (VPN) comparison service Top10VPN.com, showed that fraudsters can access hacking tools on the dark web for the cost of a cheap takeaway coffee.

Entry-level hacking tools, such as ready-made phishing pages, software to compromise Wi-Fi networks and files to help hack passwords, all go for less than $3.95 (£3) on the dark web. But even comprehensive hacking toolkits can be picked up for around $130 (£99), according to the research.

Coupled with the availability of how-to guides on the dark web – meaning rookie hackers need no prior knowledge of web security or on how to carry out attacks – the report notes that there’s a “real concern that online fraud could be becoming more commonplace.”

“The perception that hacks are purely the territory of techy bedroom warriors or organizations like Anonymous is increasingly a thing of the past – and all consumers need to be aware of that,” it explains.

Hacking for beginners

Many experts believe this situation will only get worse. Individuals won’t have to belong to a well-known hacking group like Magecart, which was responsible for stealing customer data from Ticketmaster UK last year among other high-profile breaches, to be able to launch a successful attack on an organization by exploiting flaws in their web security.

As we’ve seen from the headlines, the fallout of a data breach can be devastating. While it varies considerably based on things like location, industry, compliance considerations, third-party involvement, insurance protection, etc., the 2018 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the average cost of a data breach in the United States at $7.91 million (£6.1 million).

Some more shocking statistics: the average time to identify a breach was 197 days, and the average time to contain a data breach once identified was 69 days. However, companies who contained a breach in less than 30 days saved over $1 million (£760,000) compared to those that took more than 30 days.

Protect your website

One area of the business that’s frequently targeted by hackers is the company website, often a goldmine of customer data. The good news is, there are several ways to safeguard this data and prevent a breach.

With criminals known to inject malicious JavaScript code into organizations’ websites, it is a good idea to look for a website security solution like our MarSec™ platform, which prevents data leaks by inspecting the onward content contained within JavaScript requests.

Another vulnerability often exploited by groups like Magecart stems from the use of third-party vendors on your website, which hackers can use as an entry point to your organization, compromising your website security. MarSec™ can help you manage third party technologies by whitelisting approved vendors and managing and updating policies in real time.

With the dark web’s law of supply and demand powering cybercrime from behind the scenes, it has never been more important to ensure your organization is protected from a crippling data breach.

The post The Dark Web: Fuelling Cyberattacks on Your Business appeared first on Ensighten.

Is Your Website a Security Blind Spot?


In this current era of digital transformation, your website as a digital platform has never been more important to your business. Websites are evolving to offer cross-channel, personalized and user-centric web experiences to match increasingly high customer expectations.

Yet despite significant investment from companies into getting the look, feel, and user experience right on their websites, many fail to address perhaps the most important aspect: website security.

It seems incongruous that despite being a highly-valued entry point for customer interaction and a repository for a wealth of personal and financial customer data, the front end – or the client-side – is considered the most vulnerable part of a website. As such, it is often targeted by hackers looking to steal valuable customer data.

JavaScript vulnerabilities

Most websites today use JavaScript, which can be used to capture data around the customer experience, as well as performance metrics for the website. Unfortunately, there are some inherent dangers associated with JavaScript, as it can be manipulated by hackers and threaten your website security. Most commonly, they can inject malicious code to steal customers’ financial details.

There have been some high-profile examples of this type of cybercrime, most notably the use of ‘skimming code’ – otherwise known as digital payment card skimming (DPCS) or formjacking – by criminals to scrape website users’ credit card details and other information from payment forms when they are completing an online purchase. They will then use those stolen details to perform payment card fraud or sell them to other criminals on the dark web.

Pertinently, PCI compliance prevents customers from storing their three-digit credit card security code on a website’s servers, so it makes sense for hackers to focus their efforts on the client-side of the website, to capture those details as they are entered.

Magecart attacks

The most notable attacks of this kind have been carried out by a collection of cybercrime groups known as Magecart, who were reportedly responsible for at least 319,000 cyber incidents in 2018. For example, Magecart targeted online retailer Newegg by injecting 15 lines of skimming code on its payments page, which remained undetected for more than a month during the summer of 2018. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name. The server even reportedly used an HTTPS certificate to avoid suspicion.

The group exploited another client-side website security vulnerability in its 2018 attack on Ticketmaster UK, compromising a chatbot originating from a third-party customer support company. While third-party vendors like social media buttons, ad trackers and chatbots increase the functionality of your website and improve the customer experience, they can also be a security blind spot if you do not have the correct cyber security measures in place.

This is compounded by the fact that malicious changes to the code base can occur entirely without your knowledge, unsurprisingly leading to a massive gap in your cyber security measures. Indeed, Ponemon research shows 59 percent of companies say they have experienced a data breach caused by one of their third parties.

But it’s not just enterprises that need to worry about web security. Governments have a duty to make their webpages accessible to everyone, and as part of this, use plug-ins to read text on the site out loud to blind or partially sighted visitors. One such plug-in, called Browsealoud from Texthelp, was compromised by hackers who altered its source code to inject crypto mining code into every webpage, affecting more than 4000 government websites around the world.

What can I do to secure my website?

There are products available that can help defend your website from client-side attacks – to an extent. A Content Security Policy (CSP) can help prevent cross-site scripting (XSS), clickjacking and other code injection attacks, but there are still gaps in its capabilities, and it can often mean a trade-off between website security and functionality.
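To make the CSP gap concrete, the following added example (not Ensighten's code or part of the original post) evaluates script URLs against a `script-src` allowlist. It is a simplified matcher covering scheme and host only, and every host name and the policy string are constructed for illustration.

```javascript
// Added example: simplified CSP script-src evaluation (scheme + host only;
// no paths, ports, nonces or hashes). All host names are constructed.
function parseDirectives(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // As in the browser, the first occurrence of a directive wins.
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

function hostMatches(pattern, host) {
  // "*.vendor.example" matches subdomains only, never vendor.example itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const directives = parseDirectives(policy);
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true; // no applicable directive: scripts are unrestricted
  const url = new URL(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") return url.origin === pageOrigin;
    const m = /^(?:(https?):\/\/)?([^\/:']+)$/.exec(src);
    if (!m) return false; // keyword or expression not modelled in this sketch
    // A scheme-less source is treated here as using the page's own scheme.
    const scheme = m[1] || new URL(pageOrigin).protocol.slice(0, -1);
    return url.protocol === `${scheme}:` && hostMatches(m[2].toLowerCase(), url.hostname);
  });
}

const POLICY = "default-src 'self'; script-src 'self' https://cdn.vendor.example";
const PAGE = 'https://shop.example';

function demoCsp() {
  return {
    firstParty: scriptAllowed(POLICY, PAGE, 'https://shop.example/js/checkout.js'),
    lookalike: scriptAllowed(POLICY, PAGE, 'https://shop-example-stats.example/s.js'),
    // Allowed whatever the file currently contains: CSP pins origins, not content.
    vendor: scriptAllowed(POLICY, PAGE, 'https://cdn.vendor.example/chat.js'),
  };
}

console.log(demoCsp());
```

The lookalike host is refused, but the allowlisted vendor script loads even if its contents change at the vendor, which is the case a host allowlist alone cannot catch.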

In addition, Subresource Integrity (SRI) can check for any code changes in any assets served by a third-party vendor to ensure they haven’t been compromised. However, SRI can struggle to keep up with the regular updates from third-party vendors and frequent changes to source code. The bottom line is that neither is fully effective against attacks in a rapidly evolving threat landscape. Download our guide to learn more.
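The SRI check and its maintenance cost can be seen in this added example (not from the original post or Ensighten's product), which mirrors the browser's rule of comparing against the strongest hash algorithm listed in the `integrity` attribute. The script bodies and function names are constructed for illustration, and it assumes Node.js with its built-in `crypto` module.

```javascript
// Added example: SRI pinning and verification with constructed script bodies.
const { createHash } = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity attribute value for the given script bytes.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Parse the attribute, keep only the strongest algorithm present,
// and accept the resource if any hash of that algorithm matches.
function sriMatches(integrity, body) {
  const entries = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)/.exec(t))
    .filter(Boolean)
    .map(([, alg, b64]) => ({ alg, b64 }));
  if (entries.length === 0) return true; // no usable metadata: nothing is enforced
  const best = Math.max(...entries.map((e) => STRENGTH[e.alg]));
  return entries
    .filter((e) => STRENGTH[e.alg] === best)
    .some((e) => createHash(e.alg).update(body).digest('base64') === e.b64);
}

// Constructed stand-ins for a vendor script at three points in time.
const V1 = 'window.chat={open(){/* vendor v1 */}};';
const V2 = 'window.chat={open(){/* vendor v2, legitimate update */}};';
const TAMPERED = V1 + '/* unreviewed appended code */';

function demoSri() {
  const pinned = sriFor(V1);
  const rotated = `${pinned} ${sriFor(V2)}`; // pin both versions during a rollout
  return {
    original: sriMatches(pinned, V1),
    tampered: sriMatches(pinned, TAMPERED),
    vendorUpdate: sriMatches(pinned, V2), // a legitimate update fails too
    afterRepin: sriMatches(rotated, V2),
    // Only the sha512 entry is considered, so the sha256 pin of V1 is ignored.
    mixedAlgs: sriMatches(`${sriFor(V1, 'sha256')} ${sriFor(V2, 'sha512')}`, V1),
  };
}

console.log(demoSri());
```

The pinned hash rejects the tampered file, but it rejects the vendor's legitimate update as well until the page is re-pinned, which is the upkeep burden described above.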

You need next generation website security to ensure your data security is working and your business is safe. Ensighten can help you protect any and all client-side data against all the threats we’ve discussed. Our MarSec™ solution provides you with a real-time view of all the technologies running on your website and performs a full privacy risk assessment as web pages are loaded. It can also prevent malicious web injects by only loading resources that are explicitly whitelisted, and block everything else.

In addition, Ensighten can stop JavaScript-based cryptojacking or cryptomining, as we saw with the breach of the government websites. It can also add a level of cyber security to prevent formjacking attacks like the one launched on Ticketmaster UK by allowing control over third-party JavaScript that is given permission to operate within the user’s browser.

As we’ve seen with just these few examples of client-side attacks, you can no longer overlook or dismiss the potential vulnerabilities within your website. The time to secure your website and your customer data is now.

The post Is Your Website a Security Blind Spot? appeared first on Ensighten.
