Why You Should Start Caring About Oversharing

Today’s website owners are focused on building a great online experience for their users. Digital transformation is all about shifting how we do business and offer services – and today’s rich web experience is part of that revolution. But all that usability comes with a hefty risk price tag. Think about it: modern websites are essentially a conglomeration of web-enabled assets, a massive global supply chain that nobody really thinks about as such. And that’s a big data privacy problem that’s about to get a lot bigger.

What all these connected parts have in common is JavaScript. “Write once, run everywhere” has been the backbone of the rich web – but that portability has massive implications for both data security and data privacy. The Magecart cybercriminal syndicate is driving awareness of the security aspects – but many businesses seem unaware of the growing privacy implications of uncontrolled data sharing by trusted web applications.

The Elephant in the Room: The Web

When it comes to really understanding – and tackling – data privacy risks, the web is the elephant in the room. Enterprises understand the clear need to secure their databases and constantly monitor how they store customer information and sensitive data, while forgetting where so much of that sensitive data originates: on the web, entered into the browser by the customer.

When the same applications and integrations that deliver this rich user experience and insight also share that sensitive information with third, fourth, fifth-and-beyond parties outside your organization’s control, you could be sharing more than you or your customers have bargained for. And it’s time that we, as website owners, ask ourselves if we’re really doing enough about that and really understanding these emerging risks. It’s time to start caring about oversharing, because if we don’t, it won’t just be the regulatory authorities who call us to account; our increasingly privacy-aware customers will, too.

Start Caring About Oversharing

Forms found on 92% of websites exposed data to an average of 17 domains – climbing to 20 if you happen to be a top mobile service provider in the EU, where (depending on the country) passport scans and copies of pay slips are among the documentation requested to sign up for a contract. That’s a lot of oversharing – and that’s before you take into account the multiple trusted applications on your site: Google AdWords, chatbots and marketing analytics are all gathering data according to your own metrics and specifications. What you might not be aware of, however, is exactly what kind of data they’re collecting, or to what extent. Do you have full insight into how these third-party integrations use the data you collect?

Can you genuinely claim to know exactly where all this data is flowing? Do you know:

  • Which vendor has access to what sensitive data?
  • Which vendor actually reads sensitive data?
  • Which vendor shares sensitive data with other vendors?

Because if you don’t, you should. Regulations including GDPR and CCPA require enterprises to be aware of where sensitive data is flowing, as well as the purpose of these data streams.

Why the Web Matters

Unintentional data exposure is a significant, unaddressed problem for most of the world’s website owners. When we fail to secure data as it is entered into websites, we’re effectively leaving it hanging: the only reason it’s not being stolen is that criminals haven’t taken it. Yet.

Equally, when we overlook the need to understand how trusted applications share data, we run the risk of simply giving it away – without our users’ consent.

Everyone talks about security in depth, security beyond the perimeter and data privacy; it’s time to focus on the place where those things intersect: the browser.