I’ve been on the record for quite a while about the importance of the chief marketing officer (CMO) caring about security and having a close relationship with the chief information security officer (CISO). There is an obvious and urgent need for the roles to collaborate on a crisis communications plan and to work together to execute it in the case of a breach. But there is a connection that may be less obvious to some: A company’s web presence and e-commerce capabilities are key pillars of growth, even for those that are more brick-and-mortar than born-on-the-web. The CMO typically owns a company’s web presence and must work hand in hand with the new chief digital officer (CDO) role, which often owns the e-commerce channel. These attack surfaces must be protected from the constantly evolving threat landscape, clearly the realm of the CISO.
There are subtle high-level similarities in the CMO, CDO and CISO roles. The CMO is chartered with growing and protecting the brand, and in most cases, the corporate website is the most tangible example of the brand. I like to call it the “real corporate headquarters.” The CDO is responsible for driving growth by using online technologies and data, often referred to as digital transformation. The CISO is chartered with protecting information and technology assets, of which the web and e-commerce sites are often the most exposed. And while marketers are typically well suited to run “defend the brand” campaigns, a new kind of digital defense is also necessary: guarding against the malicious activities that are likely happening on the corporate website, unbeknown to anyone in the C-suite.
I’ve recently become aware of a new threat that CMOs, CDOs and CISOs need to know about: client-side browser malware. Yes, that’s a mouthful. Here’s what it means. Browser malware consists of extensions, pop-ups, clickjacks, ad injections, banners and coupon redirects that appear as if they are coming from your site, when in fact they are not. They travel with the infected user in that user’s browser, not on your servers. When infected users visit your website, they see pop-ups and ads that disrupt their path to purchase and your ability to convert them into paying customers. These ads are often in the unsavory not-safe-for-work (NSFW) category. They block links and buttons that the visitor is trying to use to add an item to a shopping cart or complete a purchase. And they tend to be persistent, popping up even after a smart user refreshes the page.
In addition to the NSFW variety, other ads might offer coupons for use on the site, place a referral code on the user’s computer, reroute them back to the original site or divert the visitor to another site with similar products — sometimes counterfeit ones, and often cheaper! The CMO and CDO will never see these ads because even though they appear to be part of your site, they are not. Nonetheless, they can damage your brand reputation by diverting a visitor's path to purchase and leaving the visitor wondering why an NSFW ad showed up on your site.
Let me give you a recent personal example. I was shopping for a designer handbag for my mom for the holidays. When I went to the site of the brand my mom likes, I saw an ad for $70 handbags. It was a huge value, so I clicked on it. I went through the entire purchase process, including sharing my credit card number, before I realized that I had been diverted to a shady site that was likely harvesting my personally identifiable information. Yes, I did this, and I work in security. Needless to say, this can very easily happen to anyone.
So what do today’s CMOs and CDOs need to know and do?
- First, pay attention to your data, since it can give you indicators that something is wrong. Do you have huge growth in abandoned shopping carts? Are you seeing a change in bounce rates? Is there a spike in referral fees, particularly from one referring site? These are indicators that unwanted ads and scripts are redirecting your valuable web visitors. Pay attention to them! Dig into your data. If you ask the right questions, it’ll tell you what is going on.
- Second, consider running a survey of visitors to your site. Ask them if they are seeing NSFW ads on your site or being redirected to another site. Then, pay attention to their feedback and complaints. You may hear from a visitor that they were put off by an unsavory ad. They’re probably scratching their head in disbelief wondering why they can’t purchase your shoes, clothes, jewelry, beauty products or tickets.
- Third, build a relationship with your CISO. While the issue you are facing is more subtle than a volumetric distributed denial of service or account takeover attack, it still demands your attention. Work together to find a solution that protects your website and e-commerce applications from the clickjacks and redirects that your visitors are experiencing.
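One way to put the data indicators from the first point into practice, as an added example that is not part of the original post: the Python script below runs over a constructed week of daily analytics rows (every number, date and referrer name is made up) and flags days whose bounce rate or cart-abandonment rate sits well above a baseline window, or where a referrer’s share of sessions jumps relative to its baseline share. The thresholds (three standard deviations, a 15-point share increase, a five-day baseline) are assumptions to tune against your own data.

```python
"""Flag the three analytics indicators named above: a jump in cart
abandonment, a change in bounce rate and a spike in traffic credited to
a single referrer. All input rows are constructed sample data."""
from statistics import mean, pstdev

# Constructed daily analytics rows (not real data): five quiet baseline days,
# one day that looks like ad-injection / coupon-redirect activity, one quiet day.
BASE_REFERRERS = {"search": 5000, "social": 2000, "email": 1500, "direct": 1500}
SAMPLE_DAYS = [
    {"date": "2019-11-01", "sessions": 10000, "bounces": 4000, "carts": 1000, "orders": 350,
     "referrers": dict(BASE_REFERRERS)},
    {"date": "2019-11-02", "sessions": 10000, "bounces": 4100, "carts": 1000, "orders": 340,
     "referrers": dict(BASE_REFERRERS)},
    {"date": "2019-11-03", "sessions": 10000, "bounces": 3900, "carts": 1000, "orders": 360,
     "referrers": dict(BASE_REFERRERS)},
    {"date": "2019-11-04", "sessions": 10000, "bounces": 4200, "carts": 1000, "orders": 330,
     "referrers": dict(BASE_REFERRERS)},
    {"date": "2019-11-05", "sessions": 10000, "bounces": 3800, "carts": 1000, "orders": 370,
     "referrers": dict(BASE_REFERRERS)},
    # Suspicious day: bounces up, orders down, and a previously unseen referrer
    # (a made-up hostname) suddenly credited with a large share of sessions.
    {"date": "2019-11-06", "sessions": 13000, "bounces": 7150, "carts": 1100, "orders": 200,
     "referrers": {**BASE_REFERRERS, "coupon-redirect.example": 3000}},
    {"date": "2019-11-07", "sessions": 10000, "bounces": 4000, "carts": 1000, "orders": 350,
     "referrers": dict(BASE_REFERRERS)},
]


def bounce_rate(day):
    return day["bounces"] / day["sessions"]


def cart_abandonment(day):
    return 1.0 - day["orders"] / day["carts"]


def referrer_shares(day):
    total = sum(day["referrers"].values())
    return {ref: count / total for ref, count in day["referrers"].items()}


RATE_METRICS = {"bounce_rate": bounce_rate, "cart_abandonment": cart_abandonment}


def find_indicators(days, baseline_len=5, sigmas=3.0, min_sigma=0.005, share_delta=0.15):
    """Compare each day after the baseline window against that window and
    return a list of findings. Rates are flagged when they exceed the
    baseline mean by `sigmas` standard deviations (with a floor so a perfectly
    flat baseline does not flag noise); a referrer is flagged when its share
    of sessions grew by more than `share_delta` over its baseline share."""
    baseline = days[:baseline_len]
    rate_stats = {}
    for name, fn in RATE_METRICS.items():
        values = [fn(d) for d in baseline]
        rate_stats[name] = (mean(values), max(pstdev(values), min_sigma))

    # Mean share per referrer across the baseline; days where a referrer is
    # absent count as a zero share, so brand-new referrers start from 0.
    share_sums = {}
    for d in baseline:
        for ref, share in referrer_shares(d).items():
            share_sums[ref] = share_sums.get(ref, 0.0) + share
    baseline_share = {ref: total / len(baseline) for ref, total in share_sums.items()}

    findings = []
    for day in days[baseline_len:]:
        for name, fn in RATE_METRICS.items():
            mu, sd = rate_stats[name]
            value = fn(day)
            if value > mu + sigmas * sd:
                findings.append({"date": day["date"], "indicator": name,
                                 "value": round(value, 3), "baseline": round(mu, 3)})
        for ref, share in referrer_shares(day).items():
            expected = baseline_share.get(ref, 0.0)
            if share - expected > share_delta:
                findings.append({"date": day["date"], "indicator": "referrer_share",
                                 "value": round(share, 3), "baseline": round(expected, 3),
                                 "referrer": ref})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_DAYS):
        print(finding)
```

On the sample data the script flags only the sixth day, once for each indicator, and names the unexpected referrer. In practice you would feed it an export from your analytics platform; a flagged day or referrer is a lead to hand to the CISO for investigation, not proof of browser malware on its own.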
In short, CMOs and CDOs need to extend their thinking for how they defend their brand and grow their digital businesses. Standard campaigns and approaches are important. Keep doing those! Also, be open to new approaches that include working with your CISO and investing in tools to keep your brand reputation and revenue safe. Because what you don’t know can hurt you.