Are your tags really safe with Google Tag Manager? If you've been thinking that using GTM means that your tracking tags and pixels are safely managed, then it might be time to think again. In this article we look at how a big-ticket seller that does business on every continent came unstuck when it forgot that you can't afford to allow tags to go unmanaged or become misconfigured.
Read the full case study here.
Google Tag Manager saves website owners time and money. Its visual interface lets them attach tracking tags to their sites and then modify them as needed without the need to call a developer every time. Such tags gather the marketing and analytics data that power growth, and GTM makes them easier to manage, but with strict rules around data privacy to consider, you can't trust it completely; it needs active oversight.
The ticket seller
A case in point that we recently became aware of involves a global company that sells tickets to live events. With global operations it's important to establish who has overall responsibility for a particular function, but in this case, that was lacking. In a culture where the lines of responsibility aren't clear, it isn't surprising that a marketing team outsourced something to an external company because it saw it as a security concern it could offload rather than a marketing issue.
Download the full case study here.
The task was the management of its Google Tag Manager usage. The team may have felt that marketing and growth were their priorities and so this move made sense, but security is one of those strands that runs through everything. The consequence of outsourcing this work was a data breach because the contractor didn't catch a misconfiguration.
GDPR, CCPA, the Cyber Resilience Act, and other privacy-related legislation require companies not to let this happen. They must protect their customers' data and obtain their explicit permission before collecting and sharing it, and because of the misconfiguration this didn't happen. Getting it wrong in this way can be very expensive both in terms of money and reputation, not to mention the fact that cybercriminals have used Google Tag Manager as a vessel for conducting web skimming and keylogging attacks. You can read more about the details of this story in our case study.
How big a problem is misconfiguration?
As we explored the case of the global ticketing company, we became curious about Google Tag Manager and wondered how widespread this kind of problem might be. We wondered how many other companies might be exposing themselves to potential multi-million-dollar class action lawsuits brought by masses of individuals whose data they have shared without permission or against local privacy regulations, and how many might be at risk of attracting big penalties from data privacy watchdogs and industry regulators?
The sample study
We decided to look at a sample of 4,000 websites that use Google Tag Manager. It turned out that they connect an average website to around five applications, and that 45% of these apps are used for advertising, 30% are pixels and 20% are analytics tools. Here are the apps that we found users connecting with Google Tag Manager the most, in order of popularity.
For more information, read the full case study here.
The risk
We found that across all industries, Google Tag Manager and its connected apps account for 45% of all risk exposure among users. Overall, 20% of these apps are leaking personal or sensitive user data due to a misconfiguration.
Misconfigurations showed up in the applications below, which account for 85% of all cases:
Oh, the irony!
Ironically, we found that Google Tag Manager itself is responsible for the most cases of misconfigurations that might leak user data and land the website owners who unquestioningly trust it in hot water.
Now, this is not an attack on Google Tag Manager, because it's a very useful and effective tool when handled safely. Our intention is to point out the dangers of not managing the potential risks that come with using it, and to encourage you to read all about the many practical ways of ensuring that your tags behave themselves.
Continuous protection
In considering tactics, techniques, and procedures in cyber, organizations must consider employing a continuous web threat management system, such as Reflectiz. Its digital tag management and security tools give your teams complete visibility and control over tags issuing alerts on any changes to tags (and in fact any code on the website) for review and approval. It satisfies the conflicting priorities of both marketing and security teams, allowing Security to do the gatekeeping without restricting the growth and innovation ambitions of Marketing. Read the full case study to find out more.