How to overcome the many tech battles MOPs teams face daily
From security updates and web application firewalls to regular system hygiene, marketing technologists have multiple options to safeguard their brand from malicious activity.
Martech practitioners face many different challenges beyond those related to organizational politics. Unfortunately, there are bad actors out there to keep us on our toes. As hybrid professionals, we shouldn’t just leave these challenges to the techies — isn’t “tech” our specialty?
Most of these battles are with spammers, bots, hackers, and other bad actors, but there’s little need to feel helpless. When it comes to countermeasures to thwart them, there are many options.
Honey Pots. I’ve seen a couple of different types. One is placing a field on a form that’s hidden by CSS. Humans won’t see it, but bots will see it in the code. So, if that field is filled out, the submission is rejected. Second, there’s a timing strategy. A form submission that arrives less than two seconds after page load should raise red flags.
However, keep in mind that with browser auto-fill functionality, one shouldn’t make this too stringent. In addition to flagging a suspiciously quick submission, it may also make sense to consider submissions that take too long. Using web analytics data can help provide guidance on how to address timing by looking at behavior on forms.
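Both honeypot checks can run together on the server. The sketch below is an added example, not code from any particular form platform; the field names `company_website` and `form_token`, the secret key and the one-hour upper limit are assumptions. The page-load time is signed so a bot cannot simply claim a slow submission, and timing anomalies are flagged for review rather than rejected, to allow for auto-fill.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-key"  # assumption: never sent to the browser
HONEYPOT_FIELD = "company_website"  # hypothetical name of the CSS-hidden field
MIN_SECONDS = 2        # the two-second threshold from the text
MAX_SECONDS = 60 * 60  # assumption: forms older than an hour count as stale


def issue_token(now=None):
    """Return 'timestamp.signature' for a hidden input, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_submission(fields, now=None):
    """Return (verdict, reason); verdict is 'accept', 'flag' or 'reject'."""
    now = time.time() if now is None else now
    # 1. Honeypot: humans never see this field, so any value means a bot filled it.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return "reject", "honeypot field filled"
    # 2. The render time must carry our signature, or a bot could claim any load time.
    ts, _, sig = fields.get("form_token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return "reject", "missing or malformed timing token"
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "reject", "forged timing token"
    # 3. Timing: flag instead of rejecting, since auto-fill can be legitimately quick.
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return "flag", "submitted too quickly"
    if elapsed > MAX_SECONDS:
        return "flag", "submitted after too long"
    return "accept", "ok"


if __name__ == "__main__":
    token = issue_token(now=1_700_000_000)  # constructed sample render time
    sample = {"form_token": token, "email": "visitor@example.com"}  # constructed input
    print(check_submission(sample, now=1_700_000_015))
```

Flagged submissions can be held in a review queue, with the two thresholds tuned against the form-timing behavior seen in web analytics.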
reCAPTCHA. Have you ever been asked to identify the characters in a fuzzy image, the pictures with cars in them, or words scanned from a book? That’s reCAPTCHA. These tools can help fight spam and other fraudulent activity. Despite this, there are some things to consider. First, there are accessibility concerns; be sure to offer validation options for site visitors with accessibility needs. Second, in my experience, I’ve seen spammers evade this countermeasure by spoofing successful reCAPTCHA (in fact, I’m referring to Google’s tool) responses. So, keep an eye on them.
Security Updates. Keep your applications and systems updated! There are a variety of angles to consider here. For instance, I have managed several open-source CMS websites for clients in the past, and all of these platforms have security concerns that vary in severity. There were times when spammers would deface the site using a particularly insecure platform, and the vulnerabilities came through core code and plugins. In order to address the defacement, we would restore the site from a backup and then apply updates to plug holes.
Open source doesn’t necessarily mean insecure; some communities are very active and robust with their security. So, it’s important to tap into the security channels and update code when warranted. Even closed platforms release updates on a defined cadence. In many cases, platforms and communities will also communicate about security updates to underlying code libraries.
Further, there’s more to worry about than the application. There’s the server, its operating system, and other software. Hosting companies typically assume responsibility for these layers and will inform their clients of updates and any brief impacts to availability. Organizations managing their own infrastructure need to stay on top of this.
Web Application Firewalls (WAF). These firewalls put additional layers between people and the servers and databases serving the website. They’re typically paired with Content Delivery Network (CDN) services. WAFs monitor wide swaths of internet traffic and try to proactively block suspicious traffic (like spammers and malicious bots) and even absorb DDoS attacks while protecting a site’s underlying infrastructure. For instance, if they see sketchy behavior on a site from an IP address range, the provider can block that for the other sites it serves. Or if they notice that hundreds of smart baby monitors are hitting a specific site, it can block that traffic, too. This is a particularly valuable tool to combat bad actors.
Regular System Hygiene. This includes active user management among other tasks. It’s important to review who has access to a system to determine if they’re still with the organization and still need access. Each account is a vector of attack. Another important practice is to review user roles and permissions. Platforms like Drupal provide rather granular permissions control, and sometimes it requires some consideration of the consequences of granting specific rights.
These aren’t perfect solutions, but they’re better than nothing. Bad actors are competent, persistent, and eager to neutralize countermeasures. So, this is an ongoing battle, which means our IT security friends have job security.