Mon Nov 14 2022

The visible vs the invisible digital footprint of a company


Every company and every person connected to the Internet has a digital footprint.

Generally, the digital footprint of a company consists of the digital services and products the company uses to run its business. However, this is only the tip of the digital footprint iceberg.

In this blog post we would like to introduce a new viewpoint on what constitutes the digital footprint of a company. The idea is to better understand the implications of digital risks for the proper functioning of your business.

A commonly used graphical representation of the digital footprint is the iceberg visual. The visible part of the iceberg sticking out of the water is the set of assets you expose on the 'white web', the part of the Internet that is accessible to everyone. Exposed assets could be your websites and applications, client portals, DNS and email services, your FTP server, IP addresses, domains and subdomains, and so on. Many of these are also known as shadow IT.

The part of the iceberg below the waterline, the invisible part, is commonly known as the grey and 'dark web'. The grey web consists of the assets, known or unknown to you, that are exposed on the 'white web' but where some form of authentication is required to continue further. A good example are your client portals and APIs that are exposed on the 'white web' but where you need credentials to delve deeper. Lastly, we have the very bottom of the iceberg, the 'dark web'. This is a part of the Internet that is only accessible through proxies and encapsulation. Contrary to common belief, the 'dark web' is not solely used for criminal activities; a lot of legitimate companies have a presence on the 'dark web' as well.

The visible digital footprint

It is no news that the global pandemic has brought about a new wave of digitalization. Remote work became a lot more widespread. Businesses that did not have an online presence are now online. Businesses that had a website are now investing in increasing their online presence, digital services and API-based interconnections with other companies.

As established companies and new companies compete for online space, their digital footprint on the Internet expands and becomes increasingly important for the bottom line.

The visible digital footprint of a company consists of the online identity or online brand maintained by marketing and public relations departments. 

The online reputation of a company results from the visible digital footprint, which can consist of news, ratings, posts in forums, public customer feedback (comments on social media, review posts or other content), and so on. In terms of the managed online brand, businesses usually have a website, business accounts on social media platforms, or social media profiles. This part of the digital footprint is under the control of the business. On the flip side, a business has little to no control over news, ratings or customer feedback.

One of the main risks is therefore the rapid dissemination of negative news or information, which can damage the online reputation of a company. Depending on the seriousness of the incident, such events can have a real-life impact in terms of sales or profitability.

Some of these risks are under the control of the company, and some are not. However, it becomes the responsibility of the company to identify and manage its digital risks. The risks associated with the visible digital footprint will usually be managed in the marketing department. 

The invisible digital footprint

Supporting the visible digital footprint, there is the invisible digital footprint of your business. This consists of the company's digital assets: domains, subdomains, email infrastructure, IP addresses, and third parties. The invisible digital footprint also supports enterprise productivity, communications and business support applications. Digitization and digital collaboration with third parties via cloud services, APIs or shared databases increase the invisible digital footprint. As such, third-party risk becomes a potential digital threat to a company.

An example that combines the visible and invisible digital footprint is the launch of a new website by Marketing or HR without following the due diligence processes of Procurement and/or IT (Security). While launched for the growth of the company, skipping the due diligence processes carries the risk of exposing confidential information or of using an insecure third party or application. This can lead to a data breach or data loss, which in turn can lead to reputational damage.

This illustrates that, as an IT (Security) Manager, you can end up with no view on what is exposed to the Internet, let alone on the risks of all aspects of your digital footprint.

It can take time, effort, know-how and different tools to have an overview of a company's digital footprint. 

The most common components of the invisible footprint include IP addresses, domains, subdomains, email addresses, websites, third-party software, APIs and client/supplier portals.

An IP address (Internet Protocol address) is a unique address used to identify computers on the Internet. Knowing the IP address of a computer gives access to geolocation information, which can be used to target individuals using social engineering.

A subdomain is a prefix added to the main domain to indicate a section of a website. We use subdomains to manage large sections that need their own content hierarchy, such as online stores. Subdomains function as a separate website from the main domain. Having access to this information, an attacker can map the architecture of an online business and identify vulnerable software to exploit. This can result in a data breach or service unavailability.

An email address is an electronic mailbox that sends and receives messages on a computer network. Most of the time it is linked to one person, but it can also be a shared mailbox for a business or a group of people. Email addresses are public information, and companies usually follow the same standard: [email protected]. This information can also be used in social engineering attacks, where for example a financial officer is persuaded to perform an urgent transaction in a crisis-type situation.

A website is a collection of web pages under a common domain name. All public websites constitute the World Wide Web (WWW). Websites can be vulnerable in many different ways, such as when using an outdated browser. When a web application is vulnerable, an attacker can download personal and financial information from the site and use it for their own gain.

Third-party, supply chain or outsourced software is any software, such as applications, that is not created by the company using it. If your company uses cloud services for data storage, this is an example of using third-party software. Ransomware is the most prevalent attack when using an unsecured third party.

An application programming interface (API) makes it possible for companies to connect their applications' data and functionality to third-party collaborators. The idea is to allow digital services and products to communicate with each other and use each other's data and functionality through an interface. The associated cyber risk is an API breach, which is common and can lead to data loss.

A client or supplier portal, also called a vendor portal, is a web interface or an integrated online platform used by companies and their vendors. It can be used for managing supplier information, submitting documents, displaying status, and communicating. Supply chain risk leading to ransomware or data loss is becoming the top risk when changing suppliers.

The reason a business owner should care about these digital footprints is that there is a diversity of security risks associated with unsecured (invisible) digital footprints. The risks range from data breaches and ransomware to service unavailability, breach of regulatory compliance and reputational damage.

As everything online becomes increasingly interconnected, it is critical to be aware of aspects like domains assigned to IP addresses owned by other parties, or vulnerabilities exposing your business to potential intruders. At the same time, IT is more and more cloud-based, from cloud portals to cloud providers, so it can be unclear where company IT infrastructure is located, and the company has less and less control over it.
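As an added illustration (example code written for this post, not a Ceeyu tool), the script below sorts a constructed list of discovered hosts into the iceberg tiers described above (white web: open to everyone; grey web: authentication required) and into "own" versus "third-party" hosting, based on the IP ranges the company actually owns. All hostnames and addresses are made up and use documentation address ranges.

```python
"""Classify discovered Internet-facing assets into footprint tiers and
into own vs third-party hosting. Sample data is constructed for this
example; addresses are from the RFC 5737 documentation ranges."""
import ipaddress
from collections import defaultdict

# Constructed: the address space the company itself controls.
OWNED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed discovery output: (hostname, resolved IP, authentication required?)
DISCOVERED = [
    ("www.example.com", "198.51.100.10", False),    # marketing site, own hosting
    ("portal.example.com", "198.51.100.20", True),  # client portal, own hosting
    ("careers.example.com", "203.0.113.5", False),  # HR site launched on a SaaS host
    ("api.example.com", "203.0.113.77", True),      # API running at a cloud provider
    ("ftp.example.com", "198.51.100.30", False),    # forgotten FTP server
]


def is_owned(ip, owned_ranges=OWNED_RANGES):
    """True if the address falls inside a network the company controls."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in owned_ranges)


def classify(ip, needs_auth, owned_ranges=OWNED_RANGES):
    """Return (tier, control). tier: 'white' (open) or 'grey' (login needed).
    control: 'own' (you can patch it) or 'third-party' (outside your zone of
    control, so it needs third-party risk management instead)."""
    tier = "grey" if needs_auth else "white"
    control = "own" if is_owned(ip, owned_ranges) else "third-party"
    return tier, control


def footprint_report(discovered=DISCOVERED, owned_ranges=OWNED_RANGES):
    """Group hostnames by (tier, control) so each group can be routed to the
    team that can act on it: IT/security for 'own', procurement/TPRM for
    'third-party'."""
    report = defaultdict(list)
    for host, ip, needs_auth in discovered:
        report[classify(ip, needs_auth, owned_ranges)].append(host)
    return {key: sorted(hosts) for key, hosts in report.items()}


if __name__ == "__main__":
    for (tier, control), hosts in sorted(footprint_report().items()):
        print(f"{tier:5} / {control:11}: {', '.join(hosts)}")
```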

In conclusion, it is key to understand the visible and invisible digital footprint of your company, in order to know clearly what is under your control and what is not. The risk arising from the invisible digital footprint can be more severe than the one arising from the visible footprint, because if an asset critical to the business is compromised and it lies outside your zone of control, the impact on the business can be devastating. Therefore it is key to try hard to know the unknown, as well as the level of control your company has over it.

Put simply, business stakeholders and marketeers must not forget about the invisible footprint. Our two cents of advice: involve IT security when in doubt about using a new third party or digital service/product.

Ceeyu is a SaaS platform that can help assess the security of your vendors and other third parties. By using a platform to improve your third-party risk management process, your organization can easily and quickly identify areas of risk. This data will help improve the security of risky vendors, and thereby your own security as well.

Contact us for a demo! [email protected]


Silvana Precup

Author

Cybersecurity professional experienced in cross-functional roles bridging between top management, risk functions, IT and security operations teams, with a knack for TPRM and digital footprint.
