The National Cyber Security Centre (NCSC) has issued new guidance to help brands address the rising threat of malvertising. As part of its recommendations, the UK-based agency calls on businesses to require their digital advertising partners to adopt cybersecurity best practices and comply with industry-recognized standards. By ensuring their partners implement defense-in-depth measures, such as securing ad servers and maintaining the integrity of ad-related code, businesses can significantly reduce the risk of malvertising. This approach also aligns with the NCSC’s principles of “secure by design,” creating multiple layers of security to protect end-users.
A key element of the NCSC’s advice is the importance of robust “know your customer” (KYC) checks. While these may introduce additional friction during onboarding, KYC processes are essential for screening out bad actors who might otherwise exploit digital ad services. The NCSC stresses that, alongside KYC, advertisers should also ensure that their ad partners are using data from reputable, lawfully processed sources, in line with the GDPR. Additionally, advertisers should consider buying inventory only through channels that are certified as meeting established standards.
Another major recommendation from the NCSC is the use of several transparency-boosting tools, such as ads.txt, buyers.json, and DemandChain Object. These initiatives provide visibility into which entities are authorized to sell ad inventory and the details of the bidding process. By enhancing transparency in the advertising supply chain, these tools help prevent the exploitation of legitimate ad services for malicious purposes. Moreover, the NCSC emphasizes the need for digital advertising partners to maintain reliable reporting mechanisms and to share threat intelligence, which can help all parties respond more swiftly to emerging threats.
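As an added illustration (not taken from the NCSC guidance or from this article), the sketch below parses an ads.txt file and checks whether a given ad system and seller account pair has been declared by the publisher. The sample file, domains and account IDs are constructed placeholders, and the exact-match comparison of account IDs is an assumption of this example.

```python
from typing import NamedTuple, Optional

class Seller(NamedTuple):
    ad_system: str                     # domain of the advertising system (SSP/exchange)
    account_id: str                    # publisher's account ID within that system
    relationship: str                  # DIRECT or RESELLER
    cert_authority_id: Optional[str]   # optional fourth field

# Constructed sample file; every domain and ID here is a placeholder.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example
contact=adops@publisher.example
exchange-a.example, pub-1001, DIRECT, abc123   # own account
Exchange-B.example , 77421, reseller
exchange-c.example, 555                        # relationship field missing
exchange-d.example, 9, PARTNER
"""

def parse_ads_txt(text):
    """Return (sellers, variables, malformed) parsed from ads.txt content."""
    sellers, variables, malformed = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and "," not in key:                   # variable record, e.g. contact=
            variables.setdefault(key.strip().lower(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        valid = len(fields) >= 3 and all(fields[:3]) and fields[2].upper() in ("DIRECT", "RESELLER")
        if not valid:
            malformed.append((lineno, raw))          # fail closed: never authorises anyone
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        sellers.append(Seller(fields[0].lower(), fields[1], fields[2].upper(), cert))
    return sellers, variables, malformed

def is_authorized(sellers, ad_system, account_id, relationship=None):
    """True if the pair is declared; domains compare case-insensitively, IDs exactly."""
    wanted = ad_system.strip().lower()
    for s in sellers:
        if s.ad_system == wanted and s.account_id == account_id:
            if relationship is None or s.relationship == relationship.upper():
                return True
    return False

if __name__ == "__main__":
    print(parse_ads_txt(SAMPLE_ADS_TXT))
```

Malformed lines are reported separately so they can be reviewed rather than silently treated as an authorization.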
The NCSC’s research highlights that while less than 1% of ads globally were classified as security violations in 2023, this still represents nearly three billion ad views, with the UK seeing a significantly higher rate of malvertising than the global average. In response, the NCSC calls on the entire advertising ecosystem—including platforms, advertisers, and publishers—to work together to eliminate malicious actors from the space. By adopting a defense-in-depth approach, stakeholders can collectively reduce the likelihood of cyberattacks and safeguard users from harmful advertising practices.