(Third) Party Planning: Be careful who you invite!

June 5, 2019

From a customer’s point of view, your website’s digital experience is one of the most important investments you can make for them. They are your revenue stream, your fiercest critic and the reason you exist.

One great way you can improve your digital experience is by using third-party providers. Many of these providers will help you win more business, provide cool features, gather better data and much more. You need to consider the type of third-party your business needs that are going to improve your revenue conversion and whether that return justifies the investment and perhaps, most importantly, that implementing the new third-party doesn’t damage your well-earned reputation for an excellent user experience (if you have one!).

When we talk about helpful third-parties, they come in many forms. From Marketing, Advertising, Analytics, Application Performance Monitoring, Helper Libraries, Fonts, Image Libraries, Social, Customer Success Tools, AI, Big Data Collection, Video, Hosting, Payments and Content Delivery Networks to name but a few, all are very valuable to your business but the costs of implementing them can soon add up in more ways than one.

Are you being careful about who you invite to help your business win online?

Third-Party Performance

Every single third-party has a weight, a latency, a footprint on your website performance. Some are amazing, some are awful, some are a mixture of both and you MUST understand this. We have seen websites with over 80 third-party providers many of which are causing detrimental impacts for very little ROI compared to the impact they are having on the overall performance of the site and in turn the digital experience which has direct revenue impacts.

According to Neil Patel: 47% of internet users actually expect a web page to load in 2 seconds or less with 53% of people abandoning a website that takes longer than 3 seconds to load, so getting this right is paramount, therefore the size, speed, and location of third-party files are very important. Below are a few things to consider when thinking about third-party performance:

Ask for evidence of how the third-party is loaded on to your site: How many files, how big are they, where are they from and which other businesses use their product so you can monitor their usage.
Even small files could spend too much time connecting to a poor DNS so it’s not just how big the third-party javascript file is it’s how you connect to it too so perhaps pre-connecting and understanding how good your suppliers DNS is important. You could host their files if they are poor, however, this might leave patching gaps.
It is best practice to lazy load your third-parties, non-display critical third-party files loading below the fold (after the first meaningful paint to ensure this is under 1.5 seconds if possible). Because Javascript is parser blocking, DOM construction is paused when it executes so you can also use async or defer techniques.
Any third-party you load should be doing so on average in less than 200ms unless they have a very good reason for not doing so and that reason is accepted by your business.
Anything big should be left to the very end of your load process, for example, live chat tools find themselves at the back of the queue as they are very bulky due to the fact they interact heavily with the customer and give you great added benefits.
Consider how many third-parties you are loading in versus your CPU idle time. You want your page to be mostly idle by 4.7 seconds at the very most (Google define this as ‘Fast’), by definition, this leaves you space for up to 20 fast functional third-parties, any more and you risk damaging your digital experience.

For more details on techniques to ensure your third party loads fast: Google Developer Tools

Even racehorses are slow in the wrong conditions.

Third-Party Security

One of the world’s most potent hacking groups Magecart directly targets not only you but your third-parties to look for weaknesses in your supply chain, so having lots of third-parties would increase the likelihood of attack due to the increase in potential attack vectors.

An example of this was Adverline whose advertising retargeting scripts was directly compromised, then loaded on to numerous websites providing ticketing and flight booking services as well as self-hosted retail websites stealing customers payment details. 277 business were compromised due to a single hack which permeated out from a central location. Those businesses had excellent security but they were hacked via a vector they had little or no control over.

More often than not, most third-parties have excellent security records, they are strong businesses who have spent time and budget ensuring they are a very trustworthy source. However, many are new businesses or businesses who do not understand the risks. Yes, they have great products but they are an issue to your overall security and reputation so you need to understand how much of a risk they pose.

Ask your third-party providers what security and privacy policies they have and what is their response protocol to a data breach, including whether you are insured at their end if the worst were to happen.
Keep up to date with patching (this includes all your frontend Javascript files and if the third party does their own, it might be an idea to ask them their strategy).
Look at implementing Content Security Policies, however, these are still quite difficult to manage in fast-paced businesses, marketing will not be exactly delighted!
Monitor all the calls coming out of your website to suspicious untrusted destinations.
Ensure you have an appropriate response protocol if either you or your business are compromised by a third-party.

You know how strong your defences
are, but can you say the same for your third-parties?

In conclusion, why do you need to be careful when inviting third-party providers onto your website?

They may have detrimental performance impacts which actually reverse the ROI they were supposed to bring, so understanding how you may be impacted is fundamental.
They may be a potential security risk, which, if exploited could damage your reputation so ensure you put in practical monitoring measurements and response protocols.
They might be a GDPR or privacy issue dependent on the data they collect but that’s another blog for another day.
They can change their files without you knowing which means they are unpredictable and/or could have unintended consequences which are difficult to manage so you need to monitor this over time.

With RapidSpike you can interrogate your third-parties and overall performance using our Intelligent Page Monitors (IPMs) and continuous google lighthouse audits which will help you improve the performance of your website, and in turn, your digital experience.

RapidSpike can also be used to monitor for data being sent to untrusted destinations using our Data Breach Monitoring solution, plus you can also understand your javascript patching, deprecated APIs and other important client-side security issues using Insights.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.