[TUTORIAL] Why you want to use GTM on the web
Monika Holoušová
29.6.22
reading for 12 minutes
You want to measure the behavior of your customers and move your business forward. So you have Google Analytics, Hotjar and probably a few other measurement codes, such as the Facebook (Meta) Pixel, installed on your website. You can manage them all in one tool. We do this in Google Tag Manager and teach it to our clients. Learn what to look out for when using it and whether it is safe for your website.
You need to manage all the measurement codes deployed to your site efficiently and securely. There are several tools that will help you with this: Google Tag Manager, Matomo, Segment.
Alternatively, you can insert the measurement codes directly into the page and hope that you will still find your way around them in a few years.
We do not recommend this option.
It takes up time, energy and money. Unnecessarily.
We at House recommend Google Tag Manager to our clients and set up their measurement in it. After all, if you follow the basic rules, it is a safe and reliable tool. Let's take a look at the biggest risks you face when implementing Google Tag Manager and how to prevent them.
Why it makes sense to have a Google Tag Manager on the web
1. Saves time across the team
This tool will save time for both your marketing team and developers.
→ Thanks to it, marketers can deploy measurement codes partially on their own.
→ Often overloaded developers do not need to look for capacity to manage measurements.
For a large number of platforms, the administrator can use code from a ready-made template in Google Tag Manager. So you just need to know what you want to measure. You can pick up the rest in the gallery.
And if you don't choose from a template, you create your own HTML tag and paste the code into it. So templates are the easiest way, but GTM also offers other options.
2. Simplifies code maintenance
Another advantage is clarity in the maintenance of marketing and analytical codes. You have them all in one place, and at any time you can suspend them, remove them from the site, modify them, or extend them to measure other events or customer behavior.
3. Makes measurement changes less stressful
Changing code is also seamless: Google Tag Manager's Debug Mode makes it easy and quick to test the functionality of new code. In addition, all previous versions of the measurement codes remain stored in GTM. So if the current version doesn't work for you and you want to go back to one of the previous ones, you just have to publish it.
Security gaps when using Google Tag Manager
Google Tag Manager itself is secure. However, as with many other tools, there are possible risks that come from the content placed in GTM itself. For the overall safety of your website, it is crucial:
- what scripts you put in Google Tag Manager,
- to whom you give the right to publish the deployed measurement codes,
- and to what extent you have control over permissions.
So what are the biggest risks associated with using Google Tag Manager?
Potential mistakes of a marketer or analyst
One of the causes that can negatively affect the functioning of the site is a problem overlooked by the Google Tag Manager administrator. For example, if your marketer does not understand scripts, he will easily miss an error message that alerts him to a problem when adding code.
Of course, even a more experienced GTM user can make a mistake. For example, when deploying a custom script, the analyst does not test its functionality sufficiently and does not discover an error that slows down the entire site.
The risk of human error is always there. However, the more experience a user has with Google Tag Manager and measurement scripts, the less likely they are to run into similar problems.
Placement of a malicious script
With the help of GTM, you can insert scripts from different providers into your website, both by using ready-made templates and by creating your own HTML tags.
Some providers are trustworthy and some less so.
And if you put scripts from dubious sources on the site, you are asking for trouble.
Example:
In practice, we came across a case where a client tested an unverified tool. The operator later discontinued it and did not renew the domain. The freed domain was then bought by an attacker, who placed advertising banners for Chinese products on the client's website.
Of course, you can cause similar problems without Google Tag Manager: you just place the script directly in the HTML page. However, in our experience, similar problems are more often related to dubious marketing tools, which are most often deployed precisely through GTM.
Targeted attack on the web
People with high privileges in GTM can make a large number of edits to the site. The problem arises when someone obtains high privileges illegitimately. This can happen in two ways: 1) you share the account with them, 2) they attack a vulnerable account of an authorized user.
What can such a miscreant then do to your site? Most often one of these things:
- inserts elements that do not belong there: a video or image that may harm you,
- deletes some elements: you definitely want a button such as “Complete Order” on the site,
- redirects your site to a competitor: in our case it would be a different kind of website, but the result is the same as for an e-shop, namely that potential clients do not find us and do not purchase our goods/services,
- reads the cookies of your users: That doesn't sound so tragic, does it? However, if your programmers have not secured the cookies, an attacker can get all the way into the site administration with all the permissions. And maybe delete the content of the site.
Are you still calm?
What?
Well done, read on.
How to reduce security risks to a minimum
By following a few simple rules, you reduce risks to a minimum and reap the benefits that Google Tag Manager brings to its users.
We have summarized the safety rules of using GTM in 4 points.
1. Assign appropriate roles and permissions
At the account level, there are two types of permissions — administrator and user. The administrator can grant and remove permissions to individual users, the user can then make adjustments to the GTM settings.
From a security point of view, the key action is “publishing” — that is, the action in which changes in GTM are displayed to the users of the site.
- Only give the administrator role and the right to publish to authenticated users.
- All other users must have the “user” role and permission to edit or approve changes (but never to publish).
With this setup, users can make all sorts of adjustments in GTM. But before they appear on the site, they always go through an administrator who checks them and only then publishes them.
Action: In the GTM administration, check who has access to it and what type of permissions they have.
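One way to run this check over a saved permissions listing, as an added example that is not part of the original article. It assumes the response shape of the Tag Manager API v2 `accounts.user_permissions.list` call; the e-mail addresses, container IDs and the `APPROVED_PUBLISHERS` list are constructed.

```javascript
// Constructed sample in the shape of an accounts.user_permissions.list response.
const samplePermissions = {
  userPermission: [
    { emailAddress: "lead.analyst@shop.example",
      accountAccess: { permission: "admin" },
      containerAccess: [{ containerId: "111", permission: "publish" }] },
    { emailAddress: "marketer@shop.example",
      accountAccess: { permission: "user" },
      containerAccess: [{ containerId: "111", permission: "approve" }] },
    { emailAddress: "freelancer@mail.example",
      accountAccess: { permission: "user" },
      containerAccess: [{ containerId: "111", permission: "publish" },
                        { containerId: "222", permission: "edit" }] },
  ],
};

// Assumption: the people you have explicitly approved to administer and publish.
const APPROVED_PUBLISHERS = ["lead.analyst@shop.example"];

// Return every admin or publish grant held by someone outside the approved list.
function reviewPermissions(listResponse, approvedPublishers) {
  const approved = new Set(approvedPublishers.map((e) => e.toLowerCase()));
  const findings = [];
  for (const u of listResponse.userPermission || []) {
    const email = (u.emailAddress || "").toLowerCase();
    if (approved.has(email)) continue;
    if (u.accountAccess && u.accountAccess.permission === "admin") {
      findings.push({ email, issue: "account admin" });
    }
    for (const c of u.containerAccess || []) {
      if (c.permission === "publish") {
        findings.push({ email, issue: `publish on container ${c.containerId}` });
      }
    }
  }
  return findings;
}

for (const f of reviewPermissions(samplePermissions, APPROVED_PUBLISHERS)) {
  console.log(`REVIEW ${f.email}: ${f.issue}`);
}
```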

2. Set up two-step verification
Logging in with just a username and password is not secure.
Never and nowhere.
To e-mail, to social networks, to a bank account. And not even into Google Tag Manager.
We recommend that all our clients turn on so-called two-step verification. This is an additional identity verification step: for example, a code sent by SMS or an authentication app on your phone; some platforms and apps also allow you to use a security key or confirm a prompt on another device.
GTM uses SMS, an authentication app and phone prompts, and you can choose which option is most convenient for you. In addition, Google has its own Authenticator, so we recommend using that one. It works on Android and iOS, and you can use it to log in to Gmail, Facebook, domain administration or hosting, and other places.
Two-step verification should be the absolute standard for signing in to all security-conscious services.
Action: Check that you have two-step verification turned on for your Google account. If not, turn it on immediately.
In the settings of the GTM workspace where the measurement code is located (the so-called container), we also recommend requiring two-step verification “for certain operations”. This protects you against potentially risky actions, such as changing user permissions or editing JavaScript tags and HTML tags.

3. Use only templates and scripts from verified providers
If you deploy, for example, Google Analytics to your website through GTM, select from the template gallery only templates created directly by Google, or choose other authors that you really consider trustworthy.
In the same way, choose templates for the tags of marketing or affiliate platforms, or create your own HTML tags. Official platform templates tend to be verified and secure, and by using them you avoid the risk of introducing a problematic script into the site.

Action: Go through all the tags in GTM that are deployed on the website. Consider whether each tag is trustworthy and whether you are still using it. If not, remove it.
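The walk-through of tags can be partly automated from a container export. The following is an added example, not part of the original article: it reads a GTM "Export Container" JSON file, lists every Custom HTML tag, and flags script hosts that are not on a list you have approved. The sample container, the host names and `APPROVED_HOSTS` are constructed.

```javascript
// Assumption: hosts you have reviewed and decided to trust (constructed list).
const APPROVED_HOSTS = ["www.googletagmanager.com", "static.hotjar.com"];

// Constructed sample in the shape of a GTM "Export Container" JSON file.
const sampleExport = {
  exportFormatVersion: 2,
  containerVersion: { tag: [
    { name: "GA4 - page view", type: "gaawe", parameter: [] },
    { name: "Hotjar", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
      value: '<script async src="https://static.hotjar.com/c/hotjar-0.js"></script>' }] },
    { name: "Old widget trial", type: "html", paused: true, parameter: [{ type: "TEMPLATE", key: "html",
      value: "<script src='//cdn.widget-trial.example/w.js'></script>" }] },
    { name: "Inline loader", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
      value: "<script>var s=document.createElement('script');" +
        "s.src='https://t.tracker.example/a.js';document.head.appendChild(s);</script>" }] },
  ] },
};

// Collect every host referenced in a tag body. Matching URLs anywhere in the
// text also catches hosts loaded by inline JavaScript, not only src= attributes.
function hostsInHtml(html) {
  const hosts = new Set();
  for (const m of html.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Report each Custom HTML tag (type "html") with the hosts it references
// and the subset that is not on the approved list.
function auditContainer(exportJson, approvedHosts) {
  const approved = new Set(approvedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const tag of exportJson.containerVersion.tag || []) {
    if (tag.type !== "html") continue;
    const body = (tag.parameter || []).find((p) => p.key === "html");
    const hosts = hostsInHtml(body ? body.value : "");
    const unapproved = hosts.filter((h) => !approved.has(h));
    findings.push({ tag: tag.name, paused: Boolean(tag.paused), hosts, unapproved });
  }
  return findings;
}

for (const f of auditContainer(sampleExport, APPROVED_HOSTS)) {
  const status = f.unapproved.length ? "REVIEW: " + f.unapproved.join(", ") : "ok";
  console.log(`${f.tag}${f.paused ? " (paused)" : ""}: ${status}`);
}
```

Paused tags are reported too, because a forgotten trial tag that is later re-enabled still points at whoever controls that domain today.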
4. Use server-side Google Tag Manager
If, in addition to the security of managing the measurement codes, you also care about the security of the transfer of personal data of your website users, consider implementing server-side Google Tag Manager.
Among other advantages, server-side GTM lets you alone decide which data is provided to third parties. If you do not want to send some data to Google Analytics (such as IP addresses), server-side measurement will ensure that this does not happen.
Proper server-side measurement requires knowledge, the time of analysts and programmers and, of course, operating costs. Therefore, we recommend addressing it especially when you need security at the highest possible level. This is necessary for banks and similar institutions, for example.
The advantages and disadvantages of server-side GTM are described in the article What is server-side measurement. Read it to see when it makes sense for you and when it doesn't pay off.
A few steps will take your GTM security to a pro level
The described security rules are not a 100% guarantee that no one will ever hack into the site or the tools you use. Unfortunately, we cannot guarantee this in the online world.
However, if you behave prudently when using Google Tag Manager, grant permissions only to people who are authorized (and competent), use templates and scripts from verified sources, and take further steps to secure the personal data of your users, you don't have to worry about using Google Tag Manager.
On the contrary, it will make a lot of work easier for you.
>> Help us increase security on the Internet and share this article. <<
Not sure about the security of your Google Tag Manager, or do you want to deploy it securely on your website and don't know how to do it?
Let us know! Our team of experienced analysts can help you set up, check and implement them into the web.