There are more than 370 million registered domain names on the Internet. Millions go unused. And some haven’t been updated in years, largely because the companies that registered them have forgotten about them.
Companies would never forget where their offices are located, yet they routinely lose track of their “online real estate.” And that’s a serious threat to the security and viability of their operations.
Firms often own thousands of domain names. That makes good business sense: Marketing can use unique landing pages for different promotional efforts or campaigns. Company lawyers may even buy up similar—but incorrect—spellings of the flagship domain to avert fake product lines, unwanted complaints, or phishing attacks.
But it’s surprisingly easy to lose track of all those domain names—or leave them unsecured. Employees may register domains and forget to renew the registrations, for example. Or they may register domain names on their own and then leave the company.
Such practices pose enormous risks to companies’ reputations and bottom lines.
Domain Name Security Risks
When companies don’t lock their domains, those domains can be subject to automatic updates from unknown parties, including hackers. Just 17% of the world’s 2,000 largest public companies lock their domains with the highest level of protection offered—and 14% have no protection at all.
Other domain name security issues abound: Only half of all domains use DMARC, a system that prevents email spoofing. Just 60% of domains have a Secure Sockets Layer (SSL) certificate, a digital certificate that prevents the theft of sensitive information. Only 3.5% of the 2,000 largest companies use Domain Name System Security Extensions (DNSSEC), which prevent common hacker tactics such as “cache-poisoning” or “man-in-the-middle” attacks.
Keeping good track of domain registrations can also help companies comply with privacy laws. Many countries and California require “cookie banners” that alert visitors that their data will be collected. A company can risk huge fines if an errant domain that everyone forgot existed is caught “stealing” user data without the requisite cookie notification.
Incorrectly registered domains can come back to haunt you. Imagine an employee registers a domain for his company in his own name, then he gets fired or leaves on bad terms. He could use that domain to bash his former employer and rally potential customers to his cause.
How to Maintain Domain Name Security
There are several simple ways to manage your domain portfolios to guard against domain name security headaches.
First and foremost, create a policy for new domain name registrations that dictates who can register domain names, when registration requests can be submitted, how and where to submit requests, and what domain names should be registered. Involve the IT, brand, marketing, legal, and other departments that interact with domains in crafting the policy.
A strong, clearly written domain name policy ensures that every employee understands how to register a new domain correctly and securely. Once finalized, the policy should be widely distributed and easily accessible to all employees.
You can take other concrete steps, such as creating “brand tiers” to better manage domain name requests, and ranking the requests based on criteria such as shelf life and geographic reach. A universal domain name request form can assist employees who process those requests to prioritize them.
An annual review of domain names is a good idea, too. The marketing department can do an audit to make sure all domains are still in use. IT staffers can investigate whether there are any server lapses.
It’s also crucial that registered domains adhere to proper security protocols. For example, all domains should be locked with at least the “clientTransferProhibited” status code, which will block the transfer of domains to new registrants unless a user provides an authorization code. Locked statuses prevent fraud and automated updates.
In addition, ensure that your domain registrations auto-renew to avoid lapses. Relying upon credit cards to renew registration is particularly risky because the credit card on file could expire.
You should regularly review your domain names for common errors, too. For example, make sure domain names lead to the same location whether or not there is a “www” before the name.
HTTP statuses are also worth checking. Those are notes from the server about a request to bring up a certain page. The statuses to look for are 200 “OK,” which indicates a successful interaction between the browser and server, and 301 “Moved Permanently,” which lets users know a page’s new location.
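The checks described above (lock status, upcoming expiry, matching “www” and bare-domain destinations, and 200/301 responses) can be scripted for a periodic review. The following is an added example, not part of the original article or any vendor's tool. It assumes WHOIS text in the common “Domain Status:” / “Registry Expiry Date:” layout (formats vary by registry) and uses constructed sample data for placeholder domains; the function names and the 60-day warning window are illustrative choices.

```python
import re
from datetime import datetime, timezone

def parse_whois(text):
    """Return (set of EPP status codes, expiry datetime or None) from WHOIS text."""
    statuses = set(re.findall(r"^\s*Domain Status:\s*(\w+)", text, re.M))
    m = re.search(r"^\s*Registry Expiry Date:\s*(\S+)", text, re.M)
    expiry = None
    if m:
        expiry = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return statuses, expiry

def final_url(url, responses, max_hops=5):
    """Follow 301 redirects through recorded responses; return (url, status)."""
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        if status != 301 or not location:
            return url, status
        url = location
    return url, None  # redirect loop or chain longer than max_hops

def audit(domain, whois_text, responses, today, warn_days=60):
    """List findings for one domain; an empty list means every check passed."""
    findings = []
    statuses, expiry = parse_whois(whois_text)
    if "clientTransferProhibited" not in statuses:
        findings.append("not locked: clientTransferProhibited missing")
    if expiry is None:
        findings.append("expiry date not found")
    elif (expiry - today).days < warn_days:
        findings.append(f"expires in {(expiry - today).days} days")
    ends = {h: final_url(f"http://{h}/", responses) for h in (domain, "www." + domain)}
    for host, (url, status) in ends.items():
        if status != 200:
            findings.append(f"{host}: ends with status {status} at {url}")
    if len({url for url, _ in ends.values()}) > 1:
        findings.append("www and bare domain lead to different locations")
    return findings

# Constructed sample data for placeholder domains (not real registry or server output).
TODAY = datetime(2025, 1, 15, tzinfo=timezone.utc)
GOOD_WHOIS = ("Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n"
              "Registry Expiry Date: 2026-01-15T00:00:00Z\n")
GOOD_HTTP = {"http://brand.example/": (301, "https://www.brand.example/"),
             "http://www.brand.example/": (301, "https://www.brand.example/"),
             "https://www.brand.example/": (200, None)}
BAD_WHOIS = "Domain Status: ok https://icann.org/epp#ok\nRegistry Expiry Date: 2025-02-01T00:00:00Z\n"
BAD_HTTP = {"http://promo.example/": (200, None), "http://www.promo.example/": (404, None)}
```

In a real review, the WHOIS text and HTTP responses would be collected for every domain in the portfolio and passed to audit(); the expiry warning is a backstop for domains where auto-renew is off or the payment method has lapsed.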
Domain management software can make it easier to implement the best practices noted in this article, and in some cases it can cut the amount of time that staffers spend on domain compliance by half. Standard domain management software enables users to collate dozens of domain name spreadsheets into one central location, as well as check the security expiration status and key performance indicators for every domain name registered to a company.
If you ignore your domain portfolios and domain name security, you do so at your own peril. Sound policies and competent domain managers can save you considerable time, money, and stress.