Website security in large organisations: oversight is vital
Big organisations with fragmented domain name portfolios are at risk
Not long ago, a large Dutch organisation started proceedings under the Dispute Resolution Regulations for .nl Domain Names. The case centred on a website linked to a .nl domain name based on the organisation's brand name. The site had been launched without the brand owner's knowledge, and everything pointed to a phishing scam: it was a poor-quality site without SSL security, and visitors were asked to enter personal data.
Security rules disregarded
A couple of weeks later, it came to light that the site had been set up by one of the organisation's own staffers. Frustrated by the organisation's procedural constraints, he had built a website himself, registered a domain name and chosen a hosting firm. Apparently blissfully unaware that his initiative broke every security rule in the book for business websites.
A relatively extreme case, maybe. But it's by no means unusual for individual teams and departments in large organisations to do their own thing with promotional sites and domains. Efforts are often made to control proliferation by applying procedures, but that can sometimes backfire. If the procedures are too onerous, people will simply take an unregulated route.
Big organisations at risk
Against that background, big organisations are at particular risk. This spring, Elsevier magazine published a survey of hospitals' vulnerability to cyber-attacks. The conclusion was that the biggest hospitals are exposed to most risk, because they have so many sites. More than a thousand in some cases. It's often a legacy issue, reflecting the organisation's history of mergers, takeovers and name changes. Here at SIDN, we're often asked for advice on managing such situations. So we've come up with three golden rules:
Help people to give the right details when registering domain names Publish guidelines on your intranet explaining how domain names should be registered. Exactly how should the organisation's name be written? Who should be named as the admin-c? Whose e-mail address should be used for contact? Make the guidelines as comprehensive as possible. A lot of problems can be avoided by, for example, giving a Trade Register number with each registration. That greatly simplifies the task of linking a domain name, website or contract to a business and its authorised representative. Even after mergers.
Publish your security standards for websites It's inevitable that staff will sometimes ignore procedures, but you can't allow people to jeopardise the security of internet users and the reputation of the organisation. So make sure you tell people what security standards your sites must support. Internal security awareness will promote recognition that there's more to your procedures than bureaucratic formality.
Limit the number of distinct websites Maybe your organisation needs a thousand brand names, but that doesn't mean it needs a thousand matching websites. A redirect with an explanatory notice will usually suffice: "As of date X, we've changed our name to ABC". You may decide that a superseded domain name can be cancelled. If so, let it remain dormant for a while before cancelling, and make sure that everyone knows that the name is no longer used for sending business mail. Otherwise, scammers may pick up your cancelled domain name and use it to pose as your representatives.
What if you've lost track of your domains?
What the golden rules won't help with is getting to grip with domain management if your overview is already long gone. Fortunately, we offer two tools to help .nl registrants regain control of fragmented portfolios.
The Domain Name Portfolio Checker provides a snapshot of all the .nl domain names currently associated with your organisation.
The Domain Name Surveillance Service gives you details of your organisation's .nl domain names, coupled with continuous monitoring to flag up registrations based on your brand name and advice on which ones appear malicious.
Together, the two services put you back in control and make it easier to keep your website and domain name portfolios secure. If you'd like to know more, contact Pim Pastoors by calling +31 657 045 407 or mailing firstname.lastname@example.org.