Website security in large organisations: oversight is vital

Not long ago, a large Dutch organisation started proceedings under the Dispute Resolution Regulations for .nl Domain Names. The case centred on a website linked to a .nl domain name based on the organisation's brand name. The site had been launched without the brand owner's knowledge, and everything pointed to a phishing scam: it was a poor-quality site without SSL security, and visitors were asked to enter personal data.

Security rules disregarded

A couple of weeks later, it came to light that the site had been set up by one of the organisation's own staffers. Frustrated by the organisation's procedural constraints, he had built a website himself, registered a domain name and chosen a hosting firm. He was apparently blissfully unaware that his initiative broke every security rule in the book for business websites.

Don't overcomplicate

A relatively extreme case, maybe. But it's by no means unusual for individual teams and departments in large organisations to do their own thing with promotional sites and domains. Efforts are often made to control proliferation by applying procedures, but that can sometimes backfire. If the procedures are too onerous, people will simply take an unregulated route.

Big organisations at risk

Against that background, big organisations are at particular risk. This spring, Elsevier magazine published a survey of hospitals' vulnerability to cyber-attacks. The conclusion was that the biggest hospitals are exposed to the most risk, because they have so many sites. More than a thousand in some cases. It's often a legacy issue, reflecting the organisation's history of mergers, takeovers and name changes. Here at SIDN, we're often asked for advice on managing such situations. So we've come up with three golden rules:

  1. Help people to give the right details when registering domain names. Publish guidelines on your intranet explaining how domain names should be registered. Exactly how should the organisation's name be written? Who should be named as the admin-c? Whose e-mail address should be used for contact? Make the guidelines as comprehensive as possible. A lot of problems can be avoided by, for example, giving a Trade Register number with each registration. That greatly simplifies the task of linking a domain name, website or contract to a business and its authorised representative. Even after mergers.

  2. Publish your security standards for websites. It's inevitable that staff will sometimes ignore procedures, but you can't allow people to jeopardise the security of internet users and the reputation of the organisation. So make sure you tell people what security standards your sites must support. Internal security awareness will promote recognition that there's more to your procedures than bureaucratic formality.

  3. Limit the number of distinct websites. Maybe your organisation needs a thousand brand names, but that doesn't mean it needs a thousand matching websites. A redirect with an explanatory notice will usually suffice: "As of date X, we've changed our name to ABC". You may decide that a superseded domain name can be cancelled. If so, let it remain dormant for a while before cancelling, and make sure that everyone knows that the name is no longer used for sending business mail. Otherwise, scammers may pick up your cancelled domain name and use it to pose as your representatives.
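The three rules above can be turned into a repeatable audit of a domain-portfolio inventory. The script below is an added example, not SIDN's own tooling or any of the services mentioned later on this page; the organisation name, canonical host, central admin-c mailbox and the four inventory records are all constructed for illustration. It checks each record for consistent registration details (rule 1), TLS on live sites (rule 2), and redirects to the canonical site plus no mail from names being retired (rule 3).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed house standards for a hypothetical organisation; replace with your own intranet guidelines.
CANONICAL_ORG_NAME = "Example Organisation B.V."
CANONICAL_HOST = "www.example.nl"
CANONICAL_SITE = "https://" + CANONICAL_HOST
ALLOWED_ADMIN_CONTACTS = {"domains@example.nl"}


@dataclass
class DomainRecord:
    """One row of a domain-portfolio inventory (constructed data, not real registrations)."""
    name: str
    registrant_name: str
    admin_email: str
    trade_register_number: Optional[str]
    has_tls: bool
    redirects_to: Optional[str]   # final URL after redirects; None means the host serves its own content
    sends_mail: bool              # still used as a sender domain for business mail?
    status: str                   # "active", "dormant" or "cancelled"


def audit_domain(rec: DomainRecord) -> List[str]:
    """Return one finding per rule the record violates; an empty list means compliant."""
    findings: List[str] = []

    # Rule 1: registration details must follow the published guidelines.
    if rec.registrant_name != CANONICAL_ORG_NAME:
        findings.append(f"registrant name '{rec.registrant_name}' deviates from house style")
    if rec.admin_email.lower() not in ALLOWED_ADMIN_CONTACTS:
        findings.append(f"admin-c {rec.admin_email} is not the central domain contact")
    if not rec.trade_register_number:
        findings.append("no Trade Register number recorded for this registration")

    # Rule 2: every live site must meet the published security standard (here: TLS).
    if rec.status == "active" and not rec.has_tls:
        findings.append("live site is served without TLS")

    # Rule 3: legacy names redirect to the canonical site; names being retired must not still send mail.
    if rec.status == "active" and rec.name != CANONICAL_HOST:
        if rec.redirects_to is None:
            findings.append("serves a distinct website; consider redirecting to the canonical site")
        elif rec.redirects_to != CANONICAL_SITE:
            findings.append(f"redirects to unexpected target {rec.redirects_to}")
    if rec.status in ("dormant", "cancelled") and rec.sends_mail:
        findings.append("name is being retired but is still used for sending business mail")

    return findings


def audit_portfolio(records: List[DomainRecord]) -> Dict[str, List[str]]:
    """Audit every record in the inventory, keyed by domain name."""
    return {rec.name: audit_domain(rec) for rec in records}


# Constructed sample inventory (hypothetical names, contacts and register numbers).
SAMPLE_PORTFOLIO = [
    DomainRecord("www.example.nl", CANONICAL_ORG_NAME, "domains@example.nl", "12345678",
                 True, None, True, "active"),
    DomainRecord("oldbrand.nl", "Example Org", "j.doe@example.nl", None,
                 True, CANONICAL_SITE, False, "active"),
    DomainRecord("promo-example.nl", CANONICAL_ORG_NAME, "domains@example.nl", "12345678",
                 False, None, False, "active"),
    DomainRecord("retired-example.nl", CANONICAL_ORG_NAME, "domains@example.nl", "12345678",
                 True, CANONICAL_SITE, True, "dormant"),
]

if __name__ == "__main__":
    for name, findings in audit_portfolio(SAMPLE_PORTFOLIO).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the inventory would be populated from your registrar's export and a periodic crawl of each host, rather than typed in by hand; the point of keeping the checks in one function is that the published standards and the audit stay in step.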

What if you've lost track of your domains?

What the golden rules won't help with is getting to grips with domain management if you've already lost your overview. Fortunately, we offer two tools to help .nl registrants regain control of fragmented portfolios.

The Domain Name Portfolio Checker provides a snapshot of all the .nl domain names currently associated with your organisation.

The Domain Name Surveillance Service gives you details of your organisation's .nl domain names, coupled with continuous monitoring to flag up registrations based on your brand name and advice on which ones appear malicious.

Together, the two services put you back in control and make it easier to keep your website and domain name portfolios secure. If you'd like to know more, contact Pim Pastoors by calling +31 657 045 407 or mailing pim.pastoors@sidn.nl.

Michiel Henneke

Marketing manager

+31 26 352 55 00

marketing@sidn.nl
