With companies constantly seeking to cut costs, many look at the wealth of web domains they own and decide to conduct a “spring cleaning” of sorts by scaling back on their strategic investments in them.
There are nearly 360 million domain name registrations, after all. In certain cases, these domain names are not in use anymore. A brand may, for example, register a name to promote a particular, one-time event like a charity drive, and the unnecessary domain is collecting the equivalent of cyber dust. Other obsolete domains exist because they were intended for since-retired products. Or, a company might have started out by creating all of the names it could think of in hopes of increasing online exposure or to protect their brand/IP in generic top-level domains (gTLDs) and different countries, and now, it doesn’t see value in keeping the vast majority of them.
So, as with empty office spaces and workstations, a business will sometimes try to reduce expenses through a “domain downsizing” initiative. But that would be a mistake.
5 Ways to Protect Your Domains
- Register all available high-risk domain names.
- Emphasize the importance of domain names.
- Get proactive with monitoring and defense.
- Conduct a detailed domain forensic analysis.
- Extend zero trust (ZT).
Don’t Skimp on Domain Security
Every domain you own creates a digital fingerprint for your business. Even if it is no longer in use, its association with your company remains a matter of public record in perpetuity. By fingerprint, I mean that if the domain had an MX record, which allows email on a domain name, then anyone can see this and, once reregistered, can set it up again. Essentially, an abandoned domain is out there for anyone to grab — including cyber criminals, who will weaponize it to hatch phishing/fraud schemes through online brand impersonations. This results in significant costs for corporate victims in the form of revenue loss, reputational damage and potential lawsuits.
In addition, these criminals can exploit a discarded domain to target your own company’s employees as well via phishing techniques. Bad actors reregister the discarded domains that companies let lapse, and they’re constantly on the lookout for available, branded domains they can weaponize. They could send a legitimate-looking but bogus email to a manager, for instance, that says “Hey, have you seen this domain? Will you check it out to see if it’s still associated with us and active?” The domain itself, of course, will now lead to a malware exposure.
The situation is quite common, with attackers targeting the Domain Name System (DNS) in one-third of breaches. In our own research, we found that 72 percent of Global 2000 companies have implemented less than one-half of necessary security measures for their domains. Lax domain security across companies around the world only encourages the bad guys to stake out your domains, waiting to snatch vacated ones.
Ironically, despite spending millions of dollars on cybersecurity, a brand may try to cut relative pennies by trying to downsize its domain portfolio. We’ve seen companies implement this strategy and then deeply regret it. They realize too late that they’ve exposed themselves and now spend a great deal of time and resources working through legal enforcement and recovering the names. In other words, they end up losing much more than they saved.
How to Protect Your Domains
So, instead of letting domains lapse, you should take steps to better protect them. To do so, we recommend the following best practices.
Register All Available High-Risk Domain Names
Make sure you have registered all available high-risk domain names. Many domain extensions aren’t used frequently for commercial purposes, but fraudsters will use them. For example, we see a lot of fraud takedowns on extensions such as .xyz. Make sure you look beyond country extensions (.uk) and generic extensions such as .com.
Emphasize the Importance of Domain Names
Ensure the security team understands the importance of domain names. Simply put, a domain is an external gateway into your organization. Many companies now involve cybersecurity teams in domain name discussions. The importance of domain security needs to be understood up to the board level, however, so the budgets are protected if not increased. If a domain name is lapsed or reregistered, this can cause huge financial impacts to organizations.
Get Proactive With Monitoring and Defense
You can’t register every variation of your brand. Still, by gaining constant visibility of domain activity for brand abuse, online counterfeiting, infringements, etc., you will know whether a third party has registered your brand/company name or if malicious actors are compromising your own domains for phishing or other fraudulent purposes.
Conduct a Detailed Domain Forensic Analysis
If you believe you have some redundant domain names, then conduct a detailed domain forensic analysis. You should obtain and assess your domains’ email records, traffic data and their overall importance to your operations. This will enable you to develop an understanding of each domain’s significance/criticality to your business and their risk potential.
Extend Zero Trust (ZT)
Organizations across-the-board are adopting “never trust/always verify” zero trust user authorization policies. But they should extend these policies beyond networks, systems, applications and devices to their company domain ecosystem.
Domains Are Your First Line of Defense
Whether active or not, your domains are connected to every part of your digital corporate persona — your email, your website, your virtual private network (VPN), and more. In abandoning them, you lose control of an asset that cyber criminals are all too eager to exploit.
That’s why it is essential to not only keep your domains but to protect them rigorously. With this, you’ll find yourself avoiding possibly millions of dollars in losses for the indefinite future, as opposed to saving a few pennies today.
