Since the first top-level domains (TLDs) were introduced in 1980s, there have been notable developments in the domain landscape. From the first .com domain, the privatisation of the domain name system (DNS) and creation of Internet Corporation of Assigned Names and Numbers (ICANN), to the release of new generic TLDs, domains have evolved beyond their initial, functional purpose, bringing the challenge of security.
Domains as IP assets
Domains today represent organisations’ digital storefronts, and are vital to any brand’s online identity. The growing influence and importance of domains in organisations’ e-commerce strategies has led to domains being viewed as intellectual property (IP) assets. According to the World Intellectual Property Organisation (WIPO), “IP assets are part of the non-physical property of a business. They are legally protected … can be independently identified, are transferrable and have an economic lifespan”. Domains not only fulfil WIPO’s criteria of an IP asset, but a recent Clarivate global survey of IT, legal and marketing senior decision makers’ views on domains’ role in IP and business revealed that 78% view domains as an important part of their IP portfolio.
Domains’ prominence as IP assets is driving increasing involvement of legal departments in domain management. For instance, legal expertise is often called upon when analysing a potential domain name purchase, with 49% using case law to support their analysis, according to Darts-ip data.
The security challenge in domain management
While legal teams have a role in domain management, it remains primarily the IT team’s responsibility. In reality, domains are not just IP assets, they are also IT assets that sit near the centre of organisations’ security strategy. With a third of organisations (33%) indicating they experienced a cyber attack targeted at their domains in 2020, up from 23% in 2019 according to the same Clarivate survey, it comes as no surprise that security is a key consideration in domain management.
In fact, more than half (56%) of organisations see security as the biggest challenge when managing their domains. Cyber attacks continue to rise, as well as the number and sophistication of attack vectors, with malware, web-based attacks and phishing the top threats, according to the European Union Agency for Cybersecurity (ENISA). If domain names are not secured and properly managed, there are a number of different ways that organisations could fall prey to cyber criminals. With brand reputation, customer trust and revenue at stake, domain security needs to be a serious consideration, alongside other elements of cyber security.
The key drivers of digital transformation in retail
Impact of increasing volume and diversity of domain portfolios
Domain management used to simply be about selecting and registering a domain that reflected the organisation’s name, then protecting it. This might still be the case for smaller organisations, but it has become far more complex for larger organisations.
For larger organisations operating globally, domain strategies can range from registering and managing sub-domains, name variations and domains for campaigns, to regional domains and defensive registrations. The size of organisations’ domain portfolios is growing. The number of organisations owning 250 to 500 domains almost doubled from 9% in 2019 to 17% in 2020. Similarly, the volume of organisations owning 501 to 1,000 domains, grew to 14% in 2020 compared to 8% in 2019.
These burgeoning portfolios typically contain a proportion of inactive domains, purchased for defensive or competitive reasons. Organisations infrequently use these defensive domains, but may redirect them to their main websites. Whether used or un-used, defensive domain names could present security risks such as domain name server compromise and email spoofing if incorrectly configured and not securely managed.
Another aspect of global domain portfolio management that may be overlooked is the need to understand each country’s domain eligibility and requirement. For instance, .de and .ca have different rules on domain eligibility and compliance. Partnering with a domain name registrar with both global reach and local knowledge is crucial to ensuring an organisation’s domain names are managed securely and comply with the respective local country rules.
Securing domains
Common approaches to securing domains include two-factor authentication, single sign-on, name server monitoring and registry locking.
Registry locking, in particular, has become increasingly popular, with 39% of survey respondents in 2020 using this feature, compared to 28% in 2019. Offered primarily by corporate domain name registrars, registry lock freezes all domain transactions at the registry level until the correct high-security protocol is followed as specified by both registry and registrar. In combination with additional registrar-level locking where a specific protocol must be followed between client and registrar means that there is an extra layer of security to guard against cyber attacks such as erroneous nameserver updates, hijackings and social engineering attacks. Registry locking is becoming an increasingly valuable security feature and an ever-growing number of registries continue to introduce this feature.
High-profile domain name server compromise incidents have also served to reinforce the importance of securing domain name servers. The best corporate registrars monitor and test constantly for security threats and code vulnerabilities both within the domain management portal, and at the various domain registries.
What to know about user authentication and cyber security
Partnering for domain security peace of mind
Today’s increasingly digital society and economy offers organisations greater opportunities to connect with and do business with their target audiences. However, there are increased risks to companies ranging from cyber attacks, IP infringement and fraud that could lead to lost revenue, loss of brand reputation and erosion of customer trust.
Rather than relying exclusively on internal resources, organisations should consider partnering with a domain management provider that is equipped with the technology, expertise and support to help them deal with the complexity of domain management and security.