How Companies Drop the Ball Owing to Lack of Teamwork & Systems
By Paul Engels
The most basic component of a company’s digital presence is their portfolio of domain names. It’s inconceivable that such an important asset would be allowed to expire by oversight. This error is seemingly egregious given that domain registrars (the good folks who sell domains to corporate users) invariably have an “auto-renew” setting. As blogger Lisa Vaas asks, “Who wouldn’t activate auto-renew on their corporate domain?”
Despite freely available procedures designed to prevent them, unintended domain expiries still happen – and quite often at large, sophisticated and technically astute organizations, such as Microsoft, Google, Marketo.com, and US telecom Sorenson Communications, which incidentally was fined $3 million by the FCC for the consequences of failing to renew their domain.
OK. If “auto-renew” were the answer, this would be a pretty short article, ending right about here… Lisa Vaas further advises folks to familiarize themselves with the calendar reminder function of their smartphone or desktop, so as not to forget to renew a domain. Would that it were so simple.
To all you corporate domain admins out there, by all means activate auto-renew. But there’s so much more to the story. The reality of domain administration is gnarly.
Complexity #1: Start with the fact that most large organizations don’t have one domain. They have hundreds or thousands. Bank America: 16,000. Rogers Communications: over 7,800. That’s a lot of calendar reminders!
Complexity #2: Many of these domains and subdomains such as campaign.brand.com are intended for limited lifespan use, such as short-term marketing campaigns. They’re not meant to be around for years, nor necessarily to auto-renew. In fact, allowing too many of them to renew can create a virtual playground for hackers, phishers and parties who actively seek out dormant or inactive corporate domains for nefarious purposes.
Complexity #3: The domain registration ecosystem is rife with exploitable loopholes and points of failure. When Marketo temporarily lost their main domain, one of their customers found that he could easily renew the available domain, which he did as a Good Samaritan to help Marketo. Less caring individuals routinely hijack domains by multiple methods, some as easy as calling a registrar and falsely claiming to be an authorized representative of the domain owner.
Complexity #4: Many organizations spread their domains over multiple registrars. We’ve seen a few hundred domains spread over 12+ registrar services. Each registrar sends multiple email notices per domain per year. After a while all those emails start to sound like noise and become bothersome or get ignored. A domain administrator finds themselves having to separate the wheat from the chaff. (Don’t forget to check your SPAM folder…) Now push those domains across multiple DNS services, and you’ve got a messy setup. Such setups are not at all uncommon, especially for companies engaged in M&A that inherit domains along with registrars and DNS.
Complexity #5: The universe was perfect until people showed up. Take any situation and add the human factor for the real fun to start. We ask scores of large enterprises, “Who owns domain management in your organization?” Shockingly, the answer from at least a third is: “We’re not sure.” That’s pretty remarkable considering that domains represent the digital brand and are often used to deliver critical services to customers. Marketing tends to request domains. Brand protection lawyers often manage the approval or admin function. The IT department sets them up and configures them based on business requests. A domain admin at the corporate office keeps spreadsheet records of the domains in use. (That’s right. Spreadsheets!) Despite each group knowing their respective function, overall accountability often falls through the cracks. Between the cracks is where “Murphy” lives and stuff happens.
Recent weeks have seen a spate of reported corporate security and oversight foibles, many of which were domain-related or domain-exacerbated. Equifax’s mishandled attempt to quell security fears at http://www.equifaxsecurity2017.com is a ghastly example. (Hackers launched www.securityequifax2017.com and Equifax actually sent customers there in error to get further phished and defrauded…)
We industry types love to shoot from the hip with our favorite panacea. The reality is that domains and the management thereof are a complicated business. While the auto-renew setting is certainly advisable, a more robust and capable solution for corporations is to employ systems to help manage their domains, provide intelligence, manage change and provide audit functions. Far too many companies simply do not. They’ve become used to people and spreadsheets. As the complexity of the domain world grows, we may be reading more about their mishaps soon.