Unattended corporate websites cause headaches

Forgotten online resources can be used for extortion or phishing

Do you know who is responsible for domain registration in your company? And can you be sure no one else has ever registered a domain on behalf of your business? Employees of large corporations can’t always answer those questions definitively. Even people in information security are not always watching for those details. That leads to a certain level of chaos, and it can cause problems when a domain registration expires and someone takes advantage.

Large businesses in particular should take notice; they usually have more than one department that needs to register new domains. That’s no exaggeration — we’ve seen dozens of cases like these. A PR team needs a website for a charity project; marketing needs a landing page for a new product launch; even R&D sometimes needs a page for a conference or hackathon.

It’s not hard to guess what happens when the event is over, the product successfully launched, the campaign complete: Everyone forgets about the sites. Sometimes, their lead-generation mechanisms even remain in place to draw casual visitors. And so they remain until the registration expires and they go back on the market.

In theory, the people who register a site are responsible for it, but those one-off chores get eclipsed by more urgent tasks, not to mention the daily grind. Well before a registration expires, people might change positions or quit the job. An abandoned site might simply not seem like a pressing matter.

What can go wrong?

An abandoned website is actually rife with possibility. First, people known as cybersquatters actively look for expired domain names. If they register such a domain name, they can do anything they want with a site that is affiliated with your company. In the past, offering the site name back to the company — for a premium — was common. These days, cybersquatters are far more likely to try to extort money by putting content on the site that can harm your business’s reputation, or to sell the domain name on the Darknet to phishers.

Of course, a business can prove its right to a domain name to the registrar or in court if need be. But that takes time, and meanwhile, the company’s reputation suffers.

Another possible problem involves the notorious GDPR (and possible similar changes in local laws). If your abandoned marketing website is still online and continuing to collect information on the occasional customer, it had better be compliant with modern laws.

How to stay out of trouble

To start with, assign someone in IT or security responsibility for domain registration. That person needs to keep records of all online assets and keep an eye on expiration dates. Other employees must not register anything without letting him or her know. If you employ a third-party contractor to develop and support your website, do not delegate site registration to them.

It is also worth using automatic domain extension, if your registrar allows it.

Delete information from outdated websites. Even if the effective period of your offer is clearly noted (in a small font at the bottom of the page), there’s no reason to leave it around to disappoint a potential customer.
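
As an added illustration (not part of the original article), here is one way the person responsible for domain registration could audit the inventory recommended above. The CSV column names, the 60-day warning window and the sample records are assumptions constructed for this example.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory (not real data); the columns are assumed for this example.
SAMPLE_INVENTORY = """domain,owner,registered_by,expires,auto_renew
example-charity.test,pr-team@example.test,internal,2025-02-10,no
example-launch.test,,internal,2025-09-01,yes
example-hackathon.test,rnd@example.test,contractor,2024-12-20,no
example-corp.test,it-domains@example.test,internal,2026-03-15,yes
example-promo.test,marketing@example.test,internal,unknown,yes
"""

def audit_inventory(csv_text, today, warn_days=60):
    """Return {domain: [findings]} for every record that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        try:
            expires = datetime.strptime(row["expires"].strip(), "%Y-%m-%d").date()
        except ValueError:
            # A record without a usable date cannot be monitored at all.
            expires = None
            issues.append("expiry date missing or unparsable")
        if expires is not None:
            days_left = (expires - today).days
            if days_left < 0:
                issues.append(f"expired {-days_left} days ago")
            elif days_left <= warn_days:
                issues.append(f"expires in {days_left} days")
        if row["auto_renew"].strip().lower() != "yes":
            issues.append("auto-renewal is off")
        if not row["owner"].strip():
            issues.append("no responsible owner recorded")
        if row["registered_by"].strip().lower() != "internal":
            issues.append("registration held by a third party")
        if issues:
            findings[row["domain"]] = issues
    return findings

if __name__ == "__main__":
    for domain, issues in audit_inventory(SAMPLE_INVENTORY, date(2025, 1, 1)).items():
        print(f"{domain}: " + "; ".join(issues))
```

Run on a schedule against the real inventory, a check like this surfaces forgotten campaign and event domains before their registration lapses.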