Hiring a web host? FTC has security tips for small businesses

Engage, connect, protect was the theme of a series of Small Business Security Roundtables the FTC sponsored last summer. We listened to businesses talk about the challenges they face in securing sensitive information and fending off cyber threats. We also heard that they want concrete advice from the FTC. For example, how can a small company – especially one that may not have the in-house expertise to host its own website – get down to business while also addressing these concerns?

In search of a solution, many businesses turn to web hosting firms to set up their website and email systems. In a just-published Staff Perspective, Do Web Hosts Protect Their Small Business Customers with Secure Hosting and Anti-Phishing Technologies?, the FTC’s Office of Technology Research & Investigation (OTech) looked at 11 web hosts that market their services to small businesses. (The Staff Perspective explains OTech’s methodology.) OTech specifically reviewed: 1) whether the hosting companies offer SSL/TLS, technologies that help secure communications between a website and its visitors; and 2) whether the companies supported email authentication technologies.

OTech’s findings are the basis for some new advice for small businesses.

Let’s turn first to SSL/TLS. It’s a protocol that offers visitors some assurance that the site they’re on is legitimate and not an imposter. It also establishes an encrypted connection between a user’s computer and the website, thereby protecting credit card numbers, passwords, and other sensitive data.

OTech found that 8 out of 11 of the web hosts they looked at integrate SSL/TLS into the setup of small business clients’ websites. Some include it in all plans and others offer it as a paid add-on. The remaining three don’t integrate it into the setup process, but included clear instructions and offered help. So the good news is that it’s generally available to small business clients. That translates to a safer experience for customers visiting those businesses’ sites.

But OTech’s findings were mixed when it came to whether those same hosting companies supported email authentication technologies. Why is email authentication important? It protects domains from being used in phishing scams. Domain level authentication like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) verifies the identity of the domain an email claims to come from. In other words, is an email from @example.com really coming from that server? What’s more, a complementary method called Domain Message Authentication Reporting (DMARC) can instruct servers on how to handle unauthenticated messages – for example, put them in a junk folder or block them altogether.

Of the web hosts OTech studied, only 3 out of 11 implement SPF or DKIM by default. The remaining 8 don’t integrate SPF or DKIM set-up into the email account creation process. In fact, they don’t even mention SPF or DKIM. Otech then took a deeper dive and determined that it was technically feasible for sophisticated business customers to implement SPF or DKIM at the 7 web hosts that don’t integrate SPF or DKIM by default. Few small businesses though are likely to know that these technologies exist – let alone how to implement them.

Turning to DMARC, OTech determined that hosting companies provide even less support. None of the companies configures DMARC by default. Nor do they offer clients a simple way to configure DMARC during the email setup process. Echoing OTech’s SPF/DKIM findings, 8 out of 11 would be compatible with clients implementing DMARC on their own. But how likely is it that a small business that turns to a web hosting company for the basics would have the expertise to know that? Isn’t that the kind of readily available security that small businesses expect their web hosting companies to provide?

Returning to the Engage, connect, protect theme of our Small Business Security Roundtables, what concrete advice is the FTC offering?

• For small business owners.  When hiring a web host, small businesses should pay close attention to the security features of the available plans. Plans with SSL/TLS and strong email authenticating technologies can better protect your business and your customers.
• For web hosting companies.  Web hosts should continue to help small businesses implement SSL/TLS. Given the significant security benefits, hosts should consider whether to include protective technology by default. Web hosting companies that cater to small businesses can play a big role in increasing the use of SPF, DKIM, and DMARC by automatically configuring those technologies for their clients. They’re free and the implementation cost for web hosts is small. And what web hosting company wouldn’t want to truthfully tout the benefits of its built-in security features.
• For sites that review or rank web hosting services.  Many rating sites rank the best web hosts for small businesses. They compare companies based on storage, type of servers, customer support, etc. Important criteria, for sure, but how about comparing the availability of SSL/TLS, email authentication technologies, and other security features? Small businesses are telling the FTC that security matters to them. Is it time to include those criteria in the ratings?