Your website is one of your business’s most important sales and marketing tools. It’s your brand in a nutshell, your virtual storefront, and a repository for data – yours and your customers’. So, when you go looking for a web host – the company that’ll store your site on its servers – security is non-negotiable. Today’s settlement with GoDaddy, one of the largest web hosting companies in the world, shows what can happen when security slips. Read on for some details about the case, and some tips to think about when you’re choosing a host for your business’s site.

The FTC’s case against GoDaddy

GoDaddy serves as web host for approximately five million customers. To host that much data, you’d expect a company to have a comprehensive, complex security program with scrupulous threat monitoring. And GoDaddy told its customers it did, highlighting its commitment to security, and advertising its services as “Ridiculously fast. Seriously secure.” GoDaddy also told people it complied with international security principles. The problem? According to the complaint, GoDaddy’s actual practices didn’t come close. In fact, the complaint says, the company failed to implement basic controls. For example, GoDaddy didn’t inventory its assets, manage software updates, use multifactor authentication, or appropriately monitor for security threats. And, as a result, according to the complaint, GoDaddy experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers’ websites and data.

To resolve the complaint, GoDaddy agreed to better protect its hosting services by establishing, implementing, and documenting a comprehensive information security program. GoDaddy also agreed to undergo information security assessments by an independent third-party evaluator. And, importantly, GoDaddy promised to tell the truth about its services’ security and the company’s participation in third-party privacy or security programs.

What can businesses do?

The harm the FTC says GoDaddy caused is hard to avoid, because people had no way of knowing GoDaddy wasn’t doing its part to keep their data safe. But, if you’re looking for a web host, there are a few key things to ask about and do to protect yourself and your business.

  • Ask for information on security practices and breaches. Ask your web host the hard questions, and make sure you get the answers you need.
    • What security practices and technologies will you use to keep my website secure?
    • Where do you store my site’s data?
    • Are there multifactor authentication (MFA) options available I can use so other people can’t access or change my website with only a username and password?
    • Who do I contact if I notice suspicious activity?
  • Check out the FTC’s cybersecurity resources. The FTC’s Cybersecurity for Small Businesses page has lots of information on how to protect your business. That includes training modules for you and your employees.
  • Report issues. If you see scams or cyberthreats in the marketplace, let us know about them at ReportFraud.ftc.gov. We want to hear from you.
