Your website is the online face of your business. Some companies have the in-house capability to manage their web presence. Others hire a web host to handle it for them. When launching a new business or upgrading their site, savvy business owners comparison shop for web hosting services. At the top of your shopping list should be the security features built into what you’re buying.
In our meetings with small business owners across the country, you asked for more advice on selecting a security-conscious web host. As part of our cybersecurity initiative for small business, the FTC has suggestions about what to look for and what to ask when hiring a web host.
WHAT TO LOOK FOR
Transport Layer Security (TLS). The service you choose should include TLS, which will help protect your customers’ privacy. TLS helps make sure people looking for your business online reach your real website when they type your URL into the address bar. When TLS is up and running on your site, your URL will begin with https. TLS also helps make sure the information sent to your site is encrypted – an important feature if you ask customers for sensitive data like passwords or credit card numbers.
Email authentication. Some web host providers let you set up your company’s business email using your domain name. Assuming your domain is yourbusiness.com, that means your email might be yourname[at]yourbusiness.com. Without email authentication, scammers can send emails that look like they’re from your company. A key defense against fraudsters is a web host that provide three essential email authentication tools: Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).
Software updates. When it comes to creating a website, you’re too busy to start from scratch. That’s why many web hosts offer pre-built templates or ready-to-go software packages. But cyber risks are constantly changing. Be sure you know how you or your web host provider will keep your site’s software up to date, including the installation of the most recent security patches.
Website management. If it’s necessary to make changes to your site, will you have to go through your web host or is there an option of managing it on your own? Make it clear from the start who will manage the site after it’s built.
WHAT TO ASK
When you’re in the market for a web host provider, make it clear that security matters to you. Here are some questions to ask a prospective web host to gauge if you’re on the same security page:
- Is TLS included in your hosting plan? Is it free or offered as a paid add-on? Will I set it up myself or will you help me?
- Are the most up-to-date software versions available with your service? Will you keep software updated? If it’s my responsibility, how do I do that?
- Can my business email use my business website name? If so, can you help me set up SPF, DKIM, and DMARC email authentication technology? (For in-the-know business owners, those three tools are musts. No SPF, DKIM, and DMARC? No deal.)
- Once the website is up and running, what if changes are needed? Will I have to go through you? Can I log in and make changes on my own? If I can log in, is multi-factor authentication available?
Download the FTC’s web host fact sheet and keep it handy as you comparison shop.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.