Skip to content

Security Outlook for Small-Business-Targeted Web Hosts

In order to aid small businesses, the Federal Trade Commission (“FTC”) has released a Staff Perspective and a series of articles targeted to consumers and businesses about the availability of secure web-hosting and email providers. The Staff Perspective reviewed the services offered by eleven web-hosting companies and found that while most of these providers offer minimum security verification, most do not offer the more advanced services. Instead, small businesses are expected to implement these services themselves, although most likely do not have the institutional knowledge in order to do so. Without the services outlined in the FTC’s report, small businesses are open to phishing attacks, placing themselves and their customers at risk of financial harm.

The FTC reviewed eleven web host providers who market to small businesses to determine the level of security offered. The FTC reviewed SSL/TLS technology, domain level email authentication, and anti-phishing technologies. Eight of the eleven web hosts offer SSL/TLS as an integrated service in the setup of a website, four offered the service in their hosting plans and four offered it as an add-on service for an additional fee. SSL/TLS is a tool that 1) “offers some assurance to a website’s visitors that they are viewing the legitimate site rather than an imposter”; 2) creates an encrypted barrier between a computer and website to shield things like credit card numbers and passwords; and 3) “protects against modification of the information exchanged.”1

Domain level email authentication, including Sender Policy Framework (“SPF”) and DomainKeys Identified Mail (“DKIM”) verify “the identity of the domain that an email claims to be from.”2 The FTC concluded that only a very small amount of the services surveyed actually offered SPF and DKIM by default. Only one provider offered SPF by default and only two providers offered DKIM by default. However, with the exception of one provider, all providers allow the small business to setup SPF and DKIM independently. But, the small business would need the independent knowledge of this service in order to implement it themselves. 

The FTC also reviewed whether these providers offered Domain Message Authentication Reporting and Conformance (“DMARC”). DMARC instructs email servers to block or quarantine emails that fraudulently claim to be from the same domain as the receiver. The service can also send a report whenever the domain receives a fraudulent email. None of the providers surveyed offer DMARC by default. Three providers did not offer the service in any form, but eight providers allow small business customers to configure DMARC on their own. Again, a small business would need the independent knowledge of this service to setup DMARC.

Importantly, all four of these services, SSL/TLS, SPF, DKIM, and DMARC are free to use. The issue lies in small businesses needing independent knowledge to implement these services. However, these providers can implement SSL/TLS, SPF, DKIM, and DMARC into their web and email hosting services for relatively minimal costs.3 These minimal costs, which could be passed onto the small business consumer, would likely be less than the cost a small business would incur to learn and implement the advanced technologies itself.

The FTC standard requires all companies to take reasonable steps to implement cybersecurity protections. Reasonable steps generally require balancing the cost of implementing the security protocols and the risk of a data breach. The FTC conclusion is that the cost of implementing the security protocols to small businesses is low; the Staff Perspective may be putting the small business community on notice that it should examine its current security measures.

1 Federal Trade Commission, Staff Perspective, “Do Web Hosts Protect Their Small Business Customer With Secure Hosting and Anti-Phishing Technologies?,”
2 Id.
3 Id.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.