Navigating Domain Security: The Key Pillars to Protecting Your Brand Online

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "Navigating Domain Security: The Key Pillars to Protecting Your Brand Online." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Justin Hartland, Quinn Taggart, and Patrick Hauss. Justin is CSC's Global Director of Marketing for the Digital Brand Services Division based out of London. Justin has spent more than 25 years in the domain name and brand protection industry, bringing his wealth of knowledge to CSC clients. Quinn is a product coach for the Digital Brand Services and assists clients in the areas of online brand and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of knowledge and experience is appreciated by brand owners. Patrick is the Regional Director, located in France, for CSC's Digital Brand Services Division.

And with that, let's welcome Quinn, Patrick, and I'll hand it off to Justin.

Justin: Thank you so much. So I'm looking forward to today. Today is a bit of a different sort of way of running one of these, where myself, Quinn, and Patrick will be talking through various elements of running your domain portfolio and how it ties in with domain security. We're also going to touch on a number of industry events that are happening, that people need to be aware of, that can also influence it.

Because domain security is a very, very broad area, we've kind of broken this down into three areas that we're going to go through today. The first being about how you can proactively manage your domain portfolio. We'll then look at detecting and monitoring threats in the domain ecosystem. And then, finally, we'll look at enforcement strategies. And again, we'll go through this. As Christy said, we'll put up some slides because we're going to use probably a lot of acronyms, which are in the domain world, that you can read through if you don't understand them, if you're new to the industry, etc.

So today, we're going to start off with proactively managing your domain name portfolio. This is an area where over the years companies have gathered many, many domains, and understanding what the right names are to register, understanding the threats that certain extensions pose compared to other ones, when you are looking at launches, what is the right thing to do. And so what we're going to do to begin with is I was going to ask Quinn to sort of walk us through in particular what brand holders should be looking at when it comes to either new domain launches.

So over the last few years, we've seen both new gTLDs launching, but we've also seen some ccTLDs launching at the top level, such as .tr for Turkey, .uk, and .au in Australia as well. So there have been a lot of things happening over the last few years. And it's what should I do in those situations?

I think Quinn is also going to touch on brand launches as well. So many companies, throughout their year, they may decide we're going to launch a new brand. And what are the things you should be thinking about, which mitigate the risks and keep that domain portfolio in a secure place?

So I'm going to kick over to Quinn to begin with. And perhaps, Quinn, you can talk through either brand launches or domain launches to begin with and what you think a company should be looking at.

Quinn: Thanks, Justin. So before we get into that, I wanted to touch on one major key aspect of domains when we're thinking about them, and that's the actual life cycle of a domain. And technically, you don't really own a domain. You're sort of leasing the domain, meaning that as long as you keep up on the renewals, as long as you keep making your payments, it's yours to do with as you please.

But one key aspect that I think some folks may forget is that once you let that go out of your portfolio if you no longer need the domain, that the campaign is no longer active, and you decide, "All right, you know what? I'm just going to let that go out of my portfolio," that's great. But then it goes back out into the wild, and it can be picked back up again. And so one of the key aspects in remembering how this life cycle goes is to be able to go and realize that, hmm, is there any risk to that? What sort of risks go along with that?

And so what we're really going to look at when we talk brand launches is the beginning of this life cycle and being able to register new domains that reflect either to a new brand, a new activity, a campaign, anything that might happen along the line. It could be a merger and acquisition. A whole bunch of different scenarios might prompt you to go and register new domains, either onesie-twosie or in bulk, as you might want to do on a brand launch.

And it all comes down to timing. And I think that it's one of the other aspects that sometimes people will forget is that when you're looking at domains, it's a first come, first served world. Whoever gets in there first gets the domains.

And that's a challenge against other intellectual property that you might be thinking of. All right. Well, I've got a trademark. I need to file for my trademark. And that's fine. But when you file for the trademark, it can take couple of years before that trademark gets approved. Meanwhile, as you file that trademark, the filing itself becomes public. People can scan them. They can resource them. They can look at them. And that's the nature of how trademarks work, because multiple people can have similar trademarks in the space because it's based on what sort of industry you're in.

So one of the examples I like to use, because I'm in Canada and it's a North American thing, is Delta Faucets and Delta Airlines. There can only be one delta.com though. And who gets Delta.com? And the answer is whoever got there first.

And so when it comes down to that sort of thing, again back to the timing. So when is it good to go and engage your provider to help you and guide you through what might be available for new domains in a brand launch? And the answer is simple. The earlier the better. So as you create the idea, as you're spinning them around in your marketing meetings or your internal conversations, it's a good time to be able to reach out and ask your registrar for assistance.

And we do a lot of that. I work on CSC's Brand Advisory team, and it's a staple of what we do is try to help our clients navigate that landscape ahead of time and make sure that if they're considering a particular brand string in a bunch of different areas, that we're able to go and see what that landscape is going to be like. And then if they do need to make any kind of additional decisions, maybe it's a Plan A versus a Plan B, then we're able to go and deal with that at the onset, before it gets down to the wire and you're ready to go.

We do see on occasion and there's plenty of documented incidents like this, where you get through the process, you have a great idea, but you didn't get the domain name that goes with it. So now you're into that cycle. You're way further down the line. You've got a lot of invested into it already, but you don't have the domain space that goes with that. That can be a pretty big faux pas and can be quite expensive to deal with, especially if the domain you're looking for is already taken by somebody else. In the early going-ons, you can kind of deal with that. But later on, it can be a little bit more difficult.

Justin: Quinn, can I jump in?

Quinn: Yeah, sure.

Justin: You mentioned about filing trademarks. One of the things that we are very much aware of at CSC is people are watching those trademark filings . . .

Quinn: They are.

Justin: . . . to then go and register the corresponding dot-coms, or if it's a particular country, the relevant ccTLD. So we do recommend where possible, and we appreciate there is lots of confidentiality around these things, where possible that you, as Quinn said, engage before you've even made those findings because there's two reasons why that's going to be better. One is a greater chance of getting those domain names. But the second is if the good domain name, the .com is already gone, because there's no filed trademark and you may still have to go and buy that off someone, it may reduce the potential price of that domain because nobody knows what you're going to be doing with it. So that's a really key point. And Quinn, you're spot-on with the timings piece here.

Quinn: Yeah, it's extremely important. And it's no different in a situation like an M&A. The bad guys like to hyphenate the different company names. It's usually a pretty straightforward picking point for them, and they'll grab that kind of stuff early. So from a defensive standpoint, if you're looking, if you consider yourself risk-averse and kind of want to get out ahead of the bad guys, then timing is going to be everything.

Now that's part and parcel when you're looking at brand launches and the like is: What is your penchant for risk? Do you consider yourself risk-averse? In which case, you're going to want a fairly broad scope of domains to go and protect your brands online. If you consider yourself to be a risk taker, then either way, you're still going to want a base level of domain coverage in specific extensions. Obviously .com is still king. It doesn't matter where you are in the world. But if it's more of a regional brand, then you're probably going to want some localized extensions that go along with it. And if it's more of a domestic product or a domestic brand, there are certain riskier extensions that kind of go along with it.

It all kind of formulates into the base strategy. If you yourself internally don't have a formal strategy or even an informal strategy of what to look at, and again that's where your registrar is going to be able to hopefully pitch in and give you some guidance that goes along with it. And again, that's where CSC kind of shines is that we have these specialty teams that are able to kind of chime in and give you the guidance that you're looking for. And so . . .

Justin: Quinn, I'm going to jump in again as well. Sorry.

Quinn: Absolutely.

Justin: And I wanted to pick on Patrick because one of these, when you are pulling that together, there is no one size fits all. So, for instance, if it is a French company, Patrick, I think their requirements may well be very different to a U.S. company or even a UK company on what those are. And I know you've been involved in these things for years. And what do you think on that?

Patrick: Yeah, absolutely. I mean, the strategy that brand owners need to put in place really vary on I would say first the DNA of the brand, the territory of the brand. And there's not like one solution fitting every single situation. It's really about being able to adapt your strategy to basically what your goal is. And I think putting together documents, domain policies in place in order to address topics like governance, protection, and when I speak about protection, I speak basically about what we are putting at the left of dot and at the right of the dot is important.

We were mentioning and speaking about brand launch. It's fundamental as well, in order to have a secure strategy, to look at how things are moving in terms of what the registries are doing at the right of the dot. And things are moving really fast. We still have different TLD launches and many different things like that.

Justin: Thanks, Patrick.

Quinn: No, and that's a great point. With the breadth of clients that I've worked on over the years, I've seen clients that are in the same industry vertical, but their approach to a domain strategy and their defensive postures, vastly different. I worked with one telecommunications client that had 15,000, 20,000 domain names. And I worked with a different one, same industry vertical, but their portfolio is only 3,000 domain names. And a lot of that really just kind of came down to their penchant for risk and their ability to do monitoring and enforcement.

And that's what this slide, that's up on the screen right now, is it's all about balance. If you're going to try to manage your domain inventory and your intellectual property online, it's about a balancing act. And you've got three major pieces to kind of look at. There's four on the screen. But as far as the stakeholders go, you really have budget. Everybody is budget conscience of course. You're going to have your penchant for risk. And then the balancing piece out of all of that is going to be monitoring and enforcement. We're going to cover a bit of everything today.

But when we look at the security risk, one of the key factors as well internally is you're going to want to involve all of the stakeholders. Everybody within the company has a vested interest in making sure that the domain inventory is protecting the brand online. Now, historically, the domain inventory would have rested with IT because, yes, there is a technical component that goes with domains. Got to have a website up, got to be able to drive email. Got to be able to protect the cybersecurity side of things. That's all usually driven through the IT stakeholders. But everybody else has a position to play in this and a role to pay attention to in order to make sure that collectively you are protecting your brands online.

Now some companies still see domain names as a bit of a money pit. It's kind of a hot potato internally. All right, who gets to manage domain inventory? Oh, well, we'll pick the new guy. He can handle that. That's under other duties as required or something like that. And so it doesn't get the attention sometimes that it deserves.

But over time, your inventory of domains didn't get to be where it is overnight. It's taken years, the years of the business to evolve and get to be where it is. Without some processes and some policies in place to go and review things on a regular basis, yes, things can balloon out, and people will just renew them year over year over year. Why? Because that's what's been done before, and nobody really wants to take the final step of saying, "You know what? I really don't need that anymore. Get rid of it." People won't do that.

Patrick: And maybe if I can add to what you are saying, Quinn. Indeed, I think the fact of having a let's say a multi-stakeholder approach, involving IT, legal, marketing, security, is that basically all these people can sit down. All these people can put rules in place, decide on the workflow, on the governance. And there are so many topics to address and to discuss. And sitting together, putting some rules in place, that's basically what's going to allow you to put and to draft basically what's going to be called your domain policy. And in this like ever-changing landscape, moving towards more cybersecurity, I think that's really the right thing to do and also the right moment to do that as well.

Justin: Yeah. I mean, just to add to that, Patrick. Obviously, we see a lot more people in the infosec world now involved in domain management. It's still probably not as many as it should be. But when we look at security failures online, I think it's like 90% of them start with a domain name, either a domain name being misused or attacked. And so in many organizations, this is kind of a missing piece of the puzzle on their security posture.

So I would highly advise that probably legal and marketing and IT have already worked together, but maybe infosec has not been involved. But really I think that would be a key learning from this, if you haven't got them involved, is to bring them in because that is a piece of the puzzle that just isn't being looked at. And those teams may not even be aware of the security pitfalls of not being…

Patrick: Yeah, we need to remember that we have like a huge piece of regulations, which are appearing, especially here in Europe, NIS2 being one of them. NIS2 is about basically the integrity of the internet. And when we speak about the European Commission putting together a new a new framework for cybersecurity, this will impact hundreds of thousands of businesses around Europe, of course, but across the globe as well. And that's not a secret. Cyber crime is growing very fast.

And actually, when the NIS2 framework directive was put in place, it was decided that some attention needed to be put towards the domain and the DNS ecosystem as well, together with many other things. And when we speak about domains and the DNS ecosystem, basically we speak about the registries, the registrars, and the DNS provider, which are the three main components allowing the Domain Name System to work and to operate.

So if we put I would say the registry topic or situation aside, and you all remember that registries are in a very like unique or even monopolistic situation, you cannot choose the registry you are going to work with. However, you can choose your registrar. You can choose your DNS service provider. And these two parts of the of the domain and DNS ecosystem are also in the scope of these two. The DNS service providers are considered as essential services, like critical services, and they get the full impact and all the obligations basically from these two. And that's something we need to bear in mind.

I do believe that there's going to be a huge transformation in the coming months and the coming years of the DNS hosting landscape because there's going to be a very important need for security. DNS cannot be seen any longer as a commodity. DNS cannot be a free service anymore without security, without SLAs, without guarantees, and so on and so forth. So I think that's really something which businesses are going to have to look at very closely.

And then, when we speak about registrars, so what the NIS2 directive calls the domain name registration provider, they are also in the scope of NIS2 through the so-called Article 28, which puts a lot of like new obligation in terms of domain data, so, for example, the obligation to collect and maintain accurate and complete domain data, meaning like the WHOIS data, the obligation to have policies and procedures in place to verify this domain data, and also the obligation to make some of these data publicly available, especially when these data are not personal data.

So we have now a huge work, which is being done in front of us, which is the transposition of this directive within the 27 European member states. It's a work in progress. We only have, I think, roughly 30% of the European countries which have transposed the NIS2 directive so far, with mainly speaking about smaller countries. So I think it's a really good time also to assess your overall domain security posture and considering moving from what we can call like consumer-grade service provider or domain provider or domain registrar or DNS hosting companies to a new solution, which are going to be more secure and more compliant. So I think timing is really good right now, again, to look at that from a security angle, as you were me mentioning earlier, Justin.

Justin: Yeah. Thanks, Patrick. And just kind of I'm going to pivot back to Quinn. So we talked through brand launches and the life cycle of where that fits in. But we also have a lot of new domain launches. And I'll talk in a minute about the next round of new gTLDs. But still even right now, I think there are launches happening. So it sort of I guess briefly is like: How can I prepare myself? I know these things are coming. But what can I do to put myself in the best position that I can make quick decisions on what to do?

Quinn: I think one of the key factors to remember is that there are options when it comes to the new gTLD space as well as the "regular domain space." There are blocking mechanisms that are available, that may or may not solve a problem as far as being able to protect your brand online in a cost-effective manner. Some of the blocking mechanisms can be quite cost-effective because they protect you and your brands against a wide swath of potential threats. But also too is that reviewing them on a regular basis is to see which ones are actually going to be relevant to your brand. Maybe they're not relevant. But then also too compensating with monitoring and enforcement is going to help you be able to identify potential threats as they come up.

And I think, again back to the balancing act from earlier, budget is usually a driving force for a lot of things. But then down to your risk, back around to monitoring and enforcement, and that's going to keep things stabilized. I talk with my hands a little bit. I should be Italian.

But I think that one of the key things to remember is get the information. These things are coming up. Make sure you're tapped in for notifications and alerts. Make sure that your registrar is giving you proper guidance.

Justin: Thanks, Quinn. So I'll sort of go on from that into another area that we think people need to get prepared for, which is the launch or the second round of New gTLDs. So we've got some examples here, .travel, .jobs, .store, .online. But there's sort of two flavors, I guess, that will be available to apply for in April of next year.

So one is companies will go out and try and register generic terms. So we can see there being more work to do in the future on like, okay, so somebody has launched .bitcoin. Is this something we need to defensively register or block or whatever? We're going to have to make those calls.

But the area that I think people should be considering right now is the dot brand side of things. And what we've seen in the last round, CSC actually manage a few hundred for customers, and we're slowly seeing adoption of those and usage increasing. But I think we're in a different world to 2012 to where we are today with the dot brands. And we've touched on the security element of dot brands and of general domain management. Well, if you own your own dot brand, you control everything. So it gives you great control. And it's not necessarily for everyone either, but it's certainly something that I would recommend. We've done some webinars recently. I would recommend that you join one of those to get sort of deeper insight into it.

But taking that information, and then if we think about the pie chart that Quinn showed earlier about the people involved in domain management, taking it back to that group so they fully understand what are the general costs, what are the timings, as I mentioned, the application period will start next year in April, and what could we do with this.

So one of our clients, who actively uses theirs, talked about how it's great because we now get to register generic terms. So if we want to launch a campaign referring people to our business, we register referral dot our brand. So it opens up sort of new ideas within the business. So my recommendation on this is start to get to know what's going on, and then take that information and use it within that sort of stakeholder group.

The one thing and I just want to make a little side point here as well. If you are going to apply, you will need a Trademark Clearinghouse application for a valid trademark. Now what we've seen over the years is when the first round of new gTLDs launched, a lot of people got TMCH. It was very useful for sunrise periods, for getting notices, etc. But we've seen a lot of people get rid of them. They've gone, "Well, there isn't many new gTLDs launching now. I don't need this."

But I think I would recommend that, over the next year, you start looking at your Trademark Clearinghouse portfolio and what you've got today, because you're either going to need that if you're going to apply for a dot brand, or you're going to need that to take part in sunrise periods when the new domains come out. I don't know if Patrick or Quinn have any additional points you wanted to raise on New gTLDs, the next round.

Patrick: No. I think it's a great advice, Justin. Indeed, having TMCH records offers a whole bunch of options when it comes to either applying, launching a dot brand, or navigating the next round of these New gTLD launches. I think it's very important for businesses as well to see now, as you were mentioning, a dot brand as a way to improve your security posture. It's also another way for businesses to educate their client and bring them to a sort of like new messaging.

I mean, we all see how cyber crime, fake products, and everything is just like all over the internet. What about having a dot brand in order to distribute a new messaging to your clients, saying that when you are on the dot my brand, you're in a safe spot. Nothing can happen there. You have the guarantee that you're going to be finding genuine and authentic products and so on. There's a lot of things to imagine around that, especially as the internet is growing, evolving, and that threats are increasing all the time. So I think there's a lot of ways to look at that, and timing is, again, the right one.

Quinn: So I think . . .

Justin: Oh, go on, Quinn. Go ahead.

Quinn: I was just going to interject on one thing in looking at a dot brand, and again, in dealing with our clients that have pursued the dot brand side of things, is that even though you have that added security level and you've got your own space, you control what's going on, it's not necessarily a replacement for a traditional domain inventory. .com still exist. .net .org, .uk, .tr, .nz, whatever, those all still exist, and the bad guys are still navigating through that as well. So while you control your own space and here you are, there's still the normal run-of-the-mill stuff that's going to . . . Could you trim back some of your defensive posture stuff? Possibly. But I think it's important to remember that the dot brand is not a replacement for traditional inventory of domains.

Justin: That's a really good point, Quinn, a really good point. So I think what we're going to do, we're going to just stop at that point on this particular subject.

Quinn: So Justin, back over to you about compliance issues.

Justin: Compliance issues. So here's one of the things that we see is the relationship between fraud and domain names. And it's really clear to us that that needs to be taken into account when you're managing your portfolio and deciding what you want to do.

So a great example of that is there was a company called Freenom. You could get free domain names through them. They managed five ccTLDs, most notably .tk. And they got into a lawsuit, and it effectively meant they had to stop running those domain extensions. And those domain extensions are slowly but surely getting taken over by other registries. So .ml is now being run by Afnic in France. But what we saw from fraud data, because here at CSC we have anti-phishing solutions and we take down fraudulent websites, we saw it drop off a cliff. And those domain name extensions were no longer being used for fraud because nobody could register new extensions.

So there is a strong correlation there with TLDs, where there is a lack of sort of compliance to them, regulations, rules, they're just giving them away for free, and what we see in the fraud world. So you need to bear that in mind when you're building your portfolio and when you're thinking about monitoring, that something might be .tk, which is the small, little island Tokelau in the Pacific. But the way that the phisher will use that domain is they will potentially have your brand, but then they'll put in loads of other dots and everything and confuse you when you click on the phishing site.

So that is something that I would also recommend is not ignoring those sort of more obscure TLDs, but also keeping a close eye on those.

Quinn: And that's one of the major tenets when we're looking at how the bad guys operate, right? I mean, there are three main tenets. When it comes to infringing domain names and being able to leverage those for a bad act is: How cheap are they? How easy are they to get? And then, of course, the main one is: How do I make my money back?

Now if they're registering for nefarious purposes, then only the first to apply —how cheap and how easy. And that was the thing with Freenom, of course, because they didn't cost anything, so it was a free-for-all.

Justin: Yeah. And Quinn, I mean, while we're talking about it, we can kind of mention about Web3 domain names, which are technically not domain names. And I think with these and there are, by the way, thousands of these things. I think the one thing to bear in mind is that for many Web3 or blockchain domains some people have called them, for many of these, it's actually hard to actually even navigate to them because you need add-ons for browsers and it's very limited browsers that you can actually use them in.

But I think forming part of your monitoring is that's where I would look at. Some of these organizations are creating sort of enforcement actions that can be taken against names. But I would have it as part of your monitoring solution.

Quinn: And that factors back into TMCH and blocking, right, because in order to be able to use any of the blocking mechanisms, you sort of need the TMCH to kind of go hand-in-hand along with that to make sure it's a validation exercise that way, I mean, right now, there are about 60 odd Web3 domains that are out there that we know of, and a lot of the blocking mechanisms will cover some of this stuff, if not all of this stuff as it goes along. But it's not 100% inclusive yet.

So that's the key thing to remember, especially as you talk about the New gTLD wave two coming, is that there's not necessarily blocks on everything. Even with wave one, you only have blocking mechanisms that cover about half of the inventory that's out there under the new gTLD umbrella.

Justin: Yeah. And maybe . . .

Patrick: I think that reinforces the need for monitoring, detection, threat intelligence within the domain space. And I think that's something we wanted to mention as well today. I think we all agree we cannot register everything. This first come, first served rule I think is a really good weapon for cyber criminals. Being behind the computer or phone with a credit card allows you to attack basically any brand, run a phishing campaign, create a clone website, and so on and so forth. There are many different options.

We have this difficulty, which is that the domain name space has not been designed originally for what is being used right now. And when we speak about businesses' online presence, we are basically facing one major problem, which is that your online presence is not behind your firewall protected. It's out there in the wild, wild web. That's what we call the external attack surface in the cybersecurity language.

So I think that really reinforced the need for detection, the need for monitoring, which are two different things. Being able to detect newly registered infringing domains or abusive domains versus being able to monitor them. Once they've been detected, being able to assess every single situation with like a technical tool. When, for example, an MX record is activated or a website is put online, that's all like things which are going to be interesting in order to enter potentially into the enforcement phase.

But first, there's always one phase, which is quite critical and where we have some things happening in the industry right now, which is that for every single domain that you detect, you need to assess, find out who's been registering this domain, and so on and so forth. And we know that with GDPR, in 2018, ICANN has been like really struggling with this topic of accessing WHOIS data or domain data. So this like RDRS system, for example, has been put in place by ICANN in order to help a legitimate requestor to get access to domain data.

We've seen as well that RDRS is not that system which is going to allow brand owners to access directly to the data within this ICANN portal. It's more like a one-stop shop or ticketing system, where the communication with the registrar is going to be facilitated. So I think, in general, if RDRS was designed to help brand owners or cybersecurity investigators or even law enforcement, there are like still too many limits or difficulties with this new tool, like the number of TLDs. It doesn't work on the ccTLDs, for example. The participation of the registrar, which is not mandatory, and we've already actually seen a few registrars like withdrawing from RDRS. We know that it's a temporary system. ICANN is looking to improve that. It's open for just a two-year period as well. It doesn't work for domains using proxy services.

So, I mean, after the launch in November 2023, if I remember well, I think if we try to make some early conclusion about how this RDRS system has helped brand owners in how they're assessing infringement, I think there's a lot of like disappointment from the brand owners in general. We only see a very limited percentage of cases where the domain data has actually been disclosed and revealed to the requestor. And that's shows basically in the ICANN statistics.

So I think it's going to be interesting to see how this whole domain data situation is going to evolve in the coming months and years, especially through the upcoming ICANN meetings. So that's going to be an interesting topic as well.

Justin: Thanks, Patrick. With the final piece, just sort of digging into how we've talked about managing your portfolio, what are the right names to register, then talking about what you need to think about from a monitoring standpoint. But there's the other element, which is how to enforce and what are the important things to take into account there.

Patrick: Correct. And I think one of the key elements that I would like to mention is maybe a bit overall about like enforcement strategy and basically how we're going to be enforcing rights against an increasing number of cyber criminals. And there's always this question about is this like a Whack-a-Mole game? Am I going to be like hitting every single domain being registered by a third party? How am I going to approach that? And that's a real question.

So a couple of ideas here or thoughts, I think, first, the era where we were just like sending a cease and disease letter and filing a UDRP complaint for each cyber squatting case, I think this era is definitely over. That's not the right strategy to have right now. I think the main change, as we were mentioning before, has been the increasing number of cyber attacks. If you look at phishing statistics, it's absolutely huge. And as a consequence, I think we have to remember that the number of tools and procedures that are now also available in order to defend your rights online has grown significantly. And we're not speaking only about legal tools. We're speaking also about technical tools that can be used in order to protect your rights online.

So I think there's been a sort of like shift from this moment where UDRP seemed to be the only solution, the primary solution to a situation, to a situation where UDRP is probably slowly becoming a tool being used by brand owners in case all the other possibilities were not successful. So I think that's something that we need to bear in mind, that there's been a shift. There are so many new things that can be done in terms of protecting your brand online.

I think we're also seeing enforcement topics moving to security people. That's a real trend as well, and I think it makes total sense. When we see the type of attack, the reactivity which is needed after an attack, you cannot wait two months in order to fight against a phishing attack. This needs to be addressed within hours. You cannot wait 60 days, for example, to recoup the domain name.

But I think most importantly, when we speak about this fight against cyber criminals, I think technology has probably been the bigger I would say game changer in online brand protection. I'm just going to give you an example, clustering. It's a must right now when you try to defend your brand online because indeed you may see someone cyber squatting you or registering domains containing your brand, but you need to understand what these people are doing with these domains. Do they also have listing on marketplaces? There can be many other elements helping you basically to qualify each situation.

So you need to be able to choose your battles, and that's why I think technology became so important. And that's really how we've been designing our tools at CSC.

I just wanted to say a couple of more words about UDRP. There's currently a UDRP review, which is done between WIPO and ICA. So ICA is the International Commerce Association. So they're doing a review of the UDRP right now. It's a series of consultations being performed with like industry leaders, experts. We have a group at CSC which is part of these discussions actually. And the idea is to find the areas of improvement of the UDRP. There's going to be a final report, which will be shared with ICANN, and ICANN will then evaluate, with this different constituency, what needs to take place and what needs to be put in place, sorry, when it comes to reviewing and updating the UDRP.

So I think this could be kind of an important milestone. UDRP is 25th anniversary actually, which is going to be celebrated in Geneva actually later this month. CSC is going to be present at this meeting, since we are the biggest UDRP filer globally. So I think we can expect new things coming up as well for UDRP, and I think that's going to be very interesting to see which direction the UDRP is going to go in the coming months.

Quinn: And back to balancing, I think that when we look at domain registrations, it's a heck of a lot cheaper to register a domain name and maintain it than it is to file a UDRP.

Justin: Absolutely, Quinn, And I think that's probably one of the key things that we would recommend to anybody is all of this is about balance, right, and it's about taking into account your risk appetite, taking into account your budgets, taking into account if I spend a little now, that could save me a lot later. So yeah, I think . . .

Patrick: We are in the domain space, and that's why we need to connect the dots. What is happening in terms of how am I going to secure my own portfolio and basically at the same time look at how third parties are going to use my brand in order to attack my brand? And I think that's really how this whole strategy needs to be built around securing your brand online basically.

Justin: Yeah. So I know that we have probably taken a little bit more time than we originally were going to. But as you can see, myself, Quinn, and Patrick are quite passionate about these things.