For years, like many business owners, I entrusted my online business—my domains, my websites, my payment details, and my reputation—to GoDaddy. They were the safe bet, the dot-com giant with the self-proclaimed “award-winning security.” I believed their promises—and why not? Millions of companies, especially small businesses, put their trust in GoDaddy to keep their e-commerce storefronts safe.
However, recent Federal Trade Commission (FTC) findings have left me—and, I suspect, many others—feeling betrayed and more than a little angry.
In January 2025, the FTC filed a complaint against GoDaddy for misleading consumers about its cybersecurity practices. This wasn’t a mild technicality or slip-up; the complaint outlined GoDaddy’s sustained failure to implement basic security measures, dating back to 2018.
These “unreasonable security practices” led to multiple data breaches, exposing clients—and their customers—to real risk. With GoDaddy serving primarily small and micro companies, these are exactly the businesses that might not survive a supply chain breach caused by a vendor’s irresponsible practices.
By May, the FTC announced its allegations and forced GoDaddy to implement proper cybersecurity controls. This raises a troubling question: if a giant like GoDaddy has such poor security, how many other companies are pretending to be secure?
When Marketing Overrides Reality
GoDaddy’s debacle is a cautionary lesson for every business leader. The company talked a good game and consistently highlighted its commitment to providing top-notch services, but the FTC’s investigation found a different reality: GoDaddy didn’t inventory its assets, failed to manage software updates, neglected to monitor for security threats, and—most shockingly—didn’t use MFA for years.
This disconnect between what companies say and what they actually do is not just frustrating—it’s dangerous. Businesses relying on vendors like GoDaddy are left exposed, and in the event of a breach, it’s their data, their customers, and their reputation on the line.
The Anatomy of a Security Breakdown
So what exactly went wrong with GoDaddy, and what should every business look for in its own vendors? The FTC’s settlement document listed several security failures in GoDaddy’s web hosting and data asset security. These failures led to multiple breaches, with criminals gaining unauthorized access to customer websites and data and, in some cases, redirecting users to malicious look-alike sites. GoDaddy’s marketing promised “award-winning security,” but its oversights read like a recipe for what not to do in cybersecurity:
No asset inventory or patch management
GoDaddy failed to keep track of its own systems and didn’t ensure software was up to date. Untracked and outdated systems are a hacker’s playground. Every unpatched server or forgotten device is a potential entry point that leaves data exposed to attacks that could be prevented with routine maintenance.
No proper risk assessment
The company didn’t regularly assess the risks facing its hosting environment. If a vendor isn’t actively identifying and evaluating threats, they’re flying blind. New vulnerabilities and attack methods appear constantly; without risk assessments, problems go unnoticed until it’s too late.
No meaningful monitoring
GoDaddy lacked adequate logging and monitoring of its systems. Malicious activity, such as hacking attempts, might remain hidden for extended periods. If a company can’t spot and respond quickly to unusual behavior, they face prolonged data risks.
No network segmentation
GoDaddy failed to separate critical systems from less secure parts of its network, meaning that once inside, attackers could move freely between systems, escalating the damage. Without segmentation, a breach in one area can quickly become a breach everywhere.
No MFA (Multi-Factor Authentication)
GoDaddy didn’t require multi-factor authentication until forced by regulators. Without MFA, a stolen password is all it takes for cybercriminals to access sensitive accounts. MFA is a basic, proven defense; its absence leaves your assets just one compromised credential away from disaster.
Each of these failures is a reminder that security is not a checklist to be filed away, but an ongoing responsibility—especially for those entrusted with your business’s lifeblood.
Trust, But Verify
This blunder highlights a fundamental truth in cybersecurity: Trust is not a strategy. As Ronald Reagan famously said, “Trust, but verify.” Applied here, that advice means you must demand evidence, not just assurances, from your vendors.
The FTC’s mandate stated GoDaddy must hire an independent third-party assessor and implement a comprehensive security program; this is a public acknowledgment that self-policing isn’t enough.
At the end of the day, it’s not just about GoDaddy’s security blunder. The bigger lesson is that every business—no matter its size—needs to move from passive trust to active verification. That’s where Governance, Risk, and Compliance (GRC) come in.
GRC is a critical framework that keeps companies aware and accountable. It’s about having clear cybersecurity policies, understanding risk management, following industry standards, and demanding proof—not promises—from vendors and business partners.
In early 2024, the National Institute of Standards and Technology (NIST) updated its Cybersecurity Framework by adding “Govern” as the sixth core function—joining Identify, Protect, Detect, Respond, and Recover. This addition underscores the need for improved accountability and oversight, especially when trusting third-party vendors.
So, how do you verify that the businesses you share data with are trustworthy?
The Process of Vetting Your Vendors
Before you sign the next contract or renew another subscription, take a moment to consider what GoDaddy’s missteps reveal about modern cybersecurity risks. Trusting a vendor’s reputation or marketing is no longer enough; your company’s security, reputation, and even survival depend on the questions you ask and the evidence you request. Here are practical steps to help you vet your vendors and partners with confidence.
Request Proof, Not Promises
Vendor security checks should be standard practice in any business. Ask anyone who will have access to your data (bookkeepers, accounting firms, payroll services, cloud-based service providers, or any software vendor that pushes regular updates) for proof of how they protect it. Policy statements displayed in a website’s footer are no longer enough.
Ask for the most recent independent security assessments, not just a summary letter. Up-to-date certifications like SOC 2 and ISO 27001 represent assessments of the vendor’s security controls and policies.
ISO 27001 is the international gold standard for creating and maintaining an Information Security Management System, a formal approach to protecting sensitive data. It’s designed to work for any organization, large or small, in any industry, and signals that the company has a process for identifying and managing risks, not just a patchwork of good intentions.
SOC 2, on the other hand, is a U.S. certification that focuses on whether a service provider is truly protecting customer data. It is widely used by vendors serving North American clients and requires an independent auditor’s verification.
Require Multi-Factor Authentication (MFA)
Of all the evidence you will demand, few things are more important than proof of multi-factor authentication. The fact that GoDaddy was mandated by a government agency to make MFA mandatory highlights just how essential this layer of security is.
Requiring MFA for access to your critical systems (both internally and externally) is non-negotiable in today’s world. It’s a powerful deterrent against credential theft, which is a common way attackers get in.
Verifying that your vendors require and enforce MFA for access to their services should be standard practice. If a vendor doesn’t offer or require MFA, that’s a huge point to address in your verification process.
Assess Governance and Accountability
A vendor’s “governance framework” shouldn’t be a buzzword. Determine who is in charge of cybersecurity at their company, and talk to that individual. Find out if they conduct regular risk assessments and incident response drills. Policies should be clear, up to date, and available, not buried in a binder or forgotten in a shared drive. Good governance is about accountability, a principle NIST considered vital enough to add a dedicated Govern function to its Cybersecurity Framework.
Limit and Monitor Access
Proper governance extends to how you manage access within your own systems. Don’t grant full access based solely on trust. Follow the principle of “least privilege,” typically enforced through an explicit allow list (whitelist): you give vendors access to what they need to do their job, and nothing more.
Then, manage those privileges. Regularly review who has access to what, and remove access when it’s no longer required. Yes, it’s more work than hitting an “all-access” button, but it reduces your risk exposure.
Review Incident Response and Transparency
If a vendor is reluctant to share information, or if their documentation is out of date, that’s a sign to dig deeper. Don’t be shy about asking for their incident response plan, the documented policy for how the company prevents and responds to security incidents. A responsible vendor will have a documented process for handling breaches and will walk you through it.
If a vendor can’t explain how they’ll respond to a security incident, question whether they’re ready to protect your data at all. To go further, ask whether they conduct cybersecurity tabletop exercises, and how often. If the answer is “never,” or “I’ll have to check,” that’s a red flag waving in broad daylight.
Ongoing Checks
Vendor security isn’t a “set and forget” task; it requires ongoing attention. Schedule regular reviews and request updated certifications, just as you would with insurance documents or business licenses. Treat this as a business necessity, not an option. Stay alert for changes in practices or leadership. A vendor that was secure two years ago may not be secure today.
Apply These Principles Internally
Last but not least, remember your own housekeeping. Implement your own access controls for third-party vendors. Apply the same least-privilege (allow-list) approach to your staff, giving them access only to the files and servers they need. Review, monitor, and audit vendor activity. Good governance starts at home.
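The review steps above (enforced MFA, current SOC 2 / ISO 27001 evidence, least-privilege grants, and removal of stale access) can be turned into a repeatable check. The script below is an added example, not tooling from Atlantic Data Security or anything described in the post; the vendor register, thresholds (annual re-attestation, 90 days idle) and privilege levels are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds are assumptions for this example: re-attest yearly, drop grants idle 90 days.
CERT_MAX_AGE = timedelta(days=365)
UNUSED_MAX_AGE = timedelta(days=90)
PRIV_RANK = {"read": 0, "write": 1, "admin": 2}  # higher rank = broader privilege

@dataclass
class Grant:
    system: str
    privilege: str   # "read", "write" or "admin"
    last_used: date

@dataclass
class Vendor:
    name: str
    mfa_enforced: bool
    attestation: str | None        # e.g. "SOC 2" or "ISO 27001"; None if nothing on file
    attestation_date: date | None
    needed_privilege: str          # least-privilege baseline agreed for the engagement
    grants: list[Grant] = field(default_factory=list)

def review_vendor(v: Vendor, today: date) -> list[str]:
    """Return the findings a periodic vendor access review should raise for one vendor."""
    findings = []
    if not v.mfa_enforced:
        findings.append("MFA not enforced on vendor access")
    if v.attestation is None or v.attestation_date is None:
        findings.append("no independent attestation (SOC 2 / ISO 27001) on file")
    elif today - v.attestation_date > CERT_MAX_AGE:
        findings.append(f"{v.attestation} evidence is {(today - v.attestation_date).days} days old; request an update")
    for g in v.grants:
        if PRIV_RANK[g.privilege] > PRIV_RANK[v.needed_privilege]:
            findings.append(f"{g.system}: '{g.privilege}' exceeds agreed '{v.needed_privilege}'")
        if today - g.last_used > UNUSED_MAX_AGE:
            findings.append(f"{g.system}: unused for {(today - g.last_used).days} days; remove")
    return findings

# Constructed register of hypothetical vendors; none of these are real companies.
TODAY = date(2025, 9, 1)
REGISTER = [
    Vendor("Example Payroll Co", True, "SOC 2", date(2025, 3, 15), "read",
           [Grant("hr-share", "read", date(2025, 8, 20))]),
    Vendor("Example Bookkeeping LLC", False, "ISO 27001", date(2024, 4, 1), "read",
           [Grant("finance-db", "admin", date(2025, 8, 30)), Grant("vpn", "read", date(2025, 2, 1))]),
]

def review_all(vendors: list[Vendor] = REGISTER, today: date = TODAY) -> dict[str, list[str]]:
    return {v.name: review_vendor(v, today) for v in vendors}
```

Running `review_all()` on the constructed register returns no findings for the first vendor and four for the second (missing MFA, stale ISO 27001 evidence, an admin grant beyond the agreed scope, and a VPN grant idle for 212 days).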
Vigilance and Moving Forward
Adopting a culture of verification and strong governance reduces your risk of breaches. It builds accountability inside of your company and across your supply chain. The GoDaddy case is a huge wake-up call: Even giants can fall short, and it’s your job to make sure your partners are as secure as they claim.
The FTC’s involvement with GoDaddy suggests a future where basic cybersecurity compliance isn’t optional; it’s expected. I’ve imagined a national system that would allow businesses to earn a cybersecurity “seal of approval”: something visible and credible, showing they meet a recognized security standard. The stronger the security, the better the rating. Better ratings lead to fewer insurance claims and, eventually, lower premiums. It’s an idea, but one that could give companies a practical way to earn trust, and to prove it.
If you would like to learn more about compliance and the tools available to protect your business, and strengthen your own governance, contact Atlantic Data Security and speak to an advisor today. ADS takes pride in helping businesses build better defenses for a safer, more secure cyber community.
Additional reading:
- GoDaddy Case Summary and Timeline
- The FTC Full Decision and Order
- FTC press release on GoDaddy settlement
- NIST releases version 2.0 of its landmark Cybersecurity Framework (NIST, 2024)
Michael Civisca is a freelance contributor for Atlantic Data Security. For over thirty years, ADS has established themselves as a pioneer in the cybersecurity industry with highly customized solutions for their clients. Talk to an Advisor and learn more about managed security services, endpoint security, and cybersecurity trainings at Atlantic Data Security. Follow us on LinkedIn, and read more in our resource blog.