Just 28% of gov.uk domains have implemented new email security standards from the Domain-based Message Authentication, Reporting and Conformance (Dmarc) protocol, according to a study from data security company Egress.
While the majority of central government entities have implemented Dmarc, a core piece of the National Cyber Security Centre’s Active Cyber Defense (ASD) initiative, many others are still lagging far behind.
Dmarc is an email validation system designed to help ensure the authenticity of an email sender’s identity, thus cutting down on the common practice of email spoofing which is often a technique used to launch phishing attacks. With Dmarc fully-enabled, administrators are able to review emails sent from untrusted sources and determine whether the email should be quarantined or rejected. Dmarc is also capable of preventing domain impersonation attacks.
Dmarc implementation was initially recommended by the UK Government Digital Service (GDS) issued guidance advising in preparation for the retirement of the Government Secure Intranet (GSI) platform in March 2019, but now, just weeks from the deadline, less than one-third of gov.uk domains have implemented Dmarc, according to Egress’s analysis of 2,000+ email domains.
The problem is clear: with nearly three-quarters of organizations not following the minimum standard requirements for authenticating email messages, those organizations are putting themselves at increased risk of email-spoofing attacks, which forge an email address or header so that a message appears to originate from a trusted source, in this case a government domain. Email spoofing is a popular tactic for phishing and spam campaigns and spoofed emails will often carry dangerous attachments or links.
What’s worse, among the 28% of organizations that have set up Dmarc, more than half have set the policy to “do nothing,” according to Egress, which defeats the purpose of the implementation! That means just 14% of organizations are using Dmarc correctly for stopping phishing attacks.
However, in central government, things aren’t so dire. According to an NCSC spokesperson, 89% of central government departments have already implemented Dmarc as of March 2019.
Phishing continues to be a leading cause of data breaches and cyber attacks in 2019, and phishing attacks that targeted SaaS and webmail services doubled in Q4 2018, according to the most recent Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG).
That’s why, along with proper defense from email spoofers, it’s more important than ever to ensure that any data you transfer—especially via email is verifiable, secure, and protected. With the proper secure file transfer solution, you can provide employees with an easy way to securely send files and secure messages to other people, without relying on unsecure methods such as email or third-party file transfer software or websites.
With MOVEit Ad Hoc, you can even integrate your secure file transfer with Microsoft Outlook, so that all files sent via email are secure and verifiable. What’s more, with MOVEit Ad Hoc in place, malicious outsiders will not be able to credibly send email attachments, because they will not have access to MOVEit, and any other attachment should raise red flags.
Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.Learn More
Subscribe to get all the news, info and tutorials you need to build better business apps and sites
You can also ask us not to share your Personal Information to third parties here: Do Not Sell or Share My Info
We see that you have already chosen to receive marketing materials from us. If you wish to change this at any time you may do so by clicking here.
Thank you for your continued interest in Progress. Based on either your previous activity on our websites or our ongoing relationship, we will keep you updated on our products, solutions, services, company news and events. If you decide that you want to be removed from our mailing lists at any time, you can change your contact preferences by clicking here.