Press Release
Global Cyber Alliance Calls on Leading Cyber Companies To Improve Email Protections
Expansion of DMARC Critical to Reducing Spread of Malicious Emails
SAN FRANCISCO, February 14, 2017 – There is a fix that can prevent a great number of email-borne attacks on consumers and businesses. Unfortunately, the vast majority of public and private organizations globally, including leading cyber security companies, have not deployed DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent spammers and phishers from using an organization’s name to conduct cyber attacks, according to new research from the Global Cyber Alliance (GCA).
DMARC provides insight into any attempts to spam, phish or spear-phish using an organization’s brand or name. DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 2.5 billion email inboxes worldwide. However, DMARC adoption rates among enterprises and government remain low.
The UK Government’s guidance for government agencies directs them to implement DMARC[i] but as of December 2016 only five percent of UK public sector domains[ii] had done so. A mere 16 percent of the healthcare sector has adopted DMARC.
The latest research from GCA, an international cross-sector organization dedicated to confronting systemic cyber risk, finds that adoption remains low in the cyber security industry as well.
Only 15 percent of the 587 scanned email domains of companies exhibiting at the RSA Conference — one of the world’s largest gatherings of cyber security experts — use DMARC. Of the 90 RSA exhibiting organizations that do use DMARC, more than 66 percent use the DMARC policy of “none,” which only monitors for email domains, greatly reducing the effectiveness of DMARC.
It is time for the cyber security industry to lead the charge and push for DMARC use across the globe. GCA strongly advocates that organizations implement DMARC and has developed a free DMARC Setup Guide to make DMARC implementation easier (https://dmarc.globalcyberalliance.org/).
The value of correctly implementing DMARC is clear, as studies[iii] have shown that organizations that use DMARC correctly receive just 23 percent of the email threats received by those that do not use DMARC.
“As world leaders in cybersecurity, we can do better. DMARC protects brands and preserves consumer confidence. While no security effort is cost-free, clear guidance and tools, such as the GCA DMARC Setup Guide, make DMARC implementation practical, and the benefits are considerable. DMARC is one of the cyber security protocols that can broadly reduce risk, and the more it is implemented, the more protection it offers for everyone,” said Philip Reitinger, President and CEO of GCA. “I’m placing a stake in the ground and calling on the cyber security industry to lead the adoption of DMARC, with a goal that 50 percent of the companies that exhibit at the 2018 RSA Conference implement DMARC prior to the conference, and that 90 percent implement prior to the 2019 RSA Conference. Working together, the cyber security industry can be a role model and make a difference.”
About The Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. While most efforts at addressing cyber risk have been industry, sector, or geographically specific, GCA partners across borders and sectors. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.
GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.
[i] https://www.gov.uk/guidance/set-up-government-email-services-securely
[ii] https://www.ncsc.gov.uk/blog-post/making-email-mean-something-again
[iii] https://www.helpnetsecurity.com/2017/02/01/phishing-display-name-spoofs/