
Three-quarters of government organisations not DMARC compliant

Fewer than 28% of gov.uk using DMARC effectively in line with Government guidelines ahead of GSI retirement in March 2019

A recent analysis has found that only 28% of gov.uk domains have been proactive in setting up DMARC appropriately. These are the only domains falling in line with UK Government Digital Service (GDS) advice.

GDS has recommended preparing for the retirement of the Government Secure Intranet (GSI) platform in March 2019. Since 1996, the GSI framework has enabled connected organisations to communicate electronically and securely at low protective marking levels.

Egress analysis has revealed that only 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC) themselves ahead of the deadline, with just a few weeks to go before GSI retirement.

This means that nearly three-quarters are not meeting the minimum standard suggested by GDS, which is to authenticate email messages.

Lack of preparation for DMARC

The findings reveal a lack of preparation from several government email administrators in readying themselves for the domain migration. This, in effect, leaves domain users open to phishing attacks.

Egress analysed more than 2,000 email domains to check whether public sector organisations have DMARC enabled, and whether the implementation was in line with the government’s guidance.

Neil Larkins, CTO of Egress, comments: “It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS.”

Once enabled, DMARC provides an email validation system designed to detect and prevent email spoofing, so that email senders and recipients can determine whether a given message comes from a legitimate sender.

If an email comes from an untrusted source, administrators can decide on the course of action: whether the message should be placed in quarantine or rejected. This is only possible if DMARC is fully enabled.

Worryingly, of the 28% that have set up DMARC themselves, 53% have the policy set to do nothing. This means that email buffering and Business Email Compromise (BEC) can’t be prevented for these domains: spam and phishing messages will go straight into the recipient’s inbox, regardless of whether the message was sent by a trusted sender or not.

Reject email policy

Any organisation relying on the default gov.uk DMARC setting will also not be taking advantage of the reject policy. This means that, ultimately, fewer than 14% of organisations are using DMARC effectively enough to stop phishing attacks.
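The distinction the article draws (DMARC published or not; policy set to do nothing versus quarantine or reject) is exactly what a domain audit has to read out of the `_dmarc` TXT record. The following is an added example, not code from the article or from Egress: it parses DMARC records and classifies each domain the way the analysis above does. The records and domain names are constructed samples, not real gov.uk data, and `summarise` is a hypothetical helper that produces the article's style of headline counts.

```python
"""Classify DMARC records by whether they would actually act on spoofed mail.

Added example (not from the article or Egress). Records below are constructed
samples under made-up domain names; nothing here performs a DNS lookup.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records, as they would appear in the _dmarc.<domain> TXT record.
SAMPLE_RECORDS = {
    "none-policy.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@none-policy.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:reports@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@reject.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "no-dmarc.example": None,          # no TXT record published at all
    "malformed.example": "p=reject",   # missing the mandatory v=DMARC1 tag
}


@dataclass
class DmarcAssessment:
    domain: str
    record_present: bool
    policy: Optional[str]      # "none", "quarantine", "reject", or None if unusable
    pct: int                   # share of failing mail the policy is applied to
    enforcing: bool            # True only for quarantine or reject
    findings: list = field(default_factory=list)


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into lower-cased tag/value pairs.

    Returns None unless the first tag is exactly v=DMARC1 (RFC 7489), because
    receivers ignore a record that does not start that way.
    """
    parts = [p.strip() for p in txt.split(";")]
    if not parts or parts[0].lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            continue
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt):
    """Classify one domain's DMARC posture and list what an administrator should fix."""
    if txt is None:
        return DmarcAssessment(domain, False, None, 0, False,
                               ["no DMARC record published at _dmarc." + domain])
    tags = parse_dmarc_record(txt)
    if tags is None:
        return DmarcAssessment(domain, True, None, 0, False,
                               ["record does not begin with v=DMARC1; receivers will ignore it"])
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(domain, True, None, 0, False,
                               ["missing or invalid p= tag; record is not usable"])
    # pct defaults to 100; a lower value applies the policy to only a sample of failures
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number; treating as 0")
    if policy == "none":
        findings.append("p=none: failing mail is delivered unchanged (monitor only)")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate failure reports will not be received")
    enforcing = policy in ("quarantine", "reject")
    return DmarcAssessment(domain, True, policy, pct, enforcing, findings)


def summarise(records):
    """Headline counts in the article's style: published, set to do nothing, fully rejecting."""
    results = [assess_domain(d, r) for d, r in records.items()]
    return {
        "domains": len(results),
        "published": sum(r.record_present for r in results),
        "policy_none": sum(r.policy == "none" for r in results),
        "enforcing": sum(r.enforcing for r in results),
        "reject_full": sum(r.policy == "reject" and r.pct == 100 for r in results),
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_domain(domain, record)
        print(f"{domain}: policy={result.policy} enforcing={result.enforcing}")
        for finding in result.findings:
            print("   -", finding)
    print(summarise(SAMPLE_RECORDS))
```

Of the six constructed domains, five publish something, but only three enforce a policy and only one rejects all failing mail; that is the same gap between "has DMARC" and "uses DMARC effectively" that the article's 28% versus 14% figures describe. A `p=none` record still has value for the reporting it turns on, which is why the check flags a missing `rua=` address separately rather than treating it as the same defect.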

GDS recently announced that it has stopped issuing any new .gsi-family domains and has updated its email security guidance for government email administrators to follow. This guidance aims to help make sure an organisation’s email service is configured and runs in a secure way.

As a minimum, GDS recommends using Transport Layer Security (TLS) encryption protocol and DMARC to encrypt and authenticate email in transit.

Advice from GDS

Egress says: “The advice from the GDS is a great first step in safeguarding that government organisations are securely sharing and authenticating email messages.

“However, as with many complex organisations, government departments and councils will probably also need to look to supplement TLS with additional technology, such as message-level encryption – which is suitable, for example, when they don’t have assurance that TLS is set up correctly on the recipient’s server or when messages need to be encrypted at-rest in the recipient’s mailbox.

“This is especially important for government organisations sharing data externally, where the security posture of the recipient is often unknown.”

The survey of senior individuals across 123 public sector organisations has revealed that UK public sector organisations welcome new regulations around data protection as an opportunity to transform their content management.
