
Three-quarters of government organisations not DMARC compliant

Fewer than 28% of gov.uk using DMARC effectively in line with Government guidelines ahead of GSI retirement in March 2019

A recent analysis has found that only 28% of gov.uk domains have been proactive in setting up DMARC appropriately. These are the only domains falling in line with UK Government Digital Service (GDS) advice.

GDS has recommended preparing for the retirement of the Government Secure Intranet (GSI) platform in March 2019. Since 1996, the GSI framework has enabled connected organisations to communicate electronically and securely at low protective marking levels.

Egress analysis has revealed that only 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC) themselves ahead of the deadline, with just a few weeks to go before GSI retirement.

This means that nearly three-quarters are not following the minimum standard suggested by GDS, which is to authenticate email messages.

Lack of preparation for DMARC

The findings reveal a lack of preparation from several government email administrators in readying themselves for the domain migration. This, in effect, leaves domain users open to phishing attacks.

Egress analysed more than 2,000 email domains to check whether public sector organisations have DMARC enabled, and whether the implementation was in line with the government's guidance.

Neil Larkins, CTO of Egress, comments: “It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS.”

Once enabled, DMARC provides an email validation system designed to detect and prevent email spoofing. It ensures that email senders and recipients can determine whether a given message is from a legitimate sender.

If an email is from an untrusted source, administrators can decide on the course of action: whether the email should be placed in quarantine or rejected. This is only possible if DMARC is fully enabled.

Worryingly, of the 28% that have set up DMARC themselves, 53% have the policy set to do nothing. This means that email buffering and Business Email Compromise (BEC) can’t be prevented for these domains. Spam and phishing messages will go straight into the recipient’s inbox. This will happen regardless of whether the message has been sent from a trusted sender or not.

Reject email policy

Any organisations relying on the default gov.uk DMARC setting will also not be taking advantage of the reject email policy. This means that ultimately, fewer than 14% of organisations are using DMARC effectively if they want to stop phishing attacks.
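The distinction the analysis draws between "DMARC enabled" and "DMARC used effectively" comes down to the `p=` tag in the record a domain publishes at `_dmarc.<domain>`: `p=none` only monitors, while `p=quarantine` or `p=reject` actually filters spoofed mail. The following Python is an added example, not code from Egress or GDS, that parses DMARC TXT records and sorts domains into the buckets the article uses (no record, policy set to none, enforcing policy). The domain names and records are constructed for illustration; a real audit would replace them with the results of DNS TXT lookups.

```python
"""Classify DMARC TXT records by the enforcement level their policy provides.

Added example (not from the Egress analysis or GDS guidance): it parses the
record a domain publishes at _dmarc.<domain> and reports whether the policy
would let a spoofed message reach the inbox (p=none), quarantine it, or
reject it. All sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Policies in increasing order of enforcement, as defined in RFC 7489.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    present: bool
    policy: Optional[str]            # p= tag, None when no valid record
    subdomain_policy: Optional[str]  # sp= tag, defaults to p= when absent
    pct: int                         # pct= tag, defaults to 100
    reporting: bool                  # rua= present, so failures are visible
    verdict: str                     # human-readable summary


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary.

    Tags are separated by ';'. Receivers only treat the record as DMARC when
    it carries v=DMARC1, so anything else yields an empty dictionary.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Turn a published record (or its absence) into an assessment."""
    tags = parse_dmarc(record) if record else {}
    if not tags or tags.get("p", "").lower() not in POLICY_RANK:
        return DmarcAssessment(domain, False, None, None, 0, False,
                               "no valid DMARC record: spoofed mail is not filtered")
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))
    reporting = "rua" in tags

    if policy == "none":
        verdict = "monitor only (p=none): spoofed mail still reaches the inbox"
    elif pct < 100:
        verdict = f"p={policy} applied to only {pct}% of failing mail"
    else:
        action = "rejected" if policy == "reject" else "quarantined"
        verdict = f"p={policy}: failing mail is {action}"
    return DmarcAssessment(domain, True, policy, sp, pct, reporting, verdict)


def is_effective(a: DmarcAssessment) -> bool:
    """'Effective' in the article's sense: a record exists, p is quarantine
    or reject, and the policy applies to all failing mail (pct=100)."""
    return a.present and POLICY_RANK[a.policy] >= 1 and a.pct == 100


# Constructed sample records standing in for _dmarc.<domain> TXT lookups;
# none of these are real gov.uk domains or their published records.
SAMPLE_RECORDS = {
    "example-council.invalid": None,
    "example-agency.invalid": "v=DMARC1; p=none; rua=mailto:dmarc@example-agency.invalid",
    "example-dept.invalid": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example-dept.invalid",
    "example-office.invalid": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-office.invalid",
    "example-spf-only.invalid": "v=spf1 include:_spf.example.invalid -all",  # SPF, not DMARC
}


def summarise(records: dict) -> dict:
    """Count how many domains fall into each bucket used in the article."""
    results = [assess(d, r) for d, r in records.items()]
    return {
        "total": len(results),
        "dmarc_present": sum(a.present for a in results),
        "policy_none": sum(a.policy == "none" for a in results),
        "effective": sum(is_effective(a) for a in results),
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:28} {assess(domain, record).verdict}")
    print(summarise(SAMPLE_RECORDS))
```

The `pct` handling matters in practice: a domain that publishes `p=reject; pct=25` appears enforcing at a glance but still lets three-quarters of failing mail through, so a compliance check that looks only at the `p=` tag will overstate coverage.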

GDS recently announced that it has stopped issuing any new .gsi-family domains and has updated its email security guidance for government email administrators to follow. This guidance aims to help make sure an organisation's email service is configured and runs in a secure way.

As a minimum, GDS recommends using Transport Layer Security (TLS) encryption protocol and DMARC to encrypt and authenticate email in transit.

Advice from GDS

Egress says: “The advice from the GDS is a great first step in safeguarding that government organisations are securely sharing and authenticating email messages.

“However, as with many complex organisations, government departments and councils will probably also need to look to supplement TLS with additional technology, such as message-level encryption – which is suitable, for example, when they don’t have assurance that TLS is set up correctly on the recipient’s server or when messages need to be encrypted at-rest in the recipient’s mailbox.

“This is especially important for government organisations sharing data externally, where the security posture of the recipient is often unknown.”

The survey of senior individuals across 123 public sector organisations has revealed that UK public sector organisations welcome new regulations around data protection as an opportunity to transform their content management.
