Nearly three-quarters of government organisations are leaving online users exposed to potential email fraud and phishing attacks by failing to adopt an industry best practice validation system, with just over a week to go before the existing public sector domain platform is axed.
According to a study by Egress, just 28% of gov.uk domains have been proactive in setting up the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, meaning many are going against the official advice from the UK Government Digital Service (GDS).
The Government Secure Intranet (GSI) platform, which has enabled connected organisations to communicate electronically and securely at low protective marking levels since 1996, is due to be retired at the end of this month.
DMARC is a globally recognised email standard that builds on SPF and DKIM: the owner of a domain publishes a policy in DNS (a TXT record at _dmarc.<domain>) telling receiving mail servers what to do with messages that claim to come from that domain but fail those checks, and where to send reports about them. It is strongly advocated by both the UK Government and the National Cyber Security Centre.
Once enabled, DMARC provides an email validation system designed to detect and prevent email spoofing, so that senders and recipients can better determine whether or not a given message is from a legitimate sender. Whether a failing message is merely reported on, placed in quarantine or rejected outright is decided by the domain owner's published policy (p=none, p=quarantine or p=reject), and only the latter two actually block spoofed mail.
Egress analysed more than 2,000 email domains to check if public sector organisations have DMARC enabled, and whether they were implementing it in line with the Government’s guidance.
The findings reveal a lack of preparation by many government email administrators for the domain migration, which in effect leaves users of those domains open to phishing attacks.
Even worse, of the 28% that had enabled DMARC at the time of the study, over half (53%) had set the policy to "do nothing" (p=none). A p=none record only generates reports and blocks nothing: spoofed messages, including Business Email Compromise (BEC) attempts, spam and phishing, are still delivered to recipients' inboxes.
This means that in reality, only 14% of government domains are using DMARC effectively to stop phishing attacks.
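To make the difference between a monitoring-only and an enforcing DMARC policy concrete, the following Python example (added here for illustration; it is not code from the article or from Egress) parses two constructed _dmarc records, one with p=none and one with p=reject and strict alignment, and works out what a DMARC-checking receiver would do with three constructed messages that all claim to be From: example.gov.uk. The domain names, records, message scenarios and the tiny public-suffix subset are all assumptions for the example, and pct= sampling is not modelled.

```python
"""DMARC policy evaluation, added as an illustration; not code from the
article or from Egress. Records, domains and messages are constructed."""

# Constructed stand-in for the Public Suffix List (a real receiver loads the
# full list from publicsuffix.org; these entries are enough for the example).
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "com", "org"}

# Constructed _dmarc TXT records. The first is the "do nothing" (p=none)
# policy the study found on over half of the enabled domains; the second
# is an enforcing policy with strict SPF/DKIM alignment.
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov.uk"
ENFORCING_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                    "rua=mailto:dmarc-rua@example.gov.uk")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")      # parsed but not modelled below
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: one label above the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    accepts any domain sharing the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf: tuple, dkim: tuple) -> str:
    """Decide what a DMARC-checking receiver does with one message.

    spf = (result, envelope-from domain); dkim = (result, d= domain).
    Returns "pass", or on failure the policy applied: "none" (deliver
    anyway), "quarantine" or "reject".
    """
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    return policy["sp"] if is_subdomain else policy["p"]


def is_enforcing(record: str) -> bool:
    """The study's distinction: p=none only reports, it blocks nothing."""
    return parse_dmarc(record)["p"] in ("quarantine", "reject")


def run_scenarios() -> dict:
    """Three constructed messages, all claiming From: example.gov.uk."""
    spoof = dict(from_domain="example.gov.uk",
                 spf=("pass", "attacker-mail.com"),   # attacker's own SPF passes...
                 dkim=("pass", "attacker-mail.com"))  # ...as does their DKIM, but neither aligns
    legit = dict(from_domain="example.gov.uk",
                 spf=("pass", "example.gov.uk"),
                 dkim=("pass", "example.gov.uk"))
    # A legitimate relay signing with a subdomain key: fine under relaxed
    # alignment, rejected under adkim=s. Check for this before going strict.
    relay = dict(from_domain="example.gov.uk",
                 spf=("fail", "example.gov.uk"),
                 dkim=("pass", "mail.example.gov.uk"))
    out = {}
    for name, rec in (("monitor", MONITOR_ONLY_RECORD), ("enforce", ENFORCING_RECORD)):
        for label, msg in (("spoof", spoof), ("legit", legit), ("relay", relay)):
            out[f"{name}/{label}"] = dmarc_disposition(rec, **msg)
    return out


if __name__ == "__main__":
    for scenario, disposition in run_scenarios().items():
        print(f"{scenario:16} -> {disposition}")
```

Under the p=none record the spoofed message gets disposition "none", meaning it is delivered and only shows up in aggregate reports; under the enforcing record it is rejected. The relay scenario is the caveat that stops many organisations at p=none: strict alignment rejects mail legitimately signed by a subdomain, so the aggregate (rua) reports should be reviewed for such senders before moving to quarantine or reject. A domain's real record can be fetched with `dig +short TXT _dmarc.<domain>` and fed to parse_dmarc.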
Egress chief technology officer Neil Larkins said: "It's quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network's ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it's critical that organisations heed the advice laid out by GDS."