Government Leads Major Industries In Email Security

The federal government is now using anti-phishing security on its emails at a higher rate than any major industry sector, according to a report released Thursday.

The study from the email security firm ValiMail comes roughly six months after the Homeland Security Department mandated the email security tool called DMARC for all federal agencies.

As of the first quarter of 2018, 68 percent of federal government email domains had the tool installed compared with only 50 percent of tech sector domains, 36 percent of bank domains, and 26 percent of health care sector domains.

The lowest adoption was among media companies where only 13 percent of email domains used DMARC.

That’s a big change from the final quarter of 2017, before the Homeland Security deadline, when government was near the bottom of the list with about 19 percent adoption.

ValiMail CEO Alexander Garcia-Tobar described that shift as evidence that “a well-thought-out, carefully crafted directive” can “be incredibly effective in turning a lagging sector into a leading one” when it comes to email security.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, pings a sender’s email domain—irs.gov, for example—and asks if the sender—say, the.situation@irs.gov—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

DMARC must be installed on both email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft. That means shifting government email to DMARC will make it much tougher to spoof government accounts to launch phishing attacks against home and personal email addresses.

Therefore, installing DMARC on government systems makes it far more difficult to use those domains to target citizens’ personal accounts with phishing attacks or to use commercial email domains to target federal agencies.

The ValiMail study was based mostly on companies with over $1 billion in annual revenues. The analysts made exceptions for media and utilities.

“In general, companies in younger and more tech-forward industries are more likely to have deployed email authentication,” the study found. “Older, larger, and less tech-centric industries are less likely to have authentication in place—unless, like banks, they have significant legal and/or compliance reasons to defend their brands.”

A separate study released Wednesday by the Global Cyber Alliance found most major federal IT contractors aren’t actively using DMARC, which could make federal agencies more vulnerable.