Egress analysis shows that three-quarters of Government organisations are not fully secure
March 2019 by Egress
People-centric data security company Egress has found that only 28% of gov.uk domains have been proactive in setting up DMARC appropriately, in line with UK Government Digital Service (GDS) advice in preparation for the retirement of the Government Secure Intranet (GSI) platform in March 2019. Since 1996, the GSI framework has enabled connected organisations to communicate electronically and securely at low protective marking levels.
Egress analysis has revealed that, just a few weeks before GSI retirement, only 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC) themselves ahead of the deadline. This means that nearly three-quarters are not following the minimum standard requirements suggested by GDS to authenticate email messages.
The findings reveal a lack of preparation from several government email administrators in readying themselves for the domain migration, which in effect leaves domain users open to phishing attacks.
Egress analysed more than 2,000 email domains to check whether public sector organisations have DMARC enabled, and whether they were implementing it in line with the government’s guidance.
Neil Larkins, CTO of Egress, comments: “It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS.”
Once enabled, DMARC provides an email validation system designed to detect and prevent email spoofing, ensuring that email senders and recipients can better determine whether or not a given message is from a legitimate sender. If an email is from an untrusted source and DMARC is fully enabled, administrators can decide whether the email should be placed in quarantine or rejected.
Worryingly, of the 28% that have set up DMARC themselves, 53% have the policy set to ‘do nothing’. This means that email buffering and Business Email Compromise (BEC) can’t be prevented for these domains, and spam and phishing messages go straight into the recipient’s inbox, regardless of whether the message has been sent from a trusted sender or not. Any organisations relying on the default gov.uk DMARC setting will also not be taking advantage of the ‘reject email’ policy, which means that, ultimately, fewer than 14% of organisations are using DMARC effectively if they want to stop phishing attacks.
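How a published DMARC record maps onto the policy levels described above, as an added example (not Egress's methodology or tooling): a parser that classifies constructed TXT records for hypothetical `.example` domains. It inspects only the domain's own `_dmarc` record and does not model fallback to a parent domain's policy.

```python
from collections import Counter

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # RFC 7489: the v tag must come first and match exactly
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to an enforcement level."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"  # several DMARC records: receivers apply none of them
    policy = records[0].get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # failures are reported but still delivered
    if policy not in ENFORCING:
        return "invalid"
    pct = records[0].get("pct", "100")  # an unparseable pct falls back to 100
    if pct.isdigit() and int(pct) < 100:
        return "partial"  # policy applied to only a share of failing mail
    return policy

# Constructed sample data: domain -> TXT strings at _dmarc.<domain>
SAMPLE = {
    "council-a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@council-a.example"],
    "council-b.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@council-b.example"],
    "agency-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "agency-d.example": ["v=spf1 -all"],  # SPF only, no DMARC record
    "dept-e.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=none"],
    "dept-f.example": [],
}

def summarise(zone):
    """Count domains per enforcement level."""
    return Counter(classify(txts) for txts in zone.values())

if __name__ == "__main__":
    counts = summarise(SAMPLE)
    enforcing = sum(counts[k] for k in ENFORCING)
    print(dict(counts), f"fully enforcing: {enforcing}/{len(SAMPLE)}")
```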
GDS recently announced that it has stopped issuing any new .gsi-family domains and updated its email security guidance for government email administrators to follow. This guidance aims to help make sure an organisation’s email service is configured and runs in a secure way. As a minimum, GDS recommends using the Transport Layer Security (TLS) encryption protocol and DMARC to encrypt and authenticate email in transit.
“The advice from the GDS is a great first step in safeguarding that government organisations are securely sharing and authenticating email messages. However, as with many complex organisations, Government departments and councils will probably also need to look to supplement TLS with additional technology, such as message-level encryption – which is suitable, for example, when they don’t have assurance that TLS is set up correctly on the recipient’s server or when messages need to be encrypted at-rest in the recipient’s mailbox. This is especially important for government organisations sharing data externally, where the security posture of the recipient is often unknown.”