It’s no secret by now that email has become the number one tool for cyber criminals and fraudsters. Earlier this year the FBI estimated that Business Email Compromise attacks, which impersonate executives within a company, have cost more than $3.1 billion in the last three years alone, while increasingly sophisticated phishing attacks are also targeting individuals.
The public sector is no exception to this trend, and the UK government has recently undertaken powerful action to protect both its employees and citizens from being attacked by criminals using the trusted .gov address.
As of the 1st of October, Government Digital Services (GDS), part of the Cabinet Office, requires all UK governmental departments to use the DMARC protocol for all email. This includes making the strongest DMARC policy (“p=reject”) the default for email services at that time.
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a system that detects and prevents email spoofing by letting receiving mail servers check that an incoming message is authorised by the domain shown in its From address. It also confirms, through the DKIM signature, that the message body and attached files have not been modified in transit.
The system is built using the existing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) internet standards, and enables an organisation to use one or both to govern the rules around authorised emails, and how to deal with messages sent on the domain that have failed to meet the criteria.
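As an added example that is not part of the original article, the Python below shows how a receiving server combines SPF and DKIM results with a published DMARC record, including the strict and relaxed alignment modes and the separate subdomain policy. The record, the domains and the miniature public-suffix list are constructed samples.

```python
# Added example, not from the original article: how a receiving mail server
# applies a published DMARC record to one message (constructed samples throughout).
# Stand-in for the Public Suffix List; a real receiver loads the full list.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk", "com"}

def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "sp": None}  # relaxed alignment unless stated
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.hmrc.gov.uk -> hmrc.gov.uk."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def evaluate_dmarc(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return whether DMARC passes and the disposition the domain owner asked for."""
    tags = parse_dmarc_record(record)
    # An SPF or DKIM pass only counts if its domain aligns with the From: domain.
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"pass": True, "disposition": "none", "via": "spf" if spf_ok else "dkim"}
    # Failing mail from a subdomain follows sp= when published, otherwise p=.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    policy = tags["sp"] if is_subdomain and tags["sp"] else tags["p"]
    return {"pass": False, "disposition": policy, "via": None}

# Constructed record in the shape GDS requires: p=reject as the default policy.
GOV_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.gov.uk"

if __name__ == "__main__":
    # Spoof attempt: SPF passes for the sender's own domain, which does not align.
    print(evaluate_dmarc(GOV_RECORD, "example.gov.uk", True, "attacker.example", False, ""))
```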
Most approaches to email management have very little success in stopping spoofed emails, because the content and domain of a well put-together fake are almost indistinguishable from a legitimate message. By checking whether the sending domain is authorised rather than inspecting the content of the message itself, DMARC means that even the most well-crafted fake can be detected and prevented from reaching its target.
DMARC already has a proven track record at government level. Ciaran Martin, Director-General for Cyber at GCHQ, recently cited an example of DMARC stopping 58,000 daily malicious emails sent under the address taxrefund.gov.uk during its first trial.
The UK government’s move to spread the use of DMARC across all governmental bodies marks a watershed moment towards better security for both the government itself and all UK citizens, and should help to greatly reduce the risk of breaches and cyberattacks.
Email also plays a role in meeting the expectations of a new generation of UK citizens for access to more convenient, greener, and less costly digital services. By guaranteeing the safety of email as a communication channel, the government can more effectively deliver these services.
Hopefully this forward-thinking action will jump the gap from public to private sector, and inspire more enterprises to adopt DMARC to help protect their employees, partners and customers from cyber criminals using their trusted domain as an attack vector.