Rollout of DMARC email security protocol needs to gain steam

Trust, from both customers and investors, is the most important currency for financial services companies. A breach of trust can break a bank, while maintaining trust leads to long-term success. At its core, financial services customers expect their banking institutions to protect their money and their information. And it starts with the most basic of 21st century communications – email. So how are the globe’s leading financial institutions doing?

DMARC email security protocol

The good news is that the five largest banks in the U.S. are deploying the Domain-based Message Authentication, Reporting & Conformance (DMARC) email security protocol to prevent their brands from being hijacked and protect consumers from data theft, according to a new study from the Global Cyber Alliance (GCA).

However, there is still much more work to be done.

DMARC deployment around the world

Only 11 of the top 50 U.S. banks and just 9 of the 50 largest European banks have deployed DMARC to block spoofed emails or have them marked as spam. Further, NONE of the 50 fastest growing independent banks in the U.S. use DMARC at all.

An additional 22 of the top 50 banks in the U.S. and 10 of the top 50 in Europe have not fully deployed DMARC, which keeps those organizations from gaining its benefits. The reasons vary; for example, a bank may only be beginning the process of DMARC implementation.

“We have tested and used DMARC in monitoring mode and are moving into ‘reject’ mode to protect the more than 60 million emails we distribute monthly,” said Troels Oerting, Group Chief Security Officer, Group CISO for Barclays Plc. “We need more companies to deploy DMARC to strengthen the ecosystem. I call on my peers across the financial sector and other industries to implement DMARC as part of email security and anti-phishing efforts.”

Banks and DMARC

Banks that deploy DMARC can stop spammers and phishers from using an organization’s name to trick unsuspecting customers and conduct cyber attacks. DMARC provides insight into any attempts to spam, phish or spear-phish using an organization’s brand or name. DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 2.5 billion email inboxes worldwide.

“At U.S. Bank, we work to earn the trust of customers every day,” said Jenny Menna, Senior Vice President and Cybersecurity Partnership Executive at U.S. Bank. “U.S. Bank utilizes DMARC, and I always recommend that our clients consider implementing DMARC to protect their brand and their clients.”

“DMARC prevents the hijacking of a company’s brand, protecting its reputation and its relationships with customers and investors,” said Philip Reitinger, President and CEO of GCA. “DMARC is proven, and it is free. Deployment is quite simple for many small and medium-size organizations, and reasonable for large organizations especially given the significant return on investment. If a customer can’t trust your email correspondence, they will be looking elsewhere rather quickly.”