Three-quarters of Government organisations are not fully secure

London, UK – March 2019 – People-centric data security company Egress has found that only 28% of gov.uk domains have been proactive in setting up DMARC appropriately, in line with UK Government Digital Service (GDS) advice in preparation for the retirement of the Government Secure Intranet (GSI) platform in March 2019. Since 1996, the GSI framework has enabled connected organisations to communicate electronically and securely at low protective marking levels.

Egress analysis has revealed that, just a few weeks before GSI retirement, only 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC) themselves ahead of the deadline. This means that nearly three-quarters are not following the minimum standard requirements suggested by GDS to authenticate email messages.

The findings reveal a lack of preparation from several government email administrators in readying themselves for the domain migration, which in effect leaves domain users open to phishing attacks.

Egress analysed more than 2,000 email domains to check whether public sector organisations have DMARC enabled, and whether they are implementing it in line with the government’s guidance.

Neil Larkins, CTO of Egress, comments: “It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS.”

Once enabled, DMARC provides an email validation system designed to detect and prevent email spoofing, so that email senders and recipients can better determine whether or not a given message is from a legitimate sender. With DMARC fully enabled, administrators can decide whether email from an untrusted source should be placed in quarantine or rejected.

Worryingly, of the 28% that have set up DMARC themselves, 53% have the policy set to ‘do nothing’. This means that email buffering and Business Email Compromise (BEC) can’t be prevented for these domains, and spam and phishing messages go straight into the recipient’s inbox, regardless of whether the message has been sent from a trusted sender or not. Any organisation relying on the default gov.uk DMARC setting will also not be taking advantage of the ‘reject email’ policy, so ultimately fewer than 14% of organisations are using DMARC effectively if they want to stop phishing attacks.
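The distinction the article draws (no record, a record whose policy is ‘do nothing’, and a record that actually quarantines or rejects) can be checked mechanically from a domain’s `_dmarc` TXT record. The following is an added example, not Egress’s tooling: it parses DMARC records and classifies them the way the survey does; every domain and record below is constructed, none is a real gov.uk domain.

```python
"""Classify DMARC TXT records as the article does: 'do nothing' (p=none)
versus quarantine/reject. Added example; all sample records are constructed."""

# Constructed _dmarc TXT records (placeholder domains, not real gov.uk domains).
SAMPLE_RECORDS = {
    "example-council.invalid": "v=DMARC1; p=none; rua=mailto:dmarc@example-council.invalid",
    "example-dept.invalid": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:rua@example-dept.invalid",
    "example-agency.invalid": "v=DMARC1; p=quarantine; pct=50",
    "example-nodmarc.invalid": None,       # no _dmarc record published at all
    "example-broken.invalid": "p=reject",  # missing the mandatory v=DMARC1 tag
}

def parse_dmarc(record):
    """Return a dict of tag -> value for a DMARC record, or None if it is invalid.
    RFC 7489 requires the record to start with v=DMARC1 and to carry a p= tag;
    pct defaults to 100 when absent."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("pct", "100")
    return tags

def classify(record):
    """Map a record to 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"  # the 'do nothing' policy: reports only, mail still delivered
    if policy in ("quarantine", "reject"):
        # pct below 100 applies the policy to only a sample of failing mail
        return "enforcing" if tags["pct"] == "100" else "partial"
    return "invalid"

def summarise(records):
    """Count how many domains fall into each classification."""
    counts = {}
    for rec in records.values():
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:26} {classify(rec)}")
    print(summarise(SAMPLE_RECORDS))
```

Only domains classified as `enforcing` meet the ‘reject’ or ‘quarantine’ bar the article treats as effective; `monitor-only` is the 53% ‘do nothing’ case.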

GDS recently announced that it has stopped issuing any new .gsi-family domains and has updated its email security guidance for government email administrators to follow. This guidance aims to help make sure an organisation’s email service is configured and runs in a secure way. As a minimum, GDS recommends using the Transport Layer Security (TLS) encryption protocol and DMARC to encrypt and authenticate email in transit.

“The advice from the GDS is a great first step in safeguarding that government organisations are securely sharing and authenticating email messages. However, as with many complex organisations, Government departments and councils will probably also need to look to supplement TLS with additional technology, such as message-level encryption – which is suitable, for example, when they don’t have assurance that TLS is set up correctly on the recipient’s server or when messages need to be encrypted at-rest in the recipient’s mailbox. This is especially important for government organisations sharing data externally, where the security posture of the recipient is often unknown.”

For media enquiries, please contact:

Michael Bartley, C8 Consulting for Egress

michael@c8consulting.co.uk

+44 (0) 1189 497 750 / +44 (0) 7920 709749

For more information about Egress, please contact:

Rebecca Bailey, Marketing and communications

+44 (0) 207 624 8500

rebecca.bailey@egress.com

About Egress

Our mission is to eliminate the greatest risk to every business – the insider threat. To achieve this Egress has built the world’s only Human Layer Security platform that empowers your people to remain secure while being highly productive.

Using patented contextual machine learning, Egress is trusted by the world's biggest brands to prevent human error and protect against malicious or reckless behaviour on email without any administrative overhead. Funded by FTV Capital and Albion VC, Egress is headquartered in London with offices in Toronto and Boston.