By Shehzad Mirza
GCA published statistics in February 2017 regarding the utilization of DMARC amongst the companies exhibiting at RSA Conference in San Francisco. The results were alarming, and honestly, disappointing:
Only 15 percent of the 587 email domains (that were scanned) for companies exhibiting at the RSA Conference — one of the world’s largest gatherings of cyber security experts — use DMARC. Of the 90 RSA exhibiting organizations that do use DMARC, more than 66 percent use the DMARC policy of “none,” which only monitors email for the domain, greatly reducing the effectiveness of DMARC. The DMARC policy of “none” is a starting point in confirming that the configuration is correct before moving to a higher DMARC policy level.
A little over a year has passed, and GCA’s follow-up research indicates that the number of companies exhibiting at RSA Conference using DMARC increased only by eleven percent – 153 companies. Of those 153, 74 percent are using the DMARC policy of “none.” There was very little movement to the enforcement levels of quarantine and reject.
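As an added illustration (not code from GCA or from the original post), the sketch below classifies the TXT records published at `_dmarc.<domain>` into the policy levels discussed above and tallies how many DMARC users are still at "none". The function names and sample domains are constructed, and it simplifies RFC 7489 by treating a missing p= tag as malformed.

```python
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of one DMARC TXT record, or None if it is malformed."""
    tags = []
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if not part.strip():
            continue                      # tolerate a trailing ';'
        if not sep:
            return None                   # every tag must be name=value
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None                       # the version tag must come first
    record = dict(tags)
    record["p"] = record.get("p", "").lower()
    # Simplification: a missing or unknown p= is treated as malformed here.
    return record if record["p"] in POLICIES else None

def classify(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    candidates = [t for t in txt_records if t.strip().startswith("v=DMARC1")]
    if not candidates:
        return "no-record"
    if len(candidates) > 1:
        return "invalid"                  # more than one DMARC record: none is applied
    record = parse_dmarc(candidates[0])
    return record["p"] if record else "invalid"

def tally(scan):
    """Count classifications and the share of DMARC users still at p=none."""
    counts = Counter(classify(records) for records in scan.values())
    using = sum(counts[p] for p in POLICIES)
    share_none = counts["none"] / using if using else 0.0
    return counts, share_none

# Constructed sample data, not results from the GCA scan.
SAMPLE_SCAN = {
    "a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=reject; pct=100;"],
    "c.example": ["v=spf1 -all"],
    "d.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "e.example": ["v=DMARC1; p=Quarantine"],
    "f.example": ["v=DMARC1; p=monitor"],
    "g.example": [],
}

if __name__ == "__main__":
    counts, share_none = tally(SAMPLE_SCAN)
    print(dict(counts), f"p=none share of DMARC users: {share_none:.0%}")
```

Only "quarantine" and "reject" count as enforcement; a domain that publishes two DMARC records or an unknown policy value is reported as invalid rather than credited with either.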
It goes without saying, but we’ll say it anyway: this is still disappointing. Credit goes to those companies that have made efforts to better protect themselves and their customers, but it’s still not enough. Every large breach reported in the news is hailed as a “wake up call.” Yet, nothing really seems to change. And it’s not just the security industry, it’s in many other sectors as well. But those results are a topic for another blog.
Folks, we need to Do Something. The theme for RSA Conference is “Now Matters,” and we couldn’t agree more! At GCA, we’ll continue to Do Something AND Measure It, as is our mantra…but the next time we follow up on our research, we’d love to be able to say that InfoSec took a more prominent leadership role to improve our global cyber ecosystem.
The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.