Now Available: Small and Midsize Business Cybersecurity Survey

An industry-government partnership is conducting a survey on cybersecurity issues in the small and midsized business (SMB) community and would most welcome your organization’s participation.

The survey focuses on companies’ awareness and use of the Cybersecurity Framework (Framework), which was led by the National Institute of Standards and Technology.

The Information Technology Sector Coordinating Council and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) are conducting this research to inform development of cybersecurity information to support SMBs.

The voluntary survey addresses companies’ familiarity with the Framework, their perceptions regarding potential barriers to using the Framework, their concerns related to cybersecurity, as well as how those concerns rank relative to other business priorities. It also seeks companies’ suggestions for strengthening the overall cybersecurity posture of SMBs.

The survey data will be collected and anonymized by ACT: The App Association. No confidential or identifiable data will be published or shared with DHS in any capacity. The survey is open for the entire SMB community to participate.

To access the survey, please visit https://www.surveymonkey.com/r/NXBCNQH. The survey should only take 30 minutes. Questions marked with an asterisk (*) are required. You can only take the survey once, but you can edit your responses until the survey is closed on November 11th.

If you have any questions about the survey, please email the industry chair, Mr. Brian Scarpelli at BScarpelli@actonline.org.

“I’ve been able to make the same prediction about cyber security ever since I started in it in 1995. Back then, I could have sat before you and said, ‘next year, things will be worse.’ That is true every year until now.”

IACD Automate recently hosted Integrated Cyber May 2019 where GCA’s President and CEO, Phil Reitinger, was a keynote speaker. He opened up his session with the quote above, and he believes cyber security will continue to worsen because our strategy is not working. “We do not have an approach that addresses the challenges of the internet,” he tells the audience.

Reitinger believes there are two interrelated problems that are causing these cyber difficulties: scale and complexity.

Watch the full keynote below to see all that our CEO has to say on cyber security, scale and complexity.


Cybersecurity Tech Accord joins with the Global Cyber Alliance to promote DMARC to prevent Business Email Compromise

Washington, DC – Today, some of the world’s best-known tech companies committed to support enhanced defensive measures to prevent email-borne attacks targeting their employees, customers, and trading partners.

The Cybersecurity Tech Accord – and its 60+ global companies – have partnered with the Global Cyber Alliance (GCA) to promote the wide-scale use of Domain-based Message Authentication, Reporting & Conformance (DMARC), a solution that prevents email scammers and criminals from “spoofing” legitimate email domains. Based on newly released research from GCA, an organization that deploys DMARC could expect to see up to a 35X ROI.

“The support from the tech community is critically important to the advancement of DMARC and improvement of email security,” said Global Cyber Alliance CEO and President, Philip Reitinger. “The Cybersecurity Tech Accord support comes on the one-year anniversary of the Homeland Security Directive that moved federal agencies to implement DMARC at the highest level. The federal government has been aggressively deploying DMARC, and it is wonderful to see major companies drive adoption as well.”

Following through on their promise to protect users and customers from evolving cyber threats, the Cybersecurity Tech Accord signatories will support GCA in promoting the adoption of the DMARC protocol on a broad scale.

“The Cybersecurity Tech Accord believes that it is vital for DMARC adoption to accelerate across sectors with businesses and governments taking a decisive step to enhance email security. Failing to address this issue exposes internet users everywhere to cyberattacks and the internet more broadly to systemic cybersecurity challenges,” said James Livingston, Vice-President of Sales and Business Development at WISeKey, a Cybersecurity Tech Accord signatory. “That is why we are committed as a group to advancing our email security policies and the adoption of techniques such as DMARC, and we encourage other businesses to do the same with the objective to have a more secure internet ecosystem.”

DMARC’s power in reducing Business Email Compromise (BEC), and providing return on investment (ROI) to companies that deploy it, is demonstrated by new research from GCA.  For the past two years, GCA has focused on the risk of phishing and strongly supported DMARC adoption to empower public and private organizations to defend against malicious emails.  Tens of thousands of domains have been evaluated using the GCA’s tools.

New GCA research shows the 1,046 domains that have successfully activated strong protection with GCA’s DMARC tools will save an estimated $19 million to $66 million by limiting BEC in 2018 alone. These organizations will continue to reap that reward every year in which they maintain the deployment of DMARC. Additional savings over time will be realized so long as DMARC is deployed. If these 1,046 domains maintain DMARC for 10 years, the cumulative savings is likely to exceed $100 million. (This also assumes that none of the other 19,000 domains that have been tested with the GCA tools will complete a migration and that the cost of BEC will remain stable.)

For a small business or organization that is only managing a handful of domains, the cost of setting up and maintaining DMARC can be very low. Some monthly services range from approximately $20 to $200. Based on the GCA report (which looks at only one impact of one type of potential threat prevented by DMARC), a single domain could realize up to a 35X return on investment from use of DMARC. In addition, this research is just a snapshot of the potential return on investment of DMARC, as the number of domains used in this research is relatively small and the research concerns only a single type of threat. DMARC protects against other types of threats delivered by phishing which were not evaluated in this report. Finally, the more domains that implement DMARC, the easier it is for receivers to be strict, and the greater the cumulative return on investment for everyone.

The Cybersecurity Tech Accord’s commitment comes as the threats from email scams are on the rise. According to data from ValiMail, approximately 6.4 billion fake emails were sent worldwide each day in 2018 – most coming from the United States, with healthcare and government being the most impacted sectors.[1] Research from Agari shows that 96% of the business organizations analyzed had experienced a BEC attack in the last six months, and the average business experienced 45 attacks from June – December 2017.[2]

Businesses are struggling to combat BEC scams. The FBI’s Internet Complaint Center, or IC3, estimated in July that BEC scams have accounted for $12.5 billion[3] in losses around the world over the last five years, including $2.9 billion of BEC-related losses here in the US. The deployment of DMARC can significantly reduce an organization’s vulnerability to BEC, as DMARC prevents direct domain spoofing, one of the most difficult-to-detect forms of phishing and a powerful tool for BEC.

The GCA implementation guide has helped many businesses create a DMARC policy to protect their brand. DMARC returns significant value. Several governments are now moving to DMARC, and the private sector is strongly supporting deployment of DMARC.  All organizations should make the move to DMARC.


DMARC is an email authentication policy and reporting protocol that helps prevent impersonation attacks via email. It is free and already included on popular email services such as Outlook. However, use of DMARC by government, the private sector and other organizations operating their own email is low, which puts their emails to other businesses and consumers in the crosshairs of threat actors.

DMARC is the first and the only widely deployed technology that helps protect both customers and domain owners. DMARC is a powerful tool that helps protect against phishing attacks, which are the entry weapon of choice for many cyber criminals. DMARC allows:

Domain owners to

  • Signal that they are using email authentication (SPF, DKIM)
  • Provide an email address to gather feedback about messages using their domain – legitimate or not
  • Apply a policy to messages that fail authentication (report, quarantine, reject)

Email receivers to

  • Be certain a given sending domain is using email authentication
  • Consistently evaluate SPF and DKIM along with what the end user sees in their inbox
  • Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks
  • Provide the domain owner with feedback about messages using their domain
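The domain-owner signals listed above are published as a DNS TXT record at `_dmarc.<domain>`. The following added example (not GCA's tooling or code from the original page) parses such a record and reports the policy level, where the page's "report" setting corresponds to the tag value `p=none`. The record strings and `example.com` addresses are constructed samples, and validation is simplified.

```python
# Added example: classify DMARC TXT records by enforcement level.
# Record strings passed in are constructed samples; no DNS lookups are made.

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or return None if invalid."""
    tags, first = {}, None
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        key = key.strip().lower()
        first = first or key
        tags[key] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    # Simplification (assumption): a missing or unknown p is treated as invalid.
    if tags.get("p", "").lower() not in POLICY_RANK:
        return None
    return tags

def assess(txt):
    """Summarise what a record tells receivers and what the owner gets back."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return {"level": "no-dmarc", "enforcing": False,
                "reports_to": [], "notes": ["no valid DMARC record"]}
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    sp = tags.get("sp", policy).lower()  # subdomains inherit p when sp is absent
    notes = []
    if policy == "none":
        notes.append("monitoring only: mail failing authentication is still delivered")
    elif pct < 100:
        notes.append(f"policy applied to only {pct}% of failing mail")
    if not rua:
        notes.append("no rua address: owner receives no aggregate feedback")
    if POLICY_RANK.get(sp, 0) < POLICY_RANK[policy]:
        notes.append("subdomain policy is weaker than the domain policy")
    return {"level": policy, "enforcing": POLICY_RANK[policy] > 0,
            "reports_to": rua, "notes": notes}

if __name__ == "__main__":
    for rec in ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:a@example.com",
                "v=DMARC1; p=none", "v=spf1 -all"]:
        print(rec, "->", assess(rec))
```
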

About the Cybersecurity Tech Accord

The Cybersecurity Tech Accord is a public commitment among more than 60 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.

About the Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect.  Learn more at www.globalcyberalliance.org.


[1] https://www.valimail.com/blog/6.4-billion-fake-emails-every-day/

[2] https://www.agari.com/business-email-compromise-report/

[3] https://www.ic3.gov/media/2018/180712.aspx

Our CEO, Philip Reitinger, discusses how US federal agencies’ progress on DMARC deserves praise.

“Based on the most recent numbers from DHS, reported by FCW, federal agencies will come close to making the Department of Homeland Security’s deadline to implement Domain-Based Message Authentication, Reporting and Conformance tools, or DMARC.”


Fed Gov 90 Days to DMARC

The Global Cyber Alliance Provides Free Tools for Agencies to Meet U.S. Department of Homeland Security Deadline

WASHINGTON, D.C., July 16, 2018 – U.S. federal government agencies have less than 90 days to meet a U.S. Department of Homeland Security (DHS) Binding Operational Directive (BOD) focused on bolstering email and website security for all federal agencies that operate .gov email and website domains. The federal government has made good progress toward fulfilling the directive, with 74% of the domains tested having implemented a DMARC policy; however, less than half of the domains (47%) are at the highest policy level of “reject” – the setting that prevents spoofed email from being delivered to people. Agencies have three more months to meet the requirements of the directive.

By October 16, 2018, all agencies are required to deploy the email security protocol DMARC (Domain-based Message Authentication, Reporting & Conformance) at the policy level of “reject” to prevent spammers and phishers from using an organization’s name to conduct cyberattacks.

Since the BOD was issued on October 16, 2017, GCA research has found that more than 600 agency email domains have moved to the most secure “reject” setting for DMARC. In total, 605 domains are set to “reject” and 26 are set at the second-highest security level, “quarantine”. However, half of all federal government email domains (319) have only deployed DMARC at its least secure setting or have not deployed DMARC at all (334).

“DHS has shown tremendous leadership in requiring the deployment of advanced email and web security tools that will protect consumers, government workers and our nation’s critical infrastructure,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “Even with difficulties, agencies should at least have implemented DMARC at its most simple level. It takes little time, does not risk disruption of service, and provides insight on operations and threats.”

GCA has helped organizations implement DMARC with a collection of free resources that include the GCA DMARC Setup Guide, instructional videos, and webinars. Agencies can take advantage of these resources online at www.dmarc.globalcyberalliance.org.

DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of any person with an email address.  According to the 2018 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.

Without DMARC protection, hackers can create emails that appear to be from a trusted source but instead contain malicious links or ask for additional personal information that could be provided by unsuspecting consumers.




Anti-Phishing and Web Surfing Security Tools Deployed Across More Than 200 Countries

London, June 6, 2018 – The Global Cyber Alliance (GCA) announced today several key milestones in its continuing mission to eradicate cyber risk through concrete actions.

The successful Quad9 DNS security service, which protects users from accessing known malicious websites, has grown more than 35-fold since its launch in November 2017, now reaching more than 120 countries and blocking up to 360 million connections to malicious and compromised websites in the past six months.

In addition, more than 22,000 organizations in 166 countries have used the GCA Domain-based Message Authentication, Reporting & Conformance (DMARC) Setup Guide to check their email domain’s phishing security and spoofing security. Nearly 5,000 organizations have deployed DMARC to protect their employees, partners and customers from being tricked by scammers trying to hijack their web domain to steal personal or financial information.

The announcements came following a meeting of GCA’s Strategic Advisory Committee, which comprises executives from more than 40 organizations spanning the finance, health, telecommunications, education, insurance, cybersecurity, technology, and media sectors, as well as government and law enforcement officials from Canada, France, the United Kingdom, and the United States.

“GCA was formed to take collective action to reduce and eradicate cyber risks, and we do this by uniting global communities, implementing concrete solutions, and measuring the effects,” said GCA president and CEO, Phil Reitinger. “We are passionate about helping users access affordable and automatic security solutions, and our progress over the past six months, in collaboration with many dedicated individuals and organizations, inspires us to keep moving forward and tackling new challenges.”

6 months of Quad9

The Quad9 DNS security service, which GCA conceptualized and built with IBM and Packet Clearing House, has scaled quickly since its launch six months ago. The service incorporates multiple threat intelligence feeds and blocks up to two million domain lookups each day, preventing users from connecting to a malicious website. More than a dozen cities were recently added to the service’s network of servers, including Bangkok, Thailand; Vilnius, Lithuania; Colombo, Sri Lanka; Siegerland, Germany; Posadas, Argentina; Luanda, Angola; Kiev, Ukraine; Kuala Lumpur, Malaysia; Enfidha, Tunisia; Harare, Zimbabwe; Lyon, France; and Tallinn, Estonia.

“We selected these regions because our deployment model is specifically designed to push our DNS services out to the very edges of the world in places where most other systems will not or cannot deliver excellent service,” said John Todd, Quad9 executive director. “Everyone should be able to enjoy a base level of security, privacy, and performance on the Internet regardless of location or economic circumstances. The focus as we grow our network footprint is to be in every country and every city in which we can deploy our service, regardless of economic weight, population density, or pre-existing network infrastructure.”

DMARC and Email Security

DMARC (Domain-based Message Authentication, Reporting & Conformance) was developed as a collaborative effort to combat fraudulent email by authenticating the sender of an email. GCA created a Setup Guide that enables world-wide adoption of DMARC, an email authentication standard that helps users protect their email domains from spoofers, spammers and phishing attacks.

The guide has been translated into 17 languages and has been used by more than 13,500 organizations in the past six months. In 2016, the U.K. government mandated that all U.K. government domains enable DMARC. The U.S. government followed suit in late 2017 with the issuance of Binding Operational Directive 18-01, requiring all U.S. federal civilian domains to enable DMARC.
