email authentication


By Renée McLaughlin


We are very pleased to announce that the GCA DMARC setup guide is now available in Spanish to facilitate broader DMARC adoption around the world. This is the first of several translations the tool will undergo in the coming months. The setup guide will soon be available in French, German, Arabic, Japanese and Mandarin.

As always, we welcome feedback on the setup guide and its translation to improve the tool's effectiveness and your experience. All feedback can be sent to gca-dmarc@globalcyberalliance.org.

 

The author, Renée McLaughlin, is the Director of Digital Media and Editorial at the Global Cyber Alliance. You can follow her on Twitter @RNMc3.

By Mary Kavaney


Last week, alarming statistics were published on the lack of DMARC implementation in the financial sector. While the top 5 banks in the United States have implemented DMARC to protect their organizations and customers, the rest of the research results were not so good. Out of the top 50 banks in the U.S., only 11 use DMARC; out of the top 50 European banks, only 9 utilize the benefits of DMARC; and of the top 50 independent banks in the U.S., none use DMARC!

I have listened to the reasons why organizations have not implemented DMARC: it will prevent valid email from getting through; it’s too complicated and will take too long; they don’t have enough resources. I know; I know all the challenges…but they can be overcome! In the meantime, all sectors are getting hammered, especially finance. In fact, the FS-ISAC feels so strongly about the importance of implementing DMARC, they issued a letter to their membership encouraging its adoption. It will be interesting to see who is really paying attention and willing to follow the lead of their fellow financial services colleagues.

Despite millions of dollars being spent in security and hundreds of thousands of hours by dedicated IT people, the bad guys are still winning, and the battle is being lost. At the FS-ISAC conference last week in Singapore, Ken Chau, Deputy Director for the Monetary Association of Singapore, said 90 percent of the banks in the APAC region experienced a cyber attack in 2016.

Christian Karam, Director of Cyber Threat Intelligence at UBS in Singapore, said at the conference that when he went to UBS, there was such a complicated security apparatus, he decided to take a novel approach and shut down all the feeds and start over.

Wow. Start over.

Depending on the size and complexity of the organization, DMARC can be a time-consuming investment, but perhaps instead of adding to the security queue, we must seriously consider starting over.

Isn’t it time to do things differently? GCA is a huge proponent of DMARC and took on the task of increasing global implementation as its first project. We have partners and resources, and a free tool that can get you started or take you through the whole process. You can learn more at: https://dmarc.globalcyberalliance.org/index.html.

It’s time to rethink, start over, and do things differently.

 

The author, Mary Kavaney, is the Chief Administrative Officer at the Global Cyber Alliance.

This week, the Global Cyber Alliance published its inaugural newsletter featuring everything from our free monthly DMARC Webinars and other DMARC implementation resources and tools, to our latest research on DMARC adoption in the financial sector, to an update on our DNS Infrastructure pilot, to insights from our leadership and community members. We look forward to sharing more resources, information and insights in the months to come.

Please be sure to take a peek by clicking the link below, and tell us what you think. Oh, and of course, please feel free to share!

GCA April 2017 Newsletter

GCA Press Release

NEW YORK, April 3, 2017 – Trust, from both customers and investors, is the most important currency for financial services companies. A breach of trust can break a bank, while maintaining trust leads to long-term success. At its core, financial services customers expect their banking institutions to protect their money and their information. And it starts with the most basic of 21st century communications – email.

So how are the globe’s leading financial institutions doing?

The good news is that the five largest banks in the U.S. are deploying the Domain-based Message Authentication, Reporting & Conformance (DMARC) email security protocol to prevent their brands from being hijacked and protect consumers from data theft, according to a new study from the Global Cyber Alliance (GCA).

However, there is still much more work to be done.

Only 11 of the top 50 U.S. banks and just 9 of the 50 largest European banks have deployed DMARC to block spoofed emails or have them marked as spam.  Further, NONE of the 50 fastest growing independent banks in the U.S. use DMARC at all. An additional 22 banks out of the top 50 in the U.S. and 10 out of the top 50 in Europe have not fully deployed DMARC, preventing those organizations from gaining the benefits of DMARC. Reasons for this can vary, including that a bank is only beginning the process of DMARC implementation.

“We have tested and used DMARC in monitoring mode and are moving into “reject” mode to protect the more than 60 million emails we distribute monthly,” said Troels Oerting, Group Chief Security Officer, Group CISO for Barclays Plc. “We need more companies to deploy DMARC to strengthen the ecosystem.  I call on my peers across the financial sector and other industries to implement DMARC as part of email security and anti-phishing efforts.”

Banks that deploy DMARC can stop spammers and phishers from using an organization’s name to trick unsuspecting customers and conduct cyber attacks. DMARC provides insight into any attempts to spam, phish or spear-phish using an organization’s brand or name. DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 2.5 billion email inboxes worldwide.

“At U.S. Bank, we work to earn the trust of customers every day,” said Jenny Menna, Senior Vice President and Cybersecurity Partnership Executive at U.S. Bank. “U.S. Bank utilizes DMARC, and I always recommend that our clients consider implementing DMARC to protect their brand and their clients.”

“DMARC is a critical protection against spear-phishing emails and other email-borne phishing attacks,” said Freddy Dezeure, head of the Computer Emergency Response Team for the European Union (CERT-EU). “We strongly recommend that every organization implement it to protect their businesses, employees and customers.”

“DMARC prevents the hijacking of a company’s brand, protecting its reputation and its relationships with customers and investors,” said Philip Reitinger, President and CEO of GCA. “DMARC is proven, and it is free. Deployment is quite simple for many small and medium-size organizations, and reasonable for large organizations especially given the significant return on investment. If a customer can’t trust your email correspondence, they will be looking elsewhere rather quickly.”

GCA now offers a DMARC Setup Guide that will take network security professionals step-by-step through the entire DMARC installation process at https://dmarc.globalcyberalliance.org.

 

About The Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.

GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.

GCA Press Release

Expansion of DMARC Critical to Reducing Spread of Malicious Emails


SAN FRANCISCO, February 14, 2017 – There is a fix that can prevent a great number of email-borne attacks on consumers and businesses. Unfortunately, the vast majority of public and private organizations globally, including leading cyber security companies, have not deployed DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent spammers and phishers from using an organization’s name to conduct cyber attacks, according to new research from the Global Cyber Alliance (GCA).

DMARC provides insight into any attempts to spam, phish or spear-phish using an organization’s brand or name. DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 2.5 billion email inboxes worldwide. However, DMARC adoption rates among enterprises and government remain low.

The UK Government’s guidance for government agencies directs them to implement DMARC[i] but as of December 2016 only five percent of UK public sector domains[ii] had done so. A mere 16 percent of the healthcare sector has adopted DMARC.

The latest research from GCA, an international cross-sector organization dedicated to confronting systemic cyber risk, finds that adoption remains low in the cyber security industry as well.

Only 15 percent of the 587 email domains (that were scanned) for companies exhibiting at the RSA Conference — one of the world’s largest gatherings of cyber security experts — use DMARC. Of the 90 RSA exhibiting organizations that do use DMARC, more than 66 percent use the DMARC policy of “none,” which only monitors for email domains, greatly reducing the effectiveness of DMARC.

It is time for the cyber security industry to lead the charge and push for DMARC use across the globe. GCA strongly advocates that organizations implement DMARC and has developed a free DMARC Setup Guide to make DMARC implementation easier (https://dmarc.globalcyberalliance.org/).

The value of correctly implementing DMARC is clear, as studies[iii] have shown that organizations that use DMARC correctly receive just 23 percent of the email threats received by those that do not use DMARC.

“As world leaders in cybersecurity, we can do better. DMARC protects brands and preserves consumer confidence.  While no security effort is cost-free, clear guidance and tools, such as the GCA DMARC Setup Guide, make DMARC implementation practical, and the benefits are considerable. DMARC is one of the cyber security protocols that can broadly reduce risk, and the more it is implemented, the more protection it offers for everyone,” said Philip Reitinger, President and CEO of GCA. “I’m placing a stake in the ground and calling on the cyber security industry to lead the adoption of DMARC, with a goal that 50 percent of the companies that exhibit at the 2018 RSA Conference implement DMARC prior to the conference, and that 90 percent implement prior to the 2019 RSA Conference. Working together the cyber security industry can be a role model and make a difference.”

 

About The Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. While most efforts at addressing cyber risk have been industry, sector, or geographically specific, GCA partners across borders and sectors. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.

GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.


[i] https://www.gov.uk/guidance/set-up-government-email-services-securely

[ii] https://www.ncsc.gov.uk/blog-post/making-email-mean-something-again

[iii] https://www.helpnetsecurity.com/2017/02/01/phishing-display-name-spoofs/