Technology Industry Sets Sights on Bolstering Email Security

October 16, 2018

Cybersecurity Tech Accord joins with the Global Cyber Alliance to promote DMARC to prevent Business Email Compromise


Washington, DC – Today, some of the world’s best-known tech companies committed to support enhanced defensive measures to prevent email-borne attacks targeting their employees, customers, and trading partners.

The Cybersecurity Tech Accord – and its 60+ global companies – have partnered with the Global Cyber Alliance (GCA) to promote the wide-scale use of Domain-based Message Authentication, Reporting & Conformance (DMARC), a solution that prevents email scammers and criminals from “spoofing” legitimate email domains. Based on newly released research from GCA, an organization that deploys DMARC could expect to see up to a 35X ROI.

“The support from the tech community is critically important to the advancement of DMARC and improvement of email security,” said Global Cyber Alliance CEO and President, Philip Reitinger. “The Cybersecurity Tech Accord support comes on the one-year anniversary of the Homeland Security Directive that moved federal agencies to implement DMARC at the highest level. The federal government has been aggressively deploying DMARC, and it is wonderful to see major companies drive adoption as well.”

Following through on their promise to protect users and customers from evolving cyber threats, the Cybersecurity Tech Accord signatories will support GCA in promoting the adoption of the DMARC protocol on a broad scale.

“The Cybersecurity Tech Accord believes that it is vital for DMARC adoption to accelerate across sectors with businesses and governments taking a decisive step to enhance email security. Failing to address this issue exposes internet users everywhere to cyberattacks and the internet more broadly to systemic cybersecurity challenges,” said James Livingston, Vice-President of Sales and Business Development at WISeKey, a Cybersecurity Tech Accord signatory. “That is why we are committed as a group to advancing our email security policies and the adoption of techniques such as DMARC, and we encourage other businesses to do the same with the objective to have a more secure internet ecosystem.”

DMARC’s power in reducing Business Email Compromise (BEC), and providing return on investment (ROI) to companies that deploy it, is demonstrated by new research from GCA.  For the past two years, GCA has focused on the risk of phishing and strongly supported DMARC adoption to empower public and private organizations to defend against malicious emails.  Tens of thousands of domains have been evaluated using the GCA’s tools.

New GCA research shows the 1,046 domains that have successfully activated strong protection with GCA’s DMARC tools will save an estimated $19 million to $66 million from limiting BEC for the year of 2018 alone. These organizations will continue to reap that reward every year in which they maintain the deployment of DMARC. Additional savings over time will be realized so long as DMARC is deployed. If these 1,046 domains maintain DMARC for 10 years, the cumulative savings are likely to exceed $100 million. (This also assumes that none of the other 19,000 domains that have been tested with the GCA tools will complete a migration and that the cost of BEC will remain stable.)

For a small business or organization that is only managing a handful of domains, the cost of setting up and maintaining DMARC can be very low. Some monthly services range from approximately $20 – $200. Based on the GCA report (which looks at only one impact of one type of potential threat prevented by DMARC), a single domain could realize up to a 35X return on investment from use of DMARC. In addition, this research is just a snapshot of the potential return on investment of DMARC, as the number of domains used in this research is relatively small and the research concerns only a single type of threat. DMARC protects against other types of threats delivered by phishing which were not evaluated in this report. Finally, the more domains that implement DMARC, the easier it is for receivers to be strict, and the greater the cumulative return on investment for everyone.

The Cybersecurity Tech Accord’s commitment comes as the threats from email scams are on the rise. According to data from ValiMail, approximately 6.4 billion fake emails were sent worldwide each day in 2018 – most coming from the United States, with healthcare and government being the most impacted sectors.[1] Research from Agari shows that 96% of the business organizations analyzed had experienced a BEC attack in the last six months, and the average business experienced 45 attacks from June – December 2017.[2]

Businesses are struggling to combat BEC scams. The FBI’s Internet Complaint Center, or IC3, estimated in July that BEC scams have accounted for $12.5 billion[3] in losses around the world over the last five years, including $2.9 billion of BEC-related losses here in the US. The deployment of DMARC can significantly reduce an organization’s vulnerability to BEC, as DMARC prevents direct domain spoofing, one of the most difficult-to-detect forms of phishing and a powerful tool for BEC.

The GCA implementation guide has helped many businesses create a DMARC policy to protect their brand. DMARC returns significant value. Several governments are now moving to DMARC, and the private sector is strongly supporting deployment of DMARC.  All organizations should make the move to DMARC.

About DMARC

DMARC is an email authentication policy and reporting protocol that helps prevent impersonation attacks via email. It is free and already included on popular email services such as Outlook. However, use of DMARC by government, the private sector and other organizations operating their own email is low, which puts their emails to other businesses and consumers in the crosshairs of threat actors.

DMARC is the first and the only widely deployed technology that helps protect both customers and domain owners. DMARC is a powerful tool that helps protect against phishing attacks, which are the entry weapon of choice for many cyber criminals. DMARC allows:

Domain owners to

  • Signal that they are using email authentication (SPF, DKIM)
  • Provide an email address to gather feedback about messages using their domain – legitimate or not
  • Apply a policy to messages that fail authentication (report, quarantine, reject)

Email receivers to

  • Be certain a given sending domain is using email authentication
  • Consistently evaluate SPF and DKIM along with what the end user sees in their inbox
  • Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks
  • Provide the domain owner with feedback about messages using their domain

About the Cybersecurity Tech Accord

The Cybersecurity Tech Accord is a public commitment among more than 60 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.

About the Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect.  Learn more at www.globalcyberalliance.org.

 


[1] https://www.valimail.com/blog/6.4-billion-fake-emails-every-day/

[2] https://www.agari.com/business-email-compromise-report/

[3] https://www.ic3.gov/media/2018/180712.aspx