Fortune 500 and FTSE 100 Firms Failing on DMARC

Over 90% of the top firms listed in the US, UK and Australia are exposing their customers and partners to phishing and other email-borne threats because they’ve yet to fully adopt the DMARC standard, according to new research.

Security vendor Agari analyzed public DNS records linked to companies on the Fortune 500, FTSE 100 and ASX 100 and found a similar pattern.

Over two-thirds (67%) of Fortune 500 and FTSE 100 firms and nearly three-quarters (73%) of ASX 100 companies have not published any DMARC policy.

Around a quarter in each region have adopted only a minimal DMARC policy that monitors, but doesn’t prevent, domain name spoofing, the report found.

According to the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, the next step up from this minimal monitoring policy is “quarantine”, where unauthenticated messages are automatically moved into the spam folder.

However, this was even less common among Fortune 500 (3%), FTSE 100 (1%) and ASX 100 (1%) firms.

Just 5% of Fortune 500, 6% of FTSE 100 and 3% of ASX 100 companies went for the strongest policy, which blocks any unauthenticated messages completely, according to Agari.
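The four buckets the survey sorts domains into (no record, monitor only, quarantine, reject) can be derived mechanically from the DMARC TXT record published at `_dmarc.<domain>`. The following Python is an added example, not code from the article or from Agari; it assumes you have already fetched each record (for instance with `dig TXT _dmarc.example.com`) and classifies the text, treating a missing or malformed record as no policy and a `pct=0` record as effectively monitor-only. The domains and records in `SAMPLE_RECORDS` are constructed placeholders.

```python
NO_POLICY = "no DMARC policy"
MONITOR = "monitor only"
QUARANTINE = "quarantine"
REJECT = "reject"

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; return None unless it carries
    v=DMARC1 and a p= tag, which RFC 7489 requires of a valid record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(txt):
    """Map one record to the survey's four buckets."""
    tags = parse_dmarc(txt)
    if tags is None:
        return NO_POLICY  # missing, malformed, or not a DMARC record at all
    # pct=0 asks receivers to enforce on none of the failing mail, so a
    # nominal quarantine/reject is still only monitoring in practice.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) == 0:
        return MONITOR
    buckets = {"none": MONITOR, "quarantine": QUARANTINE, "reject": REJECT}
    return buckets.get(tags["p"].lower(), NO_POLICY)

def audit(records):
    """Count buckets over a {domain: record_text_or_None} mapping."""
    counts = {NO_POLICY: 0, MONITOR: 0, QUARANTINE: 0, REJECT: 0}
    for txt in records.values():
        counts[classify(txt)] += 1
    return counts

SAMPLE_RECORDS = {  # constructed sample; None means no _dmarc TXT record
    "a.test": None,
    "b.test": "v=DMARC1; p=none; rua=mailto:dmarc@b.test",
    "c.test": "v=DMARC1; p=quarantine; pct=100",
    "d.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "e.test": "v=DMARC1; p=reject; pct=0",
    "f.test": "v=spf1 include:_spf.f.test -all",
}
```

Running `audit(SAMPLE_RECORDS)` on the constructed set yields two domains with no policy (the missing record and the SPF record published at the wrong name), two monitor-only, one quarantine and one reject.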

It’s notable that UK firms with a large consumer customer base are the most likely to adopt DMARC.

For example, adoption in pharmaceuticals and finance is 100%, although many are still in “monitor” mode, Agari claimed.

“DMARC is an essential tool that helps prevent spam, phishing and data loss,” said Shehzad Mirza, director of operations at the non-profit Global Cyber Alliance. “GCA urges organizations of all sizes to embrace this technology standard to eliminate direct domain spoofing.”

Despite poor take-up in the private sector, DMARC received a boost last September when the UK government mandated that its “Reject” policy be the default for all government emails from October.

The HMRC is one of the most phished organizations in the UK, as it handles tax returns and other highly sensitive data.

Source: Information Security Magazine