Research from the Global Cyber Alliance says that only one of the largest federal IT contractors has fully implemented DMARC to protect against email phishing and spoofing.
The Global Cyber Alliance examined 50 of the top IT contractors to the U.S. government and found that only one was using DMARC, the email validation standard, at its highest level.
DMARC weeds out fake emails forged to appear as if sent from a legitimate domain (known as direct domain spoofing), a technique deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.
Last year, DHS mandated that all federal agencies implement DMARC and, according to the GCA, by not following suit, government contractors could be putting federal information at risk.
“Threat actors don’t quit when they see an obstacle; they simply look for another way in. DMARC adds a layer of protection for email, and we applaud DHS’s move to ensure implementation of DMARC for federal agencies,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “Government contractors should also shore up their defenses and adopt DMARC to protect their government and other clients with whom they exchange email. We know that the vast majority of attacks start with a phishing email. DMARC should be an operational standard to reduce risk.”
The research also found that of the 50 contractors, selected as the largest federal contractors by Washington Technology, over half had not implemented DMARC at all. GCA has published three separate lists looking at the implementation of DMARC — the other two examined banks and hospitals — and of the three, government contractors fared worst of all.
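The survey tiers described above (no DMARC at all, partial adoption, "highest level") come down to what a domain publishes in the TXT record at `_dmarc.<domain>`. As an added illustration, not GCA's code or methodology, the following Python parses such a record and classifies it into those tiers; the sample records are constructed, and the tier names are my own.

```python
from typing import Dict, List, Optional

# Enforcement strength of the p= tag; the strictest published policy is p=reject.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc_record(record: str) -> Optional[Dict[str, str]]:
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not
    valid DMARC (RFC 7489: 'v=DMARC1' must be the first tag and 'p' is required)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # a trailing ';' is permitted
        if "=" not in part:
            return None                   # malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1" or tags.get("p", "").lower() not in POLICY_RANK:
        return None
    return tags


def classify_dmarc(txt_records: List[str]) -> str:
    """Classify the TXT records found at _dmarc.<domain> the way an adoption
    survey would: 'not implemented', 'monitor only', 'quarantine' or 'reject'.
    A policy weakened by pct<100 or a laxer sp= is marked '(partial)'."""
    valid = [r for r in (parse_dmarc_record(t) for t in txt_records) if r]
    # RFC 7489 6.6.3: receivers ignore DMARC entirely when more than one record exists
    if len(valid) != 1:
        return "not implemented"
    tags = valid[0]
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor only"             # reports only; spoofed mail still delivered
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    weakened = pct < 100 or POLICY_RANK.get(sub, 0) < POLICY_RANK[policy]
    return f"{policy} (partial)" if weakened else policy


if __name__ == "__main__":
    # Constructed sample records, not real contractor domains.
    samples = {
        "contractor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@contractor-a.example"],
        "contractor-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@contractor-b.example"],
        "contractor-c.example": [],
    }
    for domain, records in samples.items():
        print(f"{domain}: {classify_dmarc(records)}")
```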
“Leaders in the U.S. and U.K. are implementing DMARC because they understand the threat and the impact a well-designed phishing scam could have on a critical agency,” Reitinger said. “The leading U.S. IT contractors should take similar steps to secure the government and citizens.”