New research from cloud data intelligence company OnDMARC has found that the vast majority of local government bodies in the South East region – including the Isle of Wight Council – are failing to adequately protect their constituents from email fraud originating from government email accounts.
Phishing is one of the most common forms of cyber threat, accounting for 67% of malware attacks on organisations in Q2 2017. Public sector bodies are particularly vulnerable to email impersonation given the nature of their public-facing outreach, and were recently advised by GCHQ’s information security arm, the National Cyber Security Centre (NCSC), about the importance of securing their email domains.
However, OnDMARC’s analysis showed that major local authorities in the South East region still lack proper email authentication measures, putting them at risk of major phishing attacks.
NCSC announced new local authority security guidelines in 2016, recommending that authorities implement the email authentication protocol DMARC (Domain-based Message Authentication, Reporting and Conformance), which is globally acknowledged as the only way to guarantee the legitimacy of email ‘from’ addresses. Without DMARC in place, there is no way for the recipient of an email that claims to come from one of these local government domains to be sure the sender is legitimate.
Following a thorough examination of the unitary authorities, county and district councils across the South East region, OnDMARC found that only 4 in 19 domains had implemented DMARC, with none of the authorities currently set to block email spoofing entirely.
Randal Pinto, COO and co-founder of OnDMARC, said:
“DMARC is UK Government-backed and seen as a necessity in securing email systems against spoofing, so it’s alarming to see how many local authorities – including those of Portsmouth, Oxfordshire and Reading – may be inadvertently exposing their citizens to the threat of email fraudsters by failing to heed these cybersecurity guidelines.
“DMARC was designed by IT industry heavyweights together in a bid to eradicate email fraud and better protect users, so it’s vital that we educate local authorities in the South East about how to implement it and secure their email domain.”
South East authorities yet to implement DMARC in protection mode:
• Bracknell Forest Borough Council
• East Sussex County Council
• Hampshire County Council
• Isle of Wight Council
• Medway Council
• Milton Keynes Council
• Oxfordshire County Council
• Portsmouth City Council
• Reading Borough Council
• Slough Borough Council
• Southampton City Council
• West Berkshire District Council
• West Sussex County Council
• Royal Borough of Windsor and Maidenhead
• Wokingham Town Council
South East authorities that have implemented DMARC in quarantine protection mode:
• Brighton and Hove City Council
• Buckinghamshire County Council
• Kent County Council
• Surrey County Council
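The survey above sorts each council domain by the state of its DMARC record: no record at all, a record in monitoring mode, a “quarantine” policy, or a “reject” policy that blocks spoofed mail outright. The script below is an added example of how that classification is done, written for this article and not OnDMARC’s own tooling. It uses only the Python standard library and works on constructed sample records under placeholder domains (no real council’s DNS is queried or reproduced); to run it against a live domain you would fetch the TXT record at `_dmarc.<domain>` with your own DNS client and pass the string to `classify_dmarc`.

```python
"""Classify DMARC TXT records into the adoption levels used in the article.

Added example, not OnDMARC's code. Standard library only; the sample records
below are constructed for illustration under placeholder domains.
"""
from typing import Optional

# Constructed sample TXT records (what would sit at _dmarc.<domain>).
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "partial-reject.example": "v=DMARC1; p=reject; pct=25; sp=none",
    "full-reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@full-reject.example",
    "malformed.example": "v=DMARC1 p=reject",  # missing ';' separator, so not a usable record
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Split a DMARC TXT record into tag=value pairs.

    Returns None when there is no record or it is not usable as DMARC:
    wrong or missing 'v' tag, missing or unknown 'p' tag, or a malformed pair.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def classify_dmarc(record: Optional[str]) -> dict:
    """Map one record to the article's levels: no DMARC / monitoring / quarantine / reject."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"level": "no DMARC", "policy": None, "pct": 0,
                "subdomain_policy": None, "blocks_spoofing": False}
    policy = tags["p"].lower()
    # pct defaults to 100; a non-numeric value falls back to the default.
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    # Subdomains inherit p unless a valid sp tag overrides it.
    sp = tags.get("sp", policy).lower()
    if sp not in VALID_POLICIES:
        sp = policy
    if policy == "none":
        level = "monitoring only"
    elif policy == "quarantine":
        level = "quarantine"
    elif pct < 100 or sp != "reject":
        level = "partial reject"   # reject, but not for all mail or not for subdomains
    else:
        level = "reject"
    return {"level": level, "policy": policy, "pct": pct, "subdomain_policy": sp,
            # "blocks spoofing entirely": reject applied to 100% of mail and to subdomains
            "blocks_spoofing": level == "reject"}


def summarise(records: dict) -> dict:
    """Count domains per level, the tally an adoption survey like the one above reports."""
    counts = {}
    for record in records.values():
        level = classify_dmarc(record)["level"]
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24} {classify_dmarc(record)['level']}")
    print(summarise(SAMPLE_RECORDS))
```

Note that a `p=reject` record with `pct` below 100, or with `sp=none`, is reported as “partial reject”: receivers will still let some spoofed mail through, which is why the survey counts only full reject as blocking spoofing entirely.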
“HMRC was able to reduce the threat of phishing by stopping 300 million emails in 2016, and this was simply down to deploying DMARC. It’s high time that cyber defence became a priority at the local council level.”