Cybersecurity vendors lag badly on DMARC email security, survey shows
Only 1 in 4 of the cybersecurity companies exhibiting at the celebrated Black Hat conference this week have implemented a set of best practices to prevent email spoofing and phishing, according to figures from the nonprofit Global Cyber Alliance.
In a release Wednesday, GCA said that 73 percent of the 268 exhibitors had not deployed Domain-based Message Authentication, Reporting and Conformance, or DMARC — a set of email protocols that prevents spammers, phishers and other cybercriminals from using an organization’s name and email domain to conduct hacking attacks.
Of the 72 exhibitors using DMARC, only six — just 2 percent — have fully deployed it so that it stops spoofed email from being delivered. Lower-level implementations of DMARC warn an organization that its email domain is being spoofed — and can help spoofed mail get blocked by spam filters — but don’t prevent it from being delivered.
“A lot of [security vendors] clearly are not eating their own dog food,” Global Cyber Alliance CTO Andre Ludwig told CyberScoop, referencing an old IT industry saying about the value of a company using its own products.
This is a problem because of the “herd immunity” aspects of DMARC — spoofed email is only blocked if both sender and receiver have it implemented. Most major free email providers use DMARC, so 85 percent of consumer email inboxes in the U.S. and more than 2.5 billion email inboxes worldwide have it running.
The implementation is visible to those outside the organization, and a selection of scanning tools is available to check whether a domain has the protocol deployed.
Nonetheless, Ludwig said, GCA had decided not to name names.
“The cyber industry should lead in deployment of solutions. We need to do more than talk the talk; we have to walk the walk,” added CEO Philip Reitinger. “DMARC works. It reinforces trusted relationships with partners, customers and employees. Collectively, we must focus on implementing solutions. If we lead the way, we know others will follow.”
A recent study showed that organizations that employ DMARC receive just 23 percent of the email threats received by those that don’t use it. Nonetheless, adoption rates among enterprises and government agencies remain low.
Last week, Sen. Ron Wyden, D-Ore., implored the Department of Homeland Security to mandate the government-wide use of DMARC “to ensure that hackers cannot send emails that impersonate federal agencies.” Last year, the British government directed all its agencies to deploy DMARC.
Black Hat exhibitors are not alone. Only 15 percent of the 587 email domains GCA checked for companies exhibiting at February’s RSA Conference — one of the world’s largest gatherings of cybersecurity experts — use DMARC. Of the 111 RSA exhibiting organizations that do use DMARC, more than 70 percent use the lowest-level implementation, which only monitors for malicious email, but doesn’t stop it.
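The deployment levels described above can be read straight from the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from GCA or this article: it classifies a record by its `p` and `pct` tags (tag names from RFC 7489) and tallies the results. The level labels, the function names and the sample domains and records are assumptions constructed for illustration.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement_level(txt_records):
    """Map the TXT answers for _dmarc.<domain> to a deployment level."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        return "no-dmarc"        # none, or several: no policy is applied
    tags = records[0]
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                # assumption: treat a malformed pct as the default
    if policy == "reject":
        return "enforced" if pct >= 100 else "partial"
    if policy == "quarantine":
        return "partial"         # failing mail is sent to spam, not refused
    if policy == "none":
        return "monitor-only"    # reports only; spoofed mail is still delivered
    return "invalid-policy"

def survey(txt_by_domain):
    """Count domains per level, the kind of tally the GCA figures report."""
    return Counter(enforcement_level(txts) for txts in txt_by_domain.values())

# Constructed TXT answers for hypothetical domains (not real survey data).
SAMPLES = {
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "ramp.example": ["v=DMARC1; p=reject; pct=25"],
    "spam.example": ["v=DMARC1; p=quarantine;"],
    "watch.example": ['"v=DMARC1; p=none; rua=mailto:dmarc@watch.example"'],
    "absent.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    print(dict(survey(SAMPLES)))
```

In practice the `txt_records` list would come from a DNS TXT lookup of `_dmarc.<domain>`; the lookup is left out so the example runs offline.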