With the escalating number of cyber-attacks that we see hitting the headlines on an almost daily basis I was surprised to see some recent analysis from one of our clients, data privacy and risk management company, Egress.
This analysis found that 72% of gov.uk domains don’t follow UK Government Digital Service (GDS) advice which was put together in preparation for the retirement of the Government Secure Intranet (GSi) platform, which enables connected organisations to communicate electronically and securely at low protective marking levels.
Authenticate email messages – Close the door to phishing attacks
Recent Egress analysis showed that, just weeks before the GSi retirement (31st of March), only 28% of gov.uk domains had Domain-based Message Authentication, Reporting and Conformance (DMARC) enabled. This means that at the time of the analysis nearly three quarters were not following the minimum standard the GDS recommends for authenticating email messages.
Egress scanned more than 2,000 email domains to check if public sector organisations have DMARC enabled, and whether they were implementing it in line with the government’s guidance. The findings reveal a lack of preparation from several government email administrators in readying themselves for the domain migration, which in effect leaves domain users open to phishing attacks.
Sensitive data open to cyber-attacks
It’s quite startling to see that not only are there many public sector organisations potentially leaving sensitive data open to a range of cyber-attacks, but that citizen and ‘Official’ level data could potentially be compromised.
DMARC is an email authentication policy designed to detect and prevent email spoofing: the owner of a domain publishes a DNS record stating how receiving mail servers should treat messages that claim to come from that domain but fail authentication checks, and where to send reports about them. Once enabled, it lets recipients better determine whether a given message really came from the domain it claims and tells them what to do if it did not. For the latter case, the domain’s email administrators decide whether such messages should only be monitored, placed in quarantine or rejected.
Worryingly, of the 28% that have DMARC enabled, 53% have the policy set to ‘do nothing’ (monitoring only). With that setting, spoofed messages are reported but never blocked, so email spoofing and Business Email Compromise (BEC) are not prevented, and spam and phishing messages that fail authentication can still land in the recipient’s inbox unless other filtering happens to catch them.
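The check Egress describes, whether a domain publishes DMARC at all and whether its policy actually enforces anything, can be reproduced by reading the TXT record at `_dmarc.<domain>` and classifying its `p=` tag. The script below is an added example, not code from the original article or from Egress; it works offline on constructed sample records for hypothetical domains rather than live gov.uk lookups. It also handles two cases a naive check misses: a domain that publishes more than one DMARC record (which receivers must ignore entirely) and a `p=reject` record with `pct=0`, which is ‘do nothing’ in all but name.

```python
"""Classify DMARC records the way a domain survey would.

Added example, not code from the original article or from Egress.
The domains and records below are constructed sample inputs.
"""


def parse_dmarc(txt):
    """Return the tag/value dict for one DMARC TXT record, or None if it is malformed.

    A DMARC record is a list of "tag=value" pairs separated by semicolons,
    beginning with v=DMARC1 and containing a required p tag (RFC 7489).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return None
    return tags


def classify(records):
    """Classify the TXT answers for _dmarc.<domain>.

    records: list of TXT strings; an empty list means nothing is published.
    Returns 'missing', 'invalid', 'monitor' or 'enforcing'.
    """
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        # Receivers treat multiple DMARC records as if none were published.
        return "invalid"
    tags = parse_dmarc(dmarc[0])
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    # pct=0 means the quarantine/reject policy applies to 0% of failing mail,
    # so it is monitoring only, whatever the p tag says.
    pct = tags.get("pct", "100")
    if policy == "none" or not pct.isdigit() or int(pct) == 0:
        return "monitor"
    return "enforcing"


# Constructed sample survey: hypothetical domains and the TXT records
# a resolver would return for _dmarc.<domain>. Not real lookups.
SAMPLE_SURVEY = {
    "no-record.example": [],
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"],
    "quarantine-partial.example": ["v=DMARC1; p=quarantine; pct=50"],
    "reject-pct0.example": ["v=DMARC1; p=reject; pct=0"],
    "two-records.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "spf-only.example": ["v=spf1 include:_spf.example -all"],
}


def survey(domains):
    """Return {domain: classification} for a mapping of domain -> TXT records."""
    return {domain: classify(records) for domain, records in domains.items()}


def summarise(results):
    """Produce the two headline figures from the article: DMARC enabled, and
    the share of those that are monitoring only."""
    total = len(results)
    enabled = [d for d, c in results.items() if c in ("monitor", "enforcing")]
    monitor = [d for d in enabled if results[d] == "monitor"]
    return {
        "total": total,
        "dmarc_enabled_pct": round(100 * len(enabled) / total),
        "monitor_only_pct_of_enabled": round(100 * len(monitor) / len(enabled)) if enabled else 0,
    }


if __name__ == "__main__":
    results = survey(SAMPLE_SURVEY)
    for domain, verdict in results.items():
        print(f"{domain:30} {verdict}")
    print(summarise(results))
```

To run it against real domains, replace the constructed `SAMPLE_SURVEY` with the TXT answers from your own resolver (for example `dig +short TXT _dmarc.<domain>`); the classification logic does not change. Note that ‘enforcing’ here only means the policy is not `none`; a `pct` below 100 still lets part of the failing mail through.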
Safeguard and update your email security
The GDS recently announced that it has stopped issuing any new .gsi-family domains and updated its email security guidance for government email administrators to follow. This guidance aims to make sure an organisation’s email service is configured and run in a secure way. As a minimum, the GDS recommends using the Transport Layer Security (TLS) protocol to encrypt email in transit, and DMARC to authenticate it.
The advice from the GDS is a great first step in ensuring that government organisations are securely sharing and authenticating email messages. However, TLS only protects a message between mail servers, so they should ensure that whatever product they choose to replace GSi is layered with additional encryption to protect increasingly sensitive data. This is especially important for government organisations sharing data externally, where the security posture of the recipient is unknown.
Disruptive-tech leads global growth
Egress is just one of many C8 clients who focus on developing disruptive technologies that make corporate and public sector organisations safer, more secure and more efficient in today’s rapidly evolving technology environment. To find out more about our clients, our services, and the compelling campaigns that we deliver please contact Michael Bartley – Deputy Managing Director – firstname.lastname@example.org or call 0118 949 7750.