Over 100 English local councils are contravening government guidelines and exposing users to the risk of email scams by failing to implement the DMARC protocol, new research has found.
Cybersecurity firm OnDMARC appraised 152 local authorities in England and found only 16% had implemented the email authentication system. That leaves a staggering 128 non-compliant.
Compliance was even lower in the East Midlands (11%) and London (15%), while the North East fared slightly better (17%).
This is despite an order from the Cabinet Office last year requiring all services operating under the service.gov.uk domain to adopt DMARC and HTTPS/HSTS by October 1 2016.
This was followed in June this year by guidance from the National Cyber Security Centre (NCSC) which included DMARC as part of “four simple and free measures for government departments to improve basic cyber security.”
It explained the following:
“The most common way of introducing malware into victims’ systems are email spoofing and spear-phishing where emails are tailored to increase the likelihood of the recipient clicking on a malicious link. Through this attackers steal credentials, making identity fraud and theft easier. The NCSC, together with GDS, have been advocating the use of the DMARC protocol which makes email spoofing much harder.”
The NCSC claimed that by the end of March, 613 .gov domains were registered with the service, up 35% on January.
However, OnDMARC’s research proves there’s still some way to go when it comes to local government.
Phishing is an increasingly popular way for attackers to spread malware and harvest log-ins for use in information-stealing attacks.
It was present in a fifth (21%) of attacks in 2016, up from just 8% the previous year, according to the latest Verizon Data Breach Investigations Report.
OnDMARC argued that while the guidance on email security for central government is unequivocal, it’s not so clear for local government.
“It's advisable for all local authorities to implement DMARC to secure themselves against the threat of email spoofing, however we'd also call on the government to clarify its language and adopt a clear position on DMARC implementation,” the firm told Infosecurity.