The US Department of Homeland Security (DHS) recently announced a new policy requiring that all federal agencies implement a DMARC policy to protect their email domains. This policy shows that DHS is officially recognizing a known truth in the security industry: email is the number one channel exploited by fraudsters to spread malicious attacks, and the channel must be protected.
A survey in August 2017 showed that only 135 out of 1,315 federal email domains were protected by a DMARC policy. What’s more, fewer than half of those had fully implemented DMARC; the rest remained at the lowest level of implementation, a p=none policy. This means that the majority of federal agencies in the US were either open to, or not fully protected from, the most dangerous forms of fraud, including trojans, business email compromise, ransomware, and more. The new regulation from DHS gives agencies 90 days to deploy a DMARC policy, which will prevent criminals from sending spoofed emails to or within the agencies.
While this is a significant move towards increasing digital protection of government agencies and communications, it is not unprecedented. In September 2016, the UK government issued a similar mandate requiring government agencies to implement the strongest DMARC policy (p=reject) within a short time frame.
The government is taking a big step to recognize the importance of creating policies that protect the confidentiality and privacy of government agencies and the civilians associated with those agencies. Requiring the use of DMARC will help the government to thwart cyber-attackers looking to gain access to sensitive data and use it in ways that can harm government agencies and civilians. This reflects the message that Easy Solutions has consistently put out over the past years – financial institutions and organizations that manage sensitive information must take proactive steps to protect that information from being compromised. A DMARC email authentication policy prevents attackers from infiltrating an organization through its email channels, ensuring that company and user data remains safe. Now that the US government has officially recognized this, I have high hopes that other governments and industries around the world will not be too far behind.
To learn more about DMARC, take a look at our previous blog post on how to successfully implement a DMARC policy.