UK government organisations’ email security lagging

Email security in UK government organisations is lagging far behind that of central government, analysis reveals, with less than a third implementing standard protection

Only 28% of gov.uk domains have been proactive in implementing the domain-based message authentication, reporting and conformance (Dmarc) protocol, a study has revealed.

This finding is in sharp contrast to central government departments, where the majority have implemented Dmarc, according to the National Cyber Security Centre (NCSC).

Dmarc is a key component of the NCSC’s Active Cyber Defence (ACD) initiative, which aims to protect the UK from high-volume commodity attacks.

Once enabled, Dmarc provides an email validation system designed to detect and prevent email spoofing, ensuring that email senders and recipients can better determine whether or not a given message is from a legitimate sender. If an email is from an untrusted source, and Dmarc is fully enabled, administrators can decide whether the email should be placed in quarantine or rejected.

Attackers sending fake emails purporting to be from the government has been one of the biggest problems in UK cyber security, according to the NCSC. But much of it is preventable by adopting the Dmarc protocol because it helps authenticate an organisation’s communications as genuine by blocking emails pretending to be from government.

Dmarc is also an effective tool for preventing domain impersonation attacks, which are the most common and most harmful kind of phishing attacks.

Lack of preparation leaves door open for phishing attacks

The UK Government Digital Service (GDS) issued guidance advising government organisations to implement the Dmarc email authentication and reporting protocol in preparation for the retirement of the Government Secure Intranet (GSI) platform in March 2019.

The GSI has enabled government organisations to communicate securely at low protective levels since 1996, but just weeks before its retirement less than a third of gov.uk domains have enabled Dmarc themselves ahead of the deadline, according to analysis of more than 2,000 email domains by data security company Egress.

This means that nearly three-quarters are not following the minimum standard requirements suggested by GDS to authenticate email messages.

This highlights a lack of preparation by the majority of email administrators at government organisations in readying themselves for the domain migration, which, in effect, leaves domain users open to phishing attacks.

The number of public sector organisations that have not yet set up Dmarc to assure their email network’s ability to withstand phishing attacks is “quite startling”, according to Neil Larkins, chief technology officer at Egress.

“With only weeks left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS,” he said.

Further analysis by Egress revealed that of the 28% of government organisations that have set up Dmarc, 53% have the policy set to “do nothing”. This means email buffering and business email compromise (BEC) cannot be prevented for these domains, and spam and phishing messages go straight into the recipient’s inbox, regardless of whether the message has been sent from a trusted sender or not.

Any organisation using a default gov.uk Dmarc setting will also not be taking advantage of the “reject email” policy, said Egress. This means less than 14% of organisations are using Dmarc effectively if they want to stop phishing attacks, according to Egress.
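The distinction drawn above, between a domain that merely publishes Dmarc and one that enforces it, can be checked from the published record itself, where the “do nothing” setting appears as `p=none`. The following is an added example, not code from Egress, the NCSC or the article: it classifies Dmarc TXT records as absent, monitor-only or enforcing. The domains and records are constructed, and the handling of the `pct` tag (which applies the policy to only a share of mail) goes beyond what the article discusses.

```python
# Added example: classify DMARC TXT records by the protection they give.
# Every domain and record below is constructed for illustration.
SAMPLE_RECORDS = {
    "council-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@council-a.example",
    "council-b.example": "v=DMARC1; p=quarantine; pct=50",
    "dept-c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@dept-c.example",
    "agency-d.example": None,  # no TXT record at _dmarc.agency-d.example
    "trust-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable DMARC."""
    if not txt:
        return None
    # RFC 7489: v=DMARC1 must be the first tag. Assumption of this example:
    # a record without a p tag is treated as unusable.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def classify(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"  # "do nothing": spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid-policy"
    pct = tags.get("pct", "")
    share = int(pct) if pct.isdigit() else 100  # pct defaults to 100
    return ("enforcing-" if share >= 100 else "partial-") + policy


def audit(records):
    return {domain: classify(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, verdict in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{domain:20} {verdict}")
```

In a live audit the record text would come from a TXT lookup at `_dmarc.<domain>`; only the verdicts starting with `enforcing-` correspond to the quarantine or reject behaviour the article describes as effective.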

Central government shores up email defences effectively

In central government, however, Dmarc has been implemented by the majority of departments, according to the NCSC.

“Our world-leading ACD programme was launched two years ago, but 89% of central government departments have already implemented Dmarc and 95% are using the NCSC’s Mail Check service,” an NCSC spokesperson told Computer Weekly.

The NCSC’s approach has been to focus on the primary domains of central government departments which are the most valuable to phishers, the spokesperson said, adding that gov.uk domains using Mail Check were much more likely to reach a Dmarc policy of “reject” or “quarantine” (blocking) to protect recipients from spoofed email from domains.

The Mail Check service, which is also part of the ACD programme, works by assessing an email server’s configuration and providing guidance on the implementation of various email security protocols, most notably Dmarc.

Government departments with Dmarc that are using Mail Check are blocking 35% more spoofed emails than those not using Mail Check to achieve a more secure Dmarc configuration, according to an NCSC blog post.

“The ACD programme intends to increase our cyber adversaries’ risk and reduces their return on investment, and it is for organisations to understand their own risk and act accordingly,” said the NCSC spokesperson.

“We are proud that Dmarc is available to organisations and believe our unique bold and interventionalist approach is making the UK an unattractive target to criminals or nation states.”
