DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

Similar documents
DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG e-retailers

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG e-retailers

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

Are You Protecting Your & Your Customers? Learnings from the 2017 OTA Trust Audit. August 1, 2017

FRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks

UK Healthcare: DMARC Adoption Report Security in Critical Condition

Building a Scalable, Service-Centric Sender Policy Framework (SPF) System

DMARC Continuing to enable trust between brand owners and receivers

Office 365: Secure configuration

Getting Started with DMARC. A Guide for Federal Agencies Complying with BOD 18-01

AT&T Endpoint Security

REPORT. proofpoint.com

Getting Started with DMARC A Guide for Federal Agencies Complying with BOD 18-01

2016 Online Trust Audit Authentication Practices Deep Dive & Reality Check

Agari Global DMARC Adoption Report: Open Season for Phishers

Communicator. Branded Sending Domain July Branded Sending Domain

The Anti-Impersonation Company. Date: May 2 nd, ValiMail. All Rights Reserved. Confidential and Proprietary.

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

A Buyer s Guide to DMARC

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Update on new Microsoft Cloud Technology

Securing Your Digital Transformation

Building a Resilient Security Posture for Effective Breach Prevention

Putting security first for critical online brand assets. cscdigitalbrand.services

About Us. Overview Integrity Audit Fighting Malicious & Deceptive August 13, 2014

Evolution of Spear Phishing. White Paper

Retail Security in a World of Digital Touchpoint Complexity

An Executive s FAQ About Authentication

GDPR: An Opportunity to Transform Your Security Operations

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Phishing in the Age of SaaS

Trustwave SEG Cloud BEC Fraud Detection Basics

Security Communications and Awareness

Table of content. Authentication Domain Subscribers Content Sending practices Conclusion...

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

THE CLOUD SECURITY CHALLENGE:

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

GDPR drives compliance to top of security project list for 2018

Modern Database Architectures Demand Modern Data Security Measures

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

Introducing Cyber Observer

Angela McKay Director, Government Security Policy and Strategy Microsoft

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Vulnerability Management Trends In APAC

Security by Any Other Name:

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

CHALLENGES GOVERNANCE INTEGRATION SECURITY

MESSAGING SECURITY GATEWAY. Solution overview

2015 Online Trust Audit & Honor Roll Methodology

SECOPS: NAVIGATE THE NEW LANDSCAPE FOR PREVENTION, DETECTION AND RESPONSE

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

A Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01

THALES DATA THREAT REPORT

Building Resilience in a Digital Enterprise

2017 Annual Meeting of Members and Board of Directors Meeting

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

McAfee Advanced Threat Defense

THE ACCENTURE CYBER DEFENSE SOLUTION

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Meaningful Use or Meltdown: Is Your Electronic Health Record System Secure?

Phishing. Eugene Davis UAH Information Security Club April 11, 2013

building an effective action plan for the Department of Homeland Security

Petroleum Refiner Overhauls Security Infrastructure

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Security Communications and Awareness

SD-WAN. Enabling the Enterprise to Overcome Barriers to Digital Transformation. An IDC InfoBrief Sponsored by Comcast

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

with Advanced Protection

2018 Edition. Security and Compliance for Office 365

Security Protection

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

On the Surface. Security Datasheet. Security Datasheet

Moving from Prevention to Detection March 2017

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

Automatic Delivery Setup Guide

2014 INTERNET COMMERCE CASE STUDY. The Battle Against Phishing and Fraudulent s. 100 S. Ellsworth Ave 4th Floor San Mateo, CA

TRANSACTIONAL BENCHMARK

Cybersecurity in Government

Run the business. Not the risks.

2018 Report The State of Securing Cloud Workloads

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

SAP PartnerEdge Program Guide for Authorized Resellers

Cyber Risk Market Survey 2019 Sneak Preview

Grow Revenue and Engagement through strategic use of technology and innovation

Skybox Security Vulnerability Management Survey 2012

Securing, Protecting, and Managing the Flow of Corporate Communications

Tripwire State of Container Security Report

Bitdefender GravityZone. Supreme protection against active threats for the SMB market

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Transcription:

DMARC ADOPTION AMONG SaaS 1000 Q1 2018 Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

TABLE OF CONTENTS Introduction... 03 Research Overview... 04 SaaS 1000... 05 DMARC Adoption Among SaaS 1000... 05 DMARC Adoption Among Top 20... 06 DMARC Adoption Among Top 100... 07 Top 6 Recommendations... 08 About... 10 2

INTRODUCTION As part of our ongoing research into DMARC adoption, we dived head first into the SaaS 1000 to understand exactly how technology companies use email authentication, including Domain-based Message Authentication, Reporting and Conformance (DMARC), to provide customers and employees a minimum level of protection from phishing attacks. DMARC is an email-validation system designed to detect and prevent email spoofing. A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust as 91% of all cyber attacks begin with a phishing email. Although most of today s consumers are aware of phishing attacks, two in five US consumers have fallen victim to an online phishing attack, according to a 2017 Cyber Monday phishing survey by DomainTools. How do phishing attacks that spoof institutions impact consumer trust in their brand? A study from Cloudmark revealed that 42% of consumers are less likely to do business with a company following receipt of a suspicious messaging purporting to be from that brand. In a survey of French consumers, 90% of respondents stated that they either somewhat or completely distrusted emails coming from brands. By identifying and suppressing malicious mail impersonating brands, some institutions report a correlating double-digit boost in marketing email opens. 3

RESEARCH OVERVIEW On February 13, 2018, 250ok performed an analysis of the top-level domains owned by the top 1000 SaaS businesses looking exclusively for published DMARC records. It is worth noting a meaningful number of companies likely use a subdomain for some of their messaging (e.g., 250ok.com is a root domain; pages.250ok.com is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery. A published record at the root domain will protect the entirety of the domain, including any potential subdomain as they will automatically inherit the DMARC records of the root. It is also possible to publish different policies for individual subdomains at either the subdomain level, or at the root domain level with a defined sp= policy. The SaaS 1000 is a list of top SaaS businesses ranked by a combination of factors including employee count growth over the previous six month period and overall employee count. The SaaS 1000 list requires qualifying companies to have a minimum of 40 employees. 4

SAAS 1000 DMARC Adoption Among SaaS 1000 5.2% 4.8% FIGURE 1 DMARC Adoption Among SaaS 1000 25% Legend n=1,000 domains Domains w/ No DMARC None Policy - good Quarantine Policy - better Reject Policy - best 65% Top 20 Companies with DMARC Policy Top 100 Companies with DMARC Policy Top 1000 Companies with DMARC Policy 65% 51% 35% 5

SAAS 1000 DMARC Adoption Among Top 20 Among the top 20 SaaS companies, 65% have a DMARC policy in place. 5% 20% 35% FIGURE 2 DMARC Adoption Among Top 20 by SaaS 1000 Legend n=20 Domains w/ No DMARC None Policy - good Quarantine Policy - better Reject Policy - best 40% 6

SAAS 1000 DMARC Adoption Among Top 100 Among the top 100 SaaS companies, 51% have a DMARC policy in place. 9% 9% FIGURE 3 DMARC Adoption Among Top 100 by SaaS 1000 Legend n=100 49% Domains w/ No DMARC None Policy - good Quarantine Policy - better Reject Policy - best 33% 7

TOP 6 RECOMMENDATIONS FOR PROTECTING SAAS EMAIL PROGRAMS Properly setting up email authentication and deploying a DMARC policy on all actively operated domains are mandatory tasks for SaaS businesses wanting to protect their brand, customers, and employees from phishing attacks, which erode brand trust. Recommendations: 1 Implement both SPF and DKIM for all domains; however, if DKIM is further out on your roadmap, SPF is an ideal place to begin. For SPF we recommend -all or ~all, and strongly advise against the use of +all. 2 Publish a DMARC record for all domains, whether you send mail from them or not. Deploying a DMARC None policy (p=none) is a perfectly fine starting point. It s a great step to get used to the DMARC data and begin the process of evaluating the length and complexity of your DMARC journey. 3 Find a DMARC software solution that will help you quickly interpret the large amounts of DMARC data you will receive and guide you through the process of getting to a Reject policy for your domains responsibly. 8

TOP 6 RECOMMENDATIONS FOR PROTECTING SAAS EMAIL PROGRAMS 4 If you do not have email authentication expertise or resources that can manage the process of getting to Reject for your domains, engage with a consultant who can guide you through the process and expedite your timeline to achieving a Reject policy for your domains. 5 For domains non-sending and defensively registered domains, publish a DMARC with Reject policy. It is a quick win to start protecting your brand by locking down these assets that should never be sending mail. 6 Now that you are seeing reporting on all of your domains and you have expertise in overseeing the project, build your DMARC plan. Responsibly move to a quarantine policy (p=quarantine) and, eventually, a reject policy (p=reject). The key here is responsibly. Different businesses will have different journeys. In many cases, top-level (root) domains have a complex ecosystem of internal systems and third parties that use the domain, which impacts the timeline for deploying a DMARC Reject policy responsibly. For more information on how 250ok DMARC software and services can help you responsibly deploy DMARC on your domains, contact us. 9

ABOUT Matthew Vernhout (CIPP/C) Director of Privacy, 250ok Matthew is the Director of Privacy at 250ok and a Certified International Privacy Professional (Canada) with more than 17 years of experience in email marketing. In addition to regularly contributing to email-related news articles, he has contributed to several benchmark publications, including The Marketer s Guide to Successful Email Delivery, The eec s Global Email Marketing Compliance Guide, and The Impact of CASL on Email Marketing, among others. Matthew is active in various associations, including serving as director at large of the Coalition Against Unsolicited Commercial Email (CAUCE), The Email Experience Council s Advocacy Subcommittee Chair and Sr. Administrator of the Email Roundtable. 250ok focuses on advanced email analytics, insight and deliverability technology to power a large and growing number of enterprise email programs ranging from clients like Adobe, Marketo, and Furniture Row who depend on 250ok to cut through big data noise and provide actionable, real-time analytics to maximize email performance. For more information, visit 250ok.com. 10

ABOUT SaaS The SaaS 1000 is a list of the top SaaS companies based on a combination of factors including a company s six-month-employee-growth-count and overall employee number. As a result, the list is comprised of a variety of companies, from startup and early stage businesses to established SaaS leaders. The minimum employee-count threshold to qualify for inclusion is 40 employees. Learn more about the SaaS 1000 at saas1000.com. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback