DMARC ADOPTION AMONG

Similar documents
DMARC ADOPTION AMONG

DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG e-retailers

DMARC ADOPTION AMONG e-retailers

Are You Protecting Your & Your Customers? Learnings from the 2017 OTA Trust Audit. August 1, 2017

About Us. Overview Integrity Audit Fighting Malicious & Deceptive August 13, 2014

2016 Online Trust Audit Authentication Practices Deep Dive & Reality Check

Communicator. Branded Sending Domain July Branded Sending Domain

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

Building a Scalable, Service-Centric Sender Policy Framework (SPF) System

DMARC Continuing to enable trust between brand owners and receivers

Building a Resilient Security Posture for Effective Breach Prevention

FRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks

REPORT. proofpoint.com

2015 Online Trust Audit & Honor Roll Methodology

AT&T Endpoint Security

Office 365: Secure configuration

Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m.

Modern Database Architectures Demand Modern Data Security Measures

Evolution of Spear Phishing. White Paper

Department of Management Services REQUEST FOR INFORMATION

GDPR drives compliance to top of security project list for 2018

Getting Started with DMARC A Guide for Federal Agencies Complying with BOD 18-01

Trustwave SEG Cloud BEC Fraud Detection Basics

Agari Global DMARC Adoption Report: Open Season for Phishers

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Getting Started with DMARC. A Guide for Federal Agencies Complying with BOD 18-01

Uncovering the Risk of SAP Cyber Breaches

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

UK Healthcare: DMARC Adoption Report Security in Critical Condition

THE CYBERSECURITY LITERACY CONFIDENCE GAP

GDPR: An Opportunity to Transform Your Security Operations

Securing Your Digital Transformation

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Angela McKay Director, Government Security Policy and Strategy Microsoft

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

A Buyer s Guide to DMARC

2015 Online Trust Audit & Honor Roll Review June 23, All rights reserved. Online Trust Alliance (OTA) Slide 1

The Convergence of Security and Compliance

End-to-End Measurements of Spoofing Attacks. Hang Hu, Gang Wang Computer Science, Virginia Tech

The Anti-Impersonation Company. Date: May 2 nd, ValiMail. All Rights Reserved. Confidential and Proprietary.

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

An Executive s FAQ About Authentication

THE CLOUD SECURITY CHALLENGE:

MY CERTIFICATION HELPED ME GET HERE. MY MEMBERSHIP HELPS KEEP ME HERE.

ISACA International Perspective

Putting security first for critical online brand assets. cscdigitalbrand.services

ISACA MOSCOW CHAPTER Chapter meeting 22 September 2016

2015 VORMETRIC INSIDER THREAT REPORT

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Cyber Risk Market Survey 2019 Sneak Preview

Plan Your International Career in Digital Marketing with Our Guidance

Cybersecurity The Evolving Landscape

Building a Threat Intelligence Program

THE POWER OF TECH-SAVVY BOARDS:

Building Resilience in a Digital Enterprise

building an effective action plan for the Department of Homeland Security

Cybersecurity. Securely enabling transformation and change

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

A Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01

A Global Look at IT Audit Best Practices

Defending Our Digital Density.

THALES DATA THREAT REPORT

Security by Any Other Name:

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Is Your Marketing Trustworthy? Best Practices & Findings from Auditing 200 Top Retailers. December 13, 2017

MESSAGING SECURITY GATEWAY. Solution overview

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

Securing, Protecting, and Managing the Flow of Corporate Communications

The State of Cloud Monitoring

CYBERSECURITY AND THE MIDDLE MARKET

ISE Canada Executive Forum and Awards

To Audit Your IAM Program

Awareness and training programs OPTUS MACQUARIE UNIVERSITY CYBER SECURITY HUB

2017 Annual Meeting of Members and Board of Directors Meeting

Driving Global Resilience

OTA Strategic Update Building & Amplifying April 5, 2017

Vulnerability Management Trends In APAC

CISO as Change Agent: Getting to Yes

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Defensible and Beyond

2014 INTERNET COMMERCE CASE STUDY. The Battle Against Phishing and Fraudulent s. 100 S. Ellsworth Ave 4th Floor San Mateo, CA

Security Communications and Awareness

The Cost of Denial-of-Services Attacks

European Union Agency for Network and Information Security

THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY:

Single Sign-On. Introduction

2016 SPONSORSHIP OPPORTUNITIES

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Transcription:

DMARC ADOPTION AMONG Top US Colleges and Universities Q1 2018 Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

TABLE OF CONTENTS Introduction... 03 Research Overview... 04 Top US Colleges and Universities... 05 Takeaways... 06 Top 6 Recommendations... 07 About... 09 2

INTRODUCTION 250ok, a leader in advanced email analytics for DMARC, deliverability, design and engagement, recently developed a series of DMARC adoption reports for a variety of global industries. Domain-based Message Authentication, Reporting & Conformance (DMARC) is a sender-published policy for messages that fail authentication. By deploying and monitoring DMARC, institutions lower the likelihood their domains are spoofed and used for phishing attacks on students, parents, and employees, among other recipients. Implementing protections across institutions domains provides a critical first-step in deterring malicious emails. As data protection, online security, and brand trust become more important discussions for the general public, 250ok determined a need to identify which industries and institutions are doing the most, or least, to protect their stakeholders. A 2017 study from the Anti-Phishing Working Group reported an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91% of all cyber attacks begin with a phishing email. Although most of today s consumers are aware of phishing attacks, two in five US consumers fell victim to an online phishing attack, according to a 2017 Cyber Monday phishing survey by DomainTools. 3

RESEARCH OVERVIEW On February 12, 2018, 250ok conducted an analysis of 3,614 top-level domains controlled by accredited US colleges and universities. The scope of this study focused on the adoption of DMARC, an email authentication, policy, and reporting protocol that helps businesses prevent spoofing of their domains (e.g., www. college.edu). It is worth noting a meaningful number of institutions likely use a subdomain for some of their messaging (e.g., college.edu is a root domain; mail.college.edu is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery. A published record at the root domain will protect the entirety of the domain, including any potential subdomain as they will automatically inherit the DMARC policy of the root domain. 4

TOP US COLLEGES AND UNIVERSITIES DMARC Adoption 9.8% 1.0% 0.4% FIGURE 1 DMARC Adoption by Top US Colleges & Universities Legend n=3,614 domains Domains w/ No DMARC None Policy - good Quarantine Policy - better Reject Policy - best 88.8% Almost 90% (3,211) of top-level.edu domains lack the most basic DMARC policy, which leaves students, parents, alumni, and employees at risk of phishing attacks. 11.2% (403) of all.edu domains reviewed had a DMARC policy in place. Only.4% (14) of the.edu domains reviewed were at a reject policy, the gold standard for DMARC. 5

TAKEAWAYS The analysis revealed domains controlled by US higher education institutions indexed lower in their adoption of a DMARC policy (11.2%) when compared to top US and EU retailers (15.8%) and significantly lower than technology companies listed in the SaaS 1000 (35%). Less than 1% of all US institutions had the gold standard DMARC policy in place. Almost 90% of colleges and universities in the US have zero DMARC protection in place. 6

TOP 6 RECOMMENDATIONS FOR PROTECTING.EDU EMAIL PROGRAMS Properly setting up email authentication and deploying a DMARC policy on all actively operated domains are mandatory tasks for colleges and universities wanting to protect their brand, customers, and employees from phishing attacks. Recommendations: 1 Implement both SPF and DKIM for all domains; however, if DKIM is further out on your road map, SPF is an ideal place to begin. For SPF we recommend -all or ~all, and strongly advise against the use of +all. 2 Publish a DMARC record for all domains, whether you send mail from them or not. Deploying a DMARC none policy (p=none) is a perfectly fine starting point. It s a great step to get used to the DMARC data and begin the process of evaluating the length and complexity of your DMARC journey. 3 Find a DMARC software solution that will help you quickly interpret the large amounts of DMARC data you will receive and guide you through the process of getting to a reject policy for your domains responsibly. 7

TOP 6 RECOMMENDATIONS FOR PROTECTING.EDU EMAIL PROGRAMS 4 If you do not have email authentication expertise or resources that can manage the process of getting to reject for your domains, engage with a consultant who can guide you through the process and expedite your timeline to achieving a reject policy for your domains. 5 For domains non-sending and defensively registered domains, publish a DMARC with reject policy. It is a quick win to start protecting your brand by locking down these assets that should never be sending mail. 6 Now that you are seeing reporting on all of your domains and you have expertise overseeing the project, build your DMARC plan. Responsibly move to a quarantine policy (p=quarantine) and, eventually, a reject policy (p=reject). The key here is responsibly. Different businesses will have different journeys. In many cases, top-level (root) domains have a complex ecosystem of internal systems and third parties that use the domain, which impacts the timeline for deploying a DMARC reject policy responsibly. For more information on how 250ok DMARC software and services can help you responsibly deploy DMARC on your domains, contact us. 8

ABOUT Matthew Vernhout (CIPP/C) Director of Privacy, 250ok Matthew Vernhout is the Director of Privacy at 250ok and is a Certified International Privacy Professional (Canada) with nearly two decades of experience in email marketing. He actively shares his expertise on industry trends, serving as director at large of the Coalition Against Unsolicited Commercial Email (CAUCE), chair of The Email Experience Council s (EEC) Advocacy Subcommittee, and senior administrator of the Email Marketing Gurus group. He is a trusted industry thought-leader, speaking frequently at email marketing and technology conferences around the globe, and maintaining his celebrated blog, EmailKarma.net. Matthew has contributed to several benchmark publications during his career including DMARC Adoptions Among e-retailers, The EEC s Global Email Marketing Compliance Guide, The Impact of CASL on Email Marketing, and more. 250ok focuses on advanced email analytics, insight and deliverability technology to power a large and growing number of enterprise email programs ranging from clients like Adobe, Marketo, and Furniture Row who depend on 250ok to cut through big data noise and provide actionable, real-time analytics to maximize email performance. For more information, visit 250ok.com. 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback