Nov 29, 2018

It’s time for state and local governments to take on email authentication


Statistics show that nearly half of state and local governments experience daily cyberattacks. Such attacks target cities, counties, local utilities, and other critical local infrastructure that fall under the responsibility of state and local governments. Since the majority of attacks start with an email, email authentication should be top of mind for all state and local governments.

But what is email authentication?

Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on SPF and DKIM standards to authenticate the sender of an email message. When properly configured, DMARC gives a domain owner complete visibility into all email activity in their domain, along with the ability to specify how to deal with unauthenticated email: either quarantine it for review or delete it before it reaches the inbox.

With a DMARC record configured for enforcement, only authenticated senders can deliver email as the domain. This shuts down impersonation of the domain, blocking unauthorized email from any sender to any recipient.
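As an added illustration (not code from the original post), the following Python models what the two paragraphs above describe: parsing a DMARC TXT record, checking whether its policy is at enforcement, and deciding a message's disposition from the SPF and DKIM results and their alignment with the From domain. The domains and records are constructed, and the organizational-domain logic is simplified (real DMARC uses the public suffix list); the pct and sp tags are ignored.

```python
# Constructed sample DNS TXT records for hypothetical government domains.
SAMPLE_DMARC_RECORDS = {
    "county.example": "v=DMARC1; p=reject; rua=mailto:dmarc@county.example; adkim=s; aspf=r",
    "city.example": "v=DMARC1; p=none; rua=mailto:reports@city.example",
    "utility.example": "v=DMARC1; p=quarantine; pct=100",
    "nodmarc.example": "v=spf1 include:_spf.example -all",  # SPF only, no DMARC
}


def parse_dmarc(txt):
    """Parse a DMARC record into a tag -> value dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def at_enforcement(tags):
    """p=none only monitors; quarantine and reject actually stop impersonation."""
    return tags is not None and tags.get("p") in ("quarantine", "reject")


def organizational_domain(domain):
    # Simplification: last two labels (the real check uses the public suffix list).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(tags, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Disposition for one message: 'pass' if SPF or DKIM passes AND aligns, else policy."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```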

Federal adoption of email authentication

The federal government has already recognized the damage that can be done without email authentication in place. Binding Operational Directive 18-01 (BOD 18-01), a directive by the Department of Homeland Security (DHS), mandated that all federal agencies adopt and enforce DMARC for all of their domains.

In October 2017, when the directive was issued, only 4 percent of the U.S. government domains were protected from impersonation with a DMARC record at enforcement. As of October 2018, just a year later, 57 percent of all federal government domains (752 .gov domains in all) are now protected from impersonation.

So why should state and local governments care?

While federal directives do not apply to state and local governments, there are simply too many risks associated with email impersonation (unauthenticated email) to ignore the threat.

91% of cyberattacks start with a phishing email. It is the #1 cyberattack vector.

There are significant monetary losses associated with unauthenticated email. Business email compromise (a subcategory of email fraud) has cost businesses worldwide $12.5 billion since 2013, according to the Federal Bureau of Investigation.

Perhaps more important than the monetary loss is the loss of citizen trust. Cyberattackers impersonate state and local governments because of their inherent authority and trust. A fake email that appears to come from the county assessor is much more likely to get recipients to act than a fake invoice from a system with an unrecognizable name. Taking advantage of that implied trust makes it easy to fool citizens, elected officials, civil servants, and government contractors.

But in the long term, attacks like this erode confidence in government communications — to the point where some government organizations actually tell citizens that they should never trust any emails that appear to come from them!

Attacks against state and local government entities can be run-of-the-mill ransomware attacks or go as far as politically motivated attacks aimed at undermining, penetrating, or casting doubt on the integrity of election systems. Regardless of the type of attack, with your email unprotected, hackers have a trusted communication medium available to pull them off.

From election security to good old-fashioned fraud, we compiled some of the biggest reasons why all government entities need to consider DMARC-based authentication to reduce email impersonation and phishing. Download our latest white paper, 5 Reasons State and Local Governments Need to Care About Email Authentication, for a deeper dive.
