

Lack Of DMARC Implementation Puts Government Agencies And Companies At Risk

Research by email security provider SMX has shown that New Zealand businesses and government agencies remain vulnerable to email attacks using spoofed email addresses, thanks to the low uptake or incorrect implementation of DMARC (Domain-based Message Authentication, Reporting and Conformance).

As modern email gateway solutions have tackled the bulk of malicious emails, cyber criminals have become more sophisticated in their approaches, marrying clever facsimiles of genuine emails with domain spoofing so that the email appears to originate from the business or individual it claims to represent. Even users aware of email security issues can be fooled by the appearance of a legitimate sender address, leading the victim to either click on a malicious attachment or respond to the request contained within.

According to CERT NZ, financial losses due to scam and fraud totalled $14.5 million in 2019, with 87% of that being due to email fraud. There was a 25% increase in phishing and credential harvesting incidents compared to 2018. Ransomware attacks, which are typically launched via email, are particularly threatening, with CERT NZ reporting last year that 70% of the ransomware attacks reported to the agency since it was set up led to some form of loss for the victim. Apart from the financial losses, organisations exposed user data and suffered reputational damage as a result.

A key part of the solution to this problem has existed since 2015. DMARC, when properly implemented, filters incoming email and verifies whether an email was sent by the purported sender. The result is that no matter how well constructed the impersonation of a company or individual is, the email filtering program is able to detect and reject the malicious email.

SMX co-founder and email evangelist, Thom Hooker, says that despite the security advantage DMARC offers, uptake of it remains low across both business and government in New Zealand.

“We recently surveyed organisations utilising DMARC across the region. We found that while one third of the top 100 New Zealand companies have some form of DMARC record, many of those were either still at the experimental phase or, even worse, had misconfigured records. Only 8% could be said to have a solid DMARC implementation.”

“The story within government agencies, where a huge amount of personal and business data resides, was worse. We looked at the DNS records of all 372 NZ government agencies. While we found 74 agencies have some form of DMARC record, we saw large numbers of misconfigured or invalid records amongst them. Of the 74 agencies with some form of DMARC, only 12 are configured to reject email, with another five configured to quarantine emails that breach their policy.”

“Australian Federal agencies are only slightly ahead of New Zealand. Of 187 agencies, 103 have some form of DMARC record, although only 32 (17%) have a record in enforcement mode (with most set to reject, and there aren’t misconfigured records). 71 (37%) have DMARC but are effectively taking no action (including no reporting), while 84 (44%) have no record at all.”

Hooker says this poor DMARC uptake continues to put businesses and individuals at risk of financial or data loss while government agencies run the risk of exposing personal data due to a privacy breach originating from an email scam.
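
The buckets used in the survey figures above (reject, quarantine, no action, misconfigured, no record) can be checked against the TXT records a domain publishes at _dmarc.<domain>. The following is an added example, not SMX's survey tooling: it applies a simplified subset of the RFC 7489 record rules, and the bucket names, function names and sample records are assumptions made for illustration.

```python
# Added example: bucket DMARC TXT records the way the survey describes them.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    tags = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags.append((tag.strip().lower(), value.strip()))
    return tags

def classify(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    if not txt_records:
        return "no-record"
    parsed = []
    for rec in txt_records:
        try:
            tags = parse_tags(rec)
        except ValueError:
            return "invalid"
        # v=DMARC1 must be the first tag and match exactly (RFC 7489).
        if tags and tags[0] == ("v", "DMARC1"):
            parsed.append(dict(tags))
    if len(parsed) != 1:          # nothing usable, or conflicting records
        return "invalid"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy not in VALID_POLICIES or not pct.isdecimal() or int(pct) > 100:
        return "invalid"
    if policy == "none":          # monitoring only; useful only with reports
        return "monitor" if tags.get("rua") else "no-action"
    return policy if int(pct) == 100 else policy + "-partial"

SAMPLES = {  # constructed records; example.org is a placeholder domain
    "a.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "b.example.org": ["v=DMARC1; p=quarantine; pct=25"],
    "c.example.org": ["v=DMARC1; p=none"],
    "d.example.org": ["v=DMARC1 p=reject"],   # missing ';' separator
    "e.example.org": [],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:15} {classify(records)}")
```

Only the "reject" and "quarantine" results correspond to a record in enforcement mode; a "-partial" result means the policy is applied to a fraction of failing mail.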

“Given how much personal data is stored digitally with government agencies, each agency has a duty to take all appropriate measures to protect that data. Our research shows that while a small number of government agencies clearly understand the risks and have implemented DMARC, many either do not or have been slow in adopting DMARC.”

“I think part of the problem is that people assume email is insecure and that there isn’t a way they can stop this type of spoofing attack beyond good vigilance and standard email filtering tools. But DMARC fundamentally changes that situation, providing organisations with a technical solution that lets them establish the legitimacy of an email beyond doubt and reject or quarantine accordingly.”

“The other issue is that many of those who have gone down the DMARC path have either failed to implement it fully or have made mistakes in doing so, both of which can lead them to underestimate the value it provides. There clearly is a need for more education in the market.”

Hooker says DMARC should be a de facto part of any organisation’s security approach and its global uptake is vital to helping fight email-based cyber threats.

“Email has been around for 40 years and despite various attempts to replace it, it’s unlikely to go away any time soon. It has become a more sophisticated tool as it’s evolved to meet changing demands and DMARC is one of the most significant evolutions in that history. It’s time more organisations made use of it to protect themselves and their customers.”

© Scoop Media
