The majority of leading German companies lack basic email security precautions. This poses a danger for customers, partners and employees, as they could quickly become victims.
Proofpoint, Inc. today published a new study on the topic of email security for German companies. It shows that 65 percent of the 40 largest German companies do not actively protect their employees, customers and partners from email fraud. This is the result of an analysis of the level of implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC) among DAX40 companies.
Lack of protection through DMARC sender authentication
DMARC is an email validation protocol designed to protect domain names from misuse by cybercriminals. DMARC can be used to authenticate the sender's identity before a message is delivered. DMARC has three security levels: Monitor, Quarantine and Reject, with Reject being the safest option to prevent suspicious emails from reaching the inbox.
The protocol also makes it more difficult for cybercriminals to abuse brand domains, and thus a brand's reputation, for email attacks on other companies and consumers. Proofpoint's current analysis found that only 14 of the 40 (35%) largest German companies have implemented DMARC at the most secure level (Reject) to protect their email communications. This means that 65 percent do not proactively prevent fraudulent emails from reaching their customers, partners and employees. The majority (88%) of the DAX40 companies analyzed by Proofpoint use basic DMARC protection. The remaining 12 percent open the door to domain misuse and consumer email fraud.
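The three levels above correspond to the `p=` values `none`, `quarantine` and `reject` in the TXT record a domain publishes at `_dmarc.<domain>`. The following Python code is an added example, not part of the Proofpoint study or its tooling: it classifies already-fetched TXT records into those levels and counts how many domains enforce Reject. The domain names and records are constructed, and a missing or misspelled `p=` tag is simply reported as invalid, which is a simplification of the rules in RFC 7489.

```python
from collections import Counter

# The page's level names, keyed by the DMARC "p=" policy value (RFC 7489).
LEVELS = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Reject"}

def is_dmarc(record):
    """A DMARC record must begin with the version tag v=DMARC1."""
    return record.split(";", 1)[0].replace(" ", "") == "v=DMARC1"

def parse_tags(record):
    """Split 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Return the DMARC level for the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if len(dmarc) != 1:
        # No record, or several: receivers then apply no DMARC policy.
        return "No DMARC"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        return "Invalid"  # simplification: missing or misspelled p= tag
    level = LEVELS[policy]
    pct = tags.get("pct", "100")
    if level != "Monitor" and pct.isdigit() and int(pct) < 100:
        level += " (partial)"  # policy applied to only a share of mail
    return level

# Constructed sample data: hypothetical domains and TXT records.
SAMPLE = {
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "quarantine.example": ["v=DMARC1; p=quarantine; pct=50"],
    "monitor.example": ["google-site-verification=abc", "v=DMARC1; p=none"],
    "missing.example": ["v=spf1 -all"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "typo.example": ["v=DMARC1; p=rejct"],
}

def summarize(domains):
    """Count domains per level, as a survey of a company list would."""
    return Counter(classify(records) for records in domains.values())

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:20} {classify(records)}")
    print(f"at Reject: {summarize(SAMPLE)['Reject']}/{len(SAMPLE)}")
```

The duplicate and typo cases are the ones worth checking on your own domains: both records look like Reject at a glance, yet neither gives receivers a policy to enforce.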
Attacks most often begin when an email is opened
“The fact that so many companies – even large ones – are not implementing DMARC at the required level is extremely concerning,” commented Bert Skaletski, Resident CISO, DACH at Proofpoint. “IT security incidents repeatedly make headlines, sometimes paralyzing companies for days. In the vast majority of cases, these incidents begin with an email that an employee opens because, for example, he or she knows the sender's name. Without DMARC implementation, it is easy for cybercriminals to spoof a well-known company’s email address, putting customers or partners at risk.”
“The fact that the top 40 German companies do not take proactive measures to secure their email communication is a deep reflection. Especially when you consider that Bitkom expects to spend 8.5 billion euros on IT security in Germany in 2023. As long as a measure as fundamental as the introduction of DMARC is not implemented, even the largest investments will not significantly improve IT security in German companies,” emphasizes Skaletski.
Cybercriminals abuse well-known brand names
This poor implementation of DMARC authentication gives cybercriminals the opportunity to exploit well-known brands in their attacks. With this in mind, it is particularly concerning that, according to a global Proofpoint study, almost half (44 percent) of respondents said that an email is safe if it contains a well-known brand name. Additionally, 63 percent assume that an email address always matches the brand's corresponding website. This lack of security awareness, together with companies' missing or poor DMARC implementation, is a dangerous combination.
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. The focus for Proofpoint is the protection of employees, because they represent the greatest capital for a company, but also the greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.