Experts Warn Law Firms To Fully Implement DMARC Protections
Currently, only around 10% of the top 100 law firms use DMARC at its top protective ‘reject’ setting. Cyber security experts are warning that law firms will need to fully embrace Domain-based Message Authentication, Reporting & Conformance (DMARC), as the people who use legal services and work with law firms are increasingly demanding that these technologies be used appropriately and consistently.
Clients, regulators, other law firms and third party suppliers are looking for the legal sector to consistently use DMARC as part of their robust cyber security protocols in order to help protect clients, other businesses and the law firm itself from cyber attacks.
DMARC protects an email domain by preventing cyber criminals from spoofing or copying the address and using it, in conjunction with social engineering techniques, to convince clients or even employees of the firm to part with sensitive information or money. It is therefore an additional barrier of protection that could prevent supply chain attacks: fraudsters would have to use an email address with a slight variation from the original domain, which could help those in the supply chain spot a red flag.
The National Cyber Security Council (NCSC) issued clear recommendations to UK businesses in 2017 through their guidance document ‘Email Security and Anti-Spoofing’. This guidance was updated in October 2018, stating that all domains should use DMARC.
The advice states that DMARC should be implemented incrementally, starting with a DMARC policy of ‘none’ and gradually moving to ‘quarantine’ and eventually ‘reject’ once the domain owner is confident that the mail being sent from the domain is genuine. Despite this advice, the legal sector has been slow to respond!
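The ‘none’ to ‘quarantine’ to ‘reject’ progression described above can be checked mechanically from a domain’s published record. The following Python is an added illustration, not code from the article or from the NCSC guidance: it parses a DMARC TXT record (the kind published at `_dmarc.<domain>`) and reports which stage the domain has reached, together with the settings that make a nominal ‘reject’ weaker than it looks (a `pct` below 100, a weaker subdomain policy, or no reporting address). The sample records and the `example.invalid` address are constructed placeholders.

```python
"""Parse and assess DMARC TXT records (added example, not from the article).

Record syntax follows RFC 7489. The sample records below are constructed
for illustration and do not belong to any real domain.
"""

# Ordered from weakest to strongest, matching the recommended rollout path.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs.

    Raises ValueError if the record does not start with v=DMARC1 or lacks
    the mandatory p= tag.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("mandatory p= tag missing")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective protection level of a record and any caveats.

    'level' is the policy applied to the organisational domain itself.
    'caveats' lists settings that weaken it: a pct below 100, a subdomain
    policy (sp) weaker than the main policy, or no rua= address, without
    which the owner receives no aggregate reports to guide the move from
    none to quarantine to reject.
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy {policy!r}")
    caveats = []

    # pct defaults to 100; anything lower means only a sample of failing
    # mail is actually quarantined or rejected.
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    if policy != "none" and pct < 100:
        caveats.append(f"only {pct}% of failing mail is subject to p={policy}")

    # sp defaults to the main policy; an explicit weaker sp leaves every
    # subdomain open to spoofing even when the apex is at reject.
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        caveats.append(f"subdomains fall back to sp={sub_policy}")

    if "rua" not in tags:
        caveats.append("no rua= address: no aggregate reports will be received")

    return {"level": policy, "pct": pct, "sp": sub_policy, "caveats": caveats}


# Constructed sample records (placeholder domain), one per rollout stage,
# plus a 'reject' record that is weaker than it looks.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
    "quarantine": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.invalid",
    "reject": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.invalid",
    "reject-but-weak": "v=DMARC1; p=reject; pct=20; sp=none",
}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{name:16} level={result['level']:10} caveats={result['caveats']}")
```

In practice the input string comes from a TXT lookup of `_dmarc.<domain>`; the assessment is the same whichever resolver library supplies it. The ‘reject-but-weak’ sample shows why the article distinguishes a full ‘reject’ policy from merely having the word in the record: with `pct=20` and `sp=none`, most failing mail and every subdomain are still unprotected.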
UK businesses have been warned to improve the way they scrutinise third party security policies following a damning report. The ‘Tech Vision Report’ found that just 29% of the 6,600 IT and business executives from 27 countries were aware of the cyber security being used by the suppliers and organisations they work with.
Overall, 56% felt comfortable in taking a business at their word that they had protected themselves from cyber criminality without making any formal checks. Worse still, the same number were content with trusting that their suppliers were cyber protected without even approaching or asking.
In the UK alone, only 29% of firms were vigilant enough to ensure that the people and organisations they work with were protecting their online presence.
When it is predicted that 25% of all global cyber attacks will be attributed to supply chain attacks within the next five years, it is becoming imperative that law firms scrutinise the security processes of the people, law firms, clients and suppliers they work with.
Email security company Valimail has claimed that 6.4 billion spoofed email messages are sent daily. Of this number, 960 million messages use exact-domain spoofing because the email domain is not adequately protected.
According to a survey by Red Sift, in 2017, only one law firm had their DMARC settings at the top ‘reject’ policy. Whilst this has increased to 11 in 2019, there is a growing fear that firms are either placing their DMARC security at the top setting before it is ready or failing to achieve the top ‘reject’ policy setting that will properly protect the email domain.
In March, a report by Egress found that only 28% of all gov.uk domains are using DMARC to prevent impersonation and phishing attacks, despite a blanket Government policy requiring DMARC on those domains.
53% of the domains that had integrated DMARC also had their policy set to ‘do nothing’, which leaves each such email domain exposed to spoofing.
Experts have warned that many firms are yet to embrace DMARC. Although a number of prominent firms, including DLA Piper, Hogan Lovells, Linklaters, Norton Rose, CMS, Herbert Smith Freehills and Eversheds Sutherland, have achieved a full ‘reject’ standard, the uptake needs to be more consistent.
Joseph Hedegaard-Ganly, Information Security Adviser at Saepio, commented:
“Since DMARC’s inclusion in the British Minimum Cyber Security Standard, the frequency that we’re seeing clients include DMARC compliancy as part of their information security auditing is astounding.
“With the FTSE 100 stepping up their supply chain security, law firms are increasingly the first to be asked to reach policy level reject, the highest level of DMARC.
“Reputation is not a new concept to law firms, but the reputation of one’s domain has previously not been seen as an area of consideration.
“The race to reach reject is not a box-ticking exercise, but rather the result of firms getting visibility into what use of their domain is taking place through reports. There’s little doubt that, by this time next year, the percentage of the top 100 in reject will be significantly higher.”
Dr Rois Ni Thuama, Head of Cyber Security Governance at Red Sift, said:
“A number of top UK financial institutions have requested their legal partners implement DMARC in a bid to secure their supply chain.
“Organisations are waking up to the reality that while their own digital infrastructures are well defended, the threat is still lurking on the periphery due to a weakness in the cyber defences of third-party suppliers – in many cases, the law firm.
“If DMARC is one of the Minimum Cyber Security Standards required by the British Government of all departments and their contractors, surely all organisations operating in the UK should follow suit and not only implement these defences to protect their own clients, but also mandate that the organisations in their supply chain also adhere to this fundamental cyber security standard.
“Twenty months on, 10 additional firms have implemented DMARC at full protection – clearly in response to increasing pressure from clients, suppliers and Government.”
Has your law firm incorporated DMARC into its security policies in order to prevent spoofing attempts?