FTSE 250 Companies’ Cyber Security Considered Weak

88% of the FTSE 250+ companies (the largest firms listed on the London Stock Exchange, as surveyed by Rapid7) have weak or non-existent anti-phishing defences in the public email configuration of their primary email domains: either no DMARC record at all, or one that only monitors spoofed mail rather than blocking it.

The failure of UK companies to deploy Domain-based Message Authentication, Reporting and Conformance (DMARC) at scale led Rapid7, in its 'Industry Cyber-Exposure Report: FTSE 250+', to conclude that the UK has the weakest layer of email defence of the three markets compared, behind the top companies of both the USA and Australia.

DMARC builds on SPF and DKIM: the domain owner publishes a policy in DNS that tells receiving mail servers what to do with messages claiming to come from the domain that fail authentication. With a 'reject' policy, spoofed mail is discarded before it reaches an inbox, which makes it far harder for a cyber criminal to convince a customer that a message genuinely came from the firm. One caveat: DMARC protects only the exact domain, not look-alike domains registered to imitate it, so it is one layer of anti-phishing defence rather than a complete one. It is also something the legal sector has been slow to embrace in recent years.

Currently, only around 10% of the top 100 law firms publish DMARC at its strictest 'reject' setting (a policy of p=reject). Cyber security experts are warning that law firms will need to embrace DMARC fully, because clients and businesses that work with law firms increasingly expect these technologies to be used appropriately and consistently.
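To make the difference between the 'reject' setting and the weaker settings concrete, here is an added example (not from the Rapid7 report, and not any law firm's tooling) that classifies a domain's DMARC record the way an exposure survey would: missing, monitor-only (p=none), quarantine, reject, or a reject/quarantine policy that is partially undermined by a pct value below 100 or a looser subdomain policy. The domain names and TXT records are constructed samples; a real record is fetched with `dig TXT _dmarc.<domain>`.

```python
"""Classify DMARC policies as an exposure survey would.

Added example; the domains and records below are constructed samples,
not real lookups. Fetch a live record with: dig TXT _dmarc.<domain>
"""
from typing import Dict, Optional

# Constructed sample TXT records for _dmarc.<domain> (hypothetical domains).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@quarantine.example",
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "subdomain.example":  "v=DMARC1; p=reject; sp=none",        # subdomains unprotected
    "broken.example":     "v=spf1 include:_spf.example -all",   # an SPF record, not DMARC
    "missing.example":    None,                                  # no TXT record at all
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs.

    Returns None when the record is absent or does not start with v=DMARC1;
    receivers treat both cases as 'no policy published'.
    """
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_dmarc(record: Optional[str]) -> str:
    """Return one of: missing, none, partial, quarantine, reject.

    'partial' is a reject/quarantine policy weakened by pct<100 (only a
    fraction of failing mail is acted on) or by a weaker sp= policy for
    subdomains; both leave a spoofing path open.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 s6.6.3: an absent or invalid p= is treated as p=none when a
        # rua= reporting address is present; otherwise the record is ignored.
        return "none" if "rua" in tags else "missing"
    if policy == "none":
        return "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # invalid pct is ignored by receivers, i.e. treated as 100
    sp = tags.get("sp", policy).lower()
    weaker_subdomains = sp == "none" or (policy == "reject" and sp == "quarantine")
    if pct < 100 or weaker_subdomains:
        return "partial"
    return policy


def survey(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per classification, like the report's headline figures."""
    counts = {"missing": 0, "none": 0, "partial": 0, "quarantine": 0, "reject": 0}
    for rec in records.values():
        counts[classify_dmarc(rec)] += 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify_dmarc(rec)}")
    print(survey(SAMPLE_RECORDS))
```

Only the domains that come back as "reject" are fully protected; "none" gives the firm reports about spoofing but lets every spoofed message through, and "partial" is the common half-finished rollout that an attacker can still exploit on subdomains or in the unenforced percentage.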

In 2017, only one of the top 100 law firms had deployed DMARC. Although that figure is increasing, so is the volume and sophistication of the cyber attacks targeted at law firms.

In the past week, the Solicitors Regulatory Authority (SRA) issued five scam warnings about phishing emails targeting conveyancing and inheritance work. These warnings cover only the scams reported to the SRA, so more are likely to be operating, and succeeding, unreported.

Furthermore, 19% of FTSE 250+ organisations did not enforce SSL/TLS on their public websites, leaving visitors able to reach those sites over unencrypted HTTP and raising the risk of malware being delivered to them.

TLS (the successor to SSL, which is now obsolete and should no longer be offered) encrypts and authenticates the connection between a visitor's browser and the website, so the data exchanged cannot be read or altered in transit. Enforcing it means redirecting every plain-HTTP request to HTTPS and sending an HTTP Strict Transport Security (HSTS) header so that browsers do not attempt HTTP on later visits. Where TLS is not enforced, an attacker positioned between the visitor and the site (a 'man-in-the-middle', for example on public Wi-Fi) can alter the web content a customer receives, including injecting links to malware and ransomware.
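The following added example (not from the Rapid7 report) shows how a survey would judge whether a site enforces TLS from two responses: the one served for a plain-HTTP request and the one served over HTTPS. It distinguishes a site that redirects to HTTPS and sets HSTS from one that only redirects (first visits are still exposed) and one that serves content over plain HTTP. The hostnames and responses are constructed samples, not captured from any real company; the `Response` type and the classification labels are this example's own.

```python
"""Judge TLS enforcement from an HTTP and an HTTPS response.

Added example with constructed responses; plug in real ones fetched by an
HTTP client to survey live hosts.
"""
from typing import Dict, NamedTuple, Tuple
from urllib.parse import urlsplit


class Response(NamedTuple):
    """Minimal stand-in for an HTTP response (hypothetical type for this example)."""
    status: int
    headers: Dict[str, str]


# Constructed samples: (response to http://host/, response to https://host/).
SAMPLES: Dict[str, Tuple[Response, Response]] = {
    "good.example": (
        Response(301, {"Location": "https://good.example/"}),
        Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ),
    "redirect.example": (
        Response(302, {"Location": "https://redirect.example/"}),
        Response(200, {"Content-Type": "text/html"}),
    ),
    "plain.example": (   # serves the page over cleartext HTTP
        Response(200, {"Content-Type": "text/html"}),
        Response(200, {}),
    ),
    "offsite.example": (  # redirects, but to another host still on plain HTTP
        Response(301, {"Location": "http://www.offsite.example/"}),
        Response(200, {}),
    ),
}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; header names are not case-sensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower(), "")


def redirects_to_https(host: str, http_resp: Response) -> bool:
    """True if the plain-HTTP response redirects to https:// on the same host."""
    if http_resp.status not in (301, 302, 307, 308):
        return False
    target = urlsplit(_header(http_resp.headers, "Location"))
    return target.scheme == "https" and (target.hostname or "") == host.lower()


def hsts_max_age(https_resp: Response) -> int:
    """Return max-age from Strict-Transport-Security, or 0 if absent/invalid."""
    value = _header(https_resp.headers, "Strict-Transport-Security")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def classify_tls(host: str, http_resp: Response, https_resp: Response) -> str:
    """Return 'enforced', 'redirect-only' or 'not-enforced'.

    'enforced' requires both the redirect (covers the first visit) and HSTS
    (later visits skip the cleartext hop entirely). A 200 over plain HTTP
    means a man-in-the-middle can rewrite the page the visitor receives.
    """
    if not redirects_to_https(host, http_resp):
        return "not-enforced"
    if hsts_max_age(https_resp) <= 0:
        return "redirect-only"
    return "enforced"


if __name__ == "__main__":
    for host, (http_resp, https_resp) in SAMPLES.items():
        print(f"{host:18} {classify_tls(host, http_resp, https_resp)}")
```

In a live survey the two responses come from separate requests (`http://` and `https://`) with redirects disabled, so that the first hop is what gets judged; an HSTS header with `max-age=0` is treated as absent because that value tells browsers to forget the policy.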

A spokesperson for Rapid7, which published the 'Industry Cyber-Exposure Report: FTSE 250+', commented:

“The report reveals that even among very large, mature, and well-resourced organisations, we see evidence of cybersecurity basics being missed or deployed insufficiently. This hints at the complexity and breadth required for a comprehensive security program, which is a never-ending challenge in which there is always more that can be done, constrained by limited resources and time, regardless of the size of the organisation.

“If this challenge cannot be comprehensively met by these very large, high-revenue organisations, just imagine how much worse it is for smaller organisations with far fewer resources to apply to security.

“Many small- to medium-size businesses represent a very tasty target for attackers due to their intellectual property. For example, those with involvement in processing sensitive or financial data (the many law firms that handle complex mergers and acquisitions between much larger companies).”

Is your law firm embracing DMARC services and other robust cyber defences?