In a statistic that might interest ministers in Brussels, Valimail reports that over half of all large tech companies lack basic protection from spoofing. And even more are at risk.
Valimail examined the primary domains of 525 global technology companies with revenues topping $500 million per annum.
Of those, slightly less than half — numbering 257 — have domains with Domain-based Message Authentication, Reporting, and Conformance (DMARC) records, but only 55 maintain DMARC at the enforcement level, for an effectiveness rate of 21%. That means 268 — or 51% — have no DMARC records. And those that do have them are far from safe.
DMARC is the accepted protection standard. The Department of Homeland Security had ordered all federal agencies to adopt DMARC by last October 16.
What’s the difference between keeping DMARC records and full enforcement?
“Without enforcement — or with errors — a DMARC record can provide some visibility into an organization’s mail now, but it does not stop spoofing,” the study states. “In other words, these domains can still be used in phishing attacks.”
Meanwhile, 19 domains — 3.6% of the total — have incorrectly configured DMARC records, and 183 domains are correctly configured, but lack policies that will stop phishing from spoofed email addresses.
Valimail concludes that “90% of large tech companies remain unprotected from impersonation. They — and their customers and partners — are still at risk for phishing attacks.”
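The gap between publishing a DMARC record and enforcing one can be checked mechanically. The Python below is an added example, not Valimail's code or methodology: it sorts the TXT answers for `_dmarc.<domain>` into the buckets the study counts. It assumes "enforcement" means `p=quarantine` or `p=reject` applied to all mail (`pct=100`), which the article does not spell out; the sample records and `.example` domains are constructed.

```python
# Added example: sort a domain's _dmarc TXT answers into the study's buckets.
# Assumption: "enforcement" = p=quarantine or p=reject with pct=100 (the default).

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a dict; None if any tag is malformed."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep or not name.strip() or not value.strip():
            return None
        tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """txt_records: TXT strings returned for _dmarc.<domain> (may be empty)."""
    dmarc = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return "no record"
    if len(dmarc) > 1:
        return "invalid"  # several DMARC records: receivers apply none of them
    tags = parse_tags(dmarc[0])
    if tags is None or tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # missing or misspelled policy
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        return "invalid"
    if policy == "none" or int(pct) < 100:
        return "valid, not enforced"  # reporting only, or policy applied to a sample
    return "enforcement"

# Constructed sample answers; the domains are placeholders.
SAMPLES = {
    "unprotected.example": [],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "typo.example": ["v=DMARC1; p=rejected"],
    "dup.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:reports@enforced.example;"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:22} {classify(records)}")
```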
In one sense, it sounds like the tech sector is in dire peril. But it still leads other verticals.
Only 44% of U.S. banks have deployed DMARC, as have 37% of health concerns, and 18% of global media companies — statistics that might interest ministers in Brussels.
Revenue and protection levels seem to coincide.
Tech firms with no DMARC records average $4.97 billion in revenue. But companies with DMARC generate an average of $7.15 billion.
However, firms with DMARC at the enforcement level enjoy an average of $10.18 billion in revenue.
At the same time, 57% of publicly traded tech firms have DMARC, versus 40% of privately held outfits. And 55% of B2C firms have DMARC, compared with 49% of B2B.
Overall, 23% of all publicly traded companies across sectors have DMARC.
In a slightly more positive finding, 78.1% of tech companies have valid Sender Policy Framework (SPF) protection, but 16.2% have invalid SPF and 5.7% have none at all.
Valimail estimates that “75 percent of the world’s email inboxes are now covered by DMARC, including those at 100% of the major U.S. email providers such as Google, Microsoft, Oath, and others.”
Valimail has also signed numerous contracts with federal agencies over the past 12 months, and has helped many to comply with the DHS deadline.