Fortune 500 companies are the laggards when it comes to employing proper security mechanisms, according to Global DMARC Adoption 2019, a study by 250ok.
Only 23% of the big 500 have some form of DMARC (Domain-based Message Authentication, Reporting, and Conformance) in place. And those that do are way behind in protecting their data, the study notes.
For instance, 15% have a none policy, 3% have quarantine and only 5% observe reject, the strictest and most recommended protection level, the report continues.
In contrast, only 54% of SaaS providers have no policy in place. And they have shown an 11% improvement from 2017 to 2018.
Of all the 27,000+ sites studied worldwide, only 23.5% have DMARC. Broken down by policy, 12% have a policy of none, 2% quarantine and 9% reject.
Among the worst sectors studied is travel. It has a staggering 86% non-adoption rate — only 1% have a reject policy, while 2% have a quarantine policy and 11% a none policy. It’s no surprise, given the major breaches at Marriott, British Airways and Orbitz.
Meanwhile, 91% of nonprofits have no DMARC policy in place — a condition that can be attributed to their limited budgets. But they do hold a large amount of personal data about donors and sponsors.
Chinese companies are the most exposed — 93% have no DMARC. Of 307 sites studied, none have a reject policy.
The Chinese market’s adoption rate rose by 1.2% in 2018, but the market is still a poor performer.
The winner among the verticals is the executive branch of the United States government — 81.5% of all its domains have a reject policy. But the other branches of government lag — 87% of our legislators’ sites run without DMARC, as do 83% of the juridical sites.
“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” states Matthew Vernhout, director of privacy at 250ok.
Vernhout adds: “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”