Universities in the US, UK, and Australia are putting the email privacy of their students, faculty, and staff at risk by failing to block attackers from spoofing the schools’ email domains.
The enterprise security company Proofpoint released a report this Tuesday saying that universities in the United States, United Kingdom, and Australia have the worst internet protection levels, with the US at the highest risk level. Almost all of the top 10 universities in each of the three countries put the email security of their students, staff, and faculty at risk because they do not block attackers from spoofing the schools’ email domains.
The report was generated by analyzing the schools’ Domain-based Message Authentication, Reporting and Conformance (DMARC) records. DMARC is a decade-old email verification system that offers three levels of email protection: monitor, quarantine, and reject. The system validates the sender’s domain as an email is delivered to its destination. However, per the report, top universities have not enabled the reject level.
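The kind of record check described above can be reproduced on any domain's published DMARC policy. The following is an added example, not code from Proofpoint or its report: it classifies a DMARC TXT record (published at `_dmarc.<domain>`) by enforcement level. The function names and sample domains are hypothetical, and the sample records are constructed.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a usable DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the v=DMARC1 tag must come first. A record without p= is
    # treated as unusable here (a simplification for this example).
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1" or "p" not in tags:
        return None
    return tags

def enforcement_level(txt):
    """Map a TXT record to 'no policy', 'monitor', 'quarantine' or 'reject',
    with the pct value appended when the policy covers only part of the mail."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no policy"
    policy = tags["p"].lower()
    if policy == "none":          # p=none only reports; the article's "monitor" level
        return "monitor"
    if policy not in ("quarantine", "reject"):
        return "no policy"
    pct = tags.get("pct", "100")  # pct below 100 applies the policy to a sample of mail
    if pct.isdigit() and int(pct) < 100:
        return f"{policy} (pct={pct})"
    return policy

# Constructed sample records, keyed by hypothetical domains under .example.
SAMPLE_RECORDS = {
    "uni-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=50",
    "uni-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-c.example",
    "uni-d.example": None,            # no _dmarc TXT record published
    "parked.example": "v=spf1 -all",  # SPF record only, not DMARC
}

def summarize(records):
    """Count how many domains sit at each enforcement level."""
    return Counter(enforcement_level(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"_dmarc.{domain}: {enforcement_level(txt)}")
    print(dict(summarize(SAMPLE_RECORDS)))
```

Only the `reject` result at full coverage corresponds to the level the report found missing at top universities; `monitor` collects reports without blocking anything.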
The Executive Vice President for Cybersecurity Strategy of Proofpoint, Ryan Kalember, stated, “Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare. This, unfortunately, makes these institutions a highly attractive target for cybercriminals.”
Further, he said, “The pandemic and rapid shift to remote learning has further heightened the cybersecurity challenges for tertiary education institutions and opened them up to significant risks from malicious email-based cyberattacks, such as phishing.”
The problem is not limited to universities. Red Sift’s recent analysis of 64 million global domains showed that universities applied DMARC only in 2.1% of the domains. The London-based creator of a combined email and brand security platform reported that only 28% of publicly traded companies worldwide had applied the system, and 41% enabled the protocol at the initial level.
Proofpoint Industries Solutions and Strategy Leader Ryan Witt explains the reason by saying, “There can be a lack of awareness around the importance of implementing DMARC policies, as well as companies not being fully aware of how to get started on implementing the protocol. Additionally, a lack of government policy to mandate DMARC as a requirement could be a contributing factor.”
He said, “Further, with the pandemic and current economy, organizations may be struggling to transform their business model, so competing priorities and lack of resources are also likely factors.”
Craig Lurey, CTO and co-founder of Keeper Security, a zero-trust and zero-knowledge cybersecurity software provider in Chicago, described the challenges of setting up the technology: “It requires the ability to publish DNS records, which requires systems and network administration experience.” He further said, “There are several layers of setup required for DMARC to be implemented correctly. It needs to be closely monitored during policy implementation and rollout to ensure that valid email is not being blocked.”
Nicole Hoffman, a senior cyber threat intelligence analyst with Digital Shadows, a digital risk protection solutions provider in San Francisco, warned that DMARC wouldn’t protect against all email domain spoofing methods.
She said, “If you receive an email that appears to be from Bob at Google, but the email actually originated from Yahoo mail, DMARC would detect this. However, if a threat actor registered a domain that closely resembles Google’s domain, such as Googl3, DMARC would not detect that.” Lurey said, “Domains that are registered, but unused, are also at risk of email domain spoofing. Even when organizations have DMARC implemented on their primary domain, failing to enable DMARC on unused domains makes them potential targets for spoofing.”
Red Sift Senior Director of Global Channels Brian Westnedge told TechNewsWorld, “A lot of times, universities don’t have a centralized IT department. Each college has its own IT department operating in silos. That can make it a challenge to implement DMARC across the organization because everyone is doing something a little different with email.”