New Zealand government agencies are lagging both large corporates and Australian government in implementing a key email security protocol that helps to fight ransomware and other threats.
Just under 20 per cent of 372 government agencies scanned by Auckland-based email security company SMX had implemented "domain-based message authentication, reporting and conformance", or DMARC, in some form, compared with 34 per cent of the top 100 companies and 57.9 per cent of Australian federal government agencies.
However, only 1.6 per cent of NZ government agencies could be described as having solid implementations - ones that instructed that non-compliant emails be rejected or quarantined.
Seven per cent of NZ's top 100 companies were found to have solid implementations while 17 per cent of Australian federal government agencies did.
DMARC is an email authentication protocol released in 2015 and designed to fight email spoofing that can lead to the compromise of corporate systems, phishing attacks and scams.
While many more companies and agencies had some form of DMARC record, many were either still at the experimental phase or, worse, had misconfigured records, SMX said.
DMARC records were found in 57.9 per cent of Australian federal government agencies, 34 per cent of the top 100 NZ companies and 19.9 per cent of NZ government agencies.
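The survey's categories (no record, a misconfigured record, a monitor-only "experimental" record, and a solid record that rejects or quarantines non-compliant mail) map directly onto what a domain publishes in DNS. As an added example, not part of the article or of SMX's survey, the Python below classifies the TXT strings found at `_dmarc.<domain>` into those categories and flags the common weakening mistakes (no `rua=` reporting address, `pct=` below 100, duplicate records). Parsing follows RFC 7489; the domain names and records are constructed for illustration.

```python
"""Classify published DMARC records into adoption categories.

Added example, not from the article or the SMX report. Given the TXT strings
published at _dmarc.<domain>, report whether the domain has no DMARC record,
an invalid one, a monitor-only record (p=none) or an enforcing record
(p=quarantine / p=reject), plus notes on settings that weaken it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One DMARC tag: "name = value", surrounding whitespace ignored.
DMARC_TAG = re.compile(r"^\s*([a-zA-Z]+)\s*=\s*(.*?)\s*$")
VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    status: str                      # "none", "invalid", "monitor" or "enforcing"
    policy: Optional[str] = None     # value of the p= tag, if present
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; None if malformed."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if not part.strip():          # tolerate a trailing semicolon
            continue
        m = DMARC_TAG.match(part)
        if m is None:
            return None
        tag, value = m.group(1).lower(), m.group(2)
        if tag in tags:               # duplicate tags make the record ambiguous
            return None
        tags[tag] = value
    return tags


def assess_dmarc(txt_records: List[str]) -> DmarcAssessment:
    """Apply RFC 7489 section 6.6.3 discovery rules to a domain's TXT records."""
    # Only strings beginning with the version tag are DMARC records at all.
    candidates = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not candidates:
        return DmarcAssessment("none", notes=["no DMARC record published"])
    if len(candidates) > 1:
        # Receivers must ignore DMARC entirely when more than one record exists.
        return DmarcAssessment("invalid", notes=["multiple DMARC records; receivers apply none"])

    tags = parse_dmarc(candidates[0])
    if tags is None or tags.get("v") != "DMARC1":
        return DmarcAssessment("invalid", notes=["record does not parse"])

    policy = tags.get("p", "").lower()
    notes: List[str] = []
    if policy not in VALID_POLICIES:
        if "rua" in tags:
            # RFC 7489: bad/missing p= with a rua= address is treated as p=none.
            notes.append("missing or invalid p= tag; receivers treat it as p=none")
            return DmarcAssessment("monitor", policy or None, notes)
        return DmarcAssessment("invalid", policy or None, ["missing or invalid p= tag"])

    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so authentication failures go unseen")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        notes.append(f"pct={pct}: policy applied to only part of the mail stream")

    status = "monitor" if policy == "none" else "enforcing"
    return DmarcAssessment(status, policy, notes)


# Constructed sample record sets (hypothetical domains, not real agency data).
SAMPLE_DOMAINS = {
    "no-dmarc.example":  ["site-verification=abc123"],
    "monitor.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"],
    "partial.example":   ["v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example"],
    "broken.example":    ["v=DMARC1; p=rejekt"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def survey(domains: Dict[str, List[str]]) -> Dict[str, int]:
    """Tally statuses across a set of domains, as an adoption survey would."""
    tally = {"none": 0, "invalid": 0, "monitor": 0, "enforcing": 0}
    for txts in domains.values():
        tally[assess_dmarc(txts).status] += 1
    return tally


if __name__ == "__main__":
    for domain, txts in SAMPLE_DOMAINS.items():
        result = assess_dmarc(txts)
        print(f"{domain:20} {result.status:10} {'; '.join(result.notes)}")
    print(survey(SAMPLE_DOMAINS))
```

Only "enforcing" results with no notes correspond to the article's "solid implementation"; a `p=reject` record with `pct=10` or no `rua=` address counts as enforcing here but is exactly the kind of half-finished rollout the survey describes. To run this against live domains, feed `assess_dmarc` the TXT answers for `_dmarc.<domain>` from any DNS resolver library.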
According to CERT NZ, financial losses due to scams and fraud totalled $14.5 million in 2019, with 87 per cent of that being due to email fraud.
There was a 25 per cent increase in phishing and credential harvesting incidents compared to 2018.
Ransomware attacks, which are typically launched via email, are particularly threatening, with CERT NZ reporting last year that 70 per cent of the ransomware attacks reported to the agency since it was set up led to some form of loss for the victim.
SMX co-founder and email evangelist, Thom Hooker, said that despite the security advantage DMARC offers, uptake of it remains low across both business and government in New Zealand.
Hooker said this poor uptake continued to put businesses and individuals at risk of financial or data loss while government agencies ran the risk of exposing personal data due to a privacy breach originating from an email scam.
"Given how much personal data is stored digitally with government agencies, each agency has a duty to take all appropriate measures to protect that data," he said.
"Our research shows that while a small number of government agencies clearly understand the risks and have implemented DMARC, many either do not or have been slow in adopting DMARC."
Many of those who had gone down the DMARC path, however, had either failed to implement it fully or had made mistakes in doing so, both of which can lead them to underestimate the value it provides.
"There clearly is a need for more education in the market," Hooker said.
DMARC should be a de facto part of any organisation’s security approach and its global uptake is vital to helping fight email-based cyber threats.
DMARC, he said, was one of the most significant evolutions in the history of email and it was time more organisations made use of it to protect themselves and their customers.
That 66 per cent of top 100 companies and 80 per cent of government agencies in New Zealand have no DMARC at all was "shameful", Hooker said.
The NZ government chief information security officer, Andrew Hampton, has been asked for comment.