Three quarters of gov.uk websites ‘not secure’

Written by Peter Walker
18/03/19

With only a few weeks to go before the retirement of the Government Secure Intranet (GSI) platform, just 28 per cent of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC).

This means that nearly three-quarters are not meeting the minimum standard recommended by the UK Government Digital Service (GDS) for authenticating email.

Data security company Egress analysed the domains and found that several government email administrators have not prepared for the domain migration, which in effect leaves users of those domains open to phishing attacks.

Since 1996, the GSI framework has enabled connected organisations to communicate electronically and securely at low protective marking levels.

DMARC is an email validation system designed to detect and prevent email spoofing, so that senders and recipients can better determine whether a given message really comes from the domain it claims to. It builds on SPF and DKIM: a message passes DMARC only if at least one of those checks succeeds for a domain that aligns with the domain shown in the message’s From: header. The domain owner publishes its policy in a DNS TXT record, and with DMARC fully enabled that policy tells receiving mail servers whether a message that fails the check should be placed in quarantine or rejected outright.

Egress looked at more than 2,000 email domains to check whether public sector organisations have DMARC enabled, and whether they are implementing it in line with the government’s guidance.

Neil Larkins, chief technology officer at Egress, said it was startling to see that so many public sector organisations effectively cannot provide full assurance over their email network’s ability to withstand phishing attacks.

Of the 28 per cent that have set up DMARC themselves, 53 per cent have the policy set to ‘do nothing’ (p=none), meaning that spoofing and Business Email Compromise (BEC) can’t be prevented for these domains: a message that fails the check is still delivered to the recipient’s inbox, regardless of whether it came from a trusted sender or not.

Organisations that instead rely on a default gov.uk DMARC setting will also not be taking advantage of the ‘reject’ policy, so fewer than 14 per cent of organisations are using DMARC effectively to stop phishing attacks.
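To make concrete what the DMARC mechanism described above does, and why a ‘do nothing’ policy leaves a spoofed message in the inbox, the following Python script is an added worked example. It is not code from Egress, GDS or the original article. It parses a DMARC TXT record and applies it to a message’s SPF and DKIM results following the evaluation rules of RFC 7489 (identifier alignment, the p= and sp= dispositions, the adkim= and aspf= alignment modes); the pct=, rua= and ruf= tags are ignored because they do not change the disposition of a single message. The public-suffix table, the domain names and all sample records and messages are constructed for the example, and the record passed in is assumed to be the one a receiver has already fetched for the From domain (or its organisational domain).

```python
"""DMARC record parsing and policy evaluation.

Added example, not code from Egress, GDS or the original article. It
follows the evaluation rules of RFC 7489 (SPF/DKIM identifier alignment,
p= / sp= dispositions, adkim= / aspf= alignment modes) and skips the
pct=, rua= and ruf= tags, which do not change the disposition of a
single message. The public-suffix table and all records and messages
below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed, minimal stand-in for the Public Suffix List. gov.uk is a
# public suffix, so the organisational domain of mail.dept.gov.uk is
# dept.gov.uk, not gov.uk (hypothetical domain names throughout).
PUBLIC_SUFFIXES = ("gov.uk", "co.uk", "org.uk", "uk", "com", "net")

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records: the 'do nothing' policy the article describes,
# a reject policy with strict alignment, and a reject policy that quietly
# relaxes the rule for subdomains.
DO_NOTHING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@dept.gov.uk"
REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@dept.gov.uk"
REJECT_LOOSE_SUBDOMAINS = "v=DMARC1; p=reject; sp=none"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs.

    Raises ValueError for records a receiver would not honour: missing
    v=DMARC1, missing p=, or an unknown policy value.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    return tags


def organisational_domain(domain: str) -> str:
    """Return the registrable (organisational) domain, e.g. mail.dept.gov.uk -> dept.gov.uk."""
    domain = domain.lower().rstrip(".")
    suffix = max((s for s in PUBLIC_SUFFIXES if domain == s or domain.endswith("." + s)),
                 key=len, default="")
    if not suffix or domain == suffix:
        return domain
    label = domain[: -len(suffix) - 1].rsplit(".", 1)[-1]
    return f"{label}.{suffix}"


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organisational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return organisational_domain(auth_domain) == organisational_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiving MTA already knows about a message before DMARC runs."""
    from_domain: str            # domain of the RFC5322.From header the user sees
    spf_pass: bool = False
    spf_domain: str = ""        # RFC5321.MailFrom domain that SPF was checked against
    dkim_pass: bool = False
    dkim_domain: str = ""       # d= of the DKIM signature that verified


def evaluate_dmarc(record: str, msg: AuthResults) -> dict:
    """Apply the From-domain owner's DMARC record to one message's auth results."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "deliver", "policy": None}
    # A message from a subdomain of the record's domain takes sp= when present, else p=.
    is_subdomain = organisational_domain(msg.from_domain) != msg.from_domain.lower().rstrip(".")
    policy = tags["p"]
    if is_subdomain and tags.get("sp") in VALID_POLICIES:
        policy = tags["sp"]
    # p=none is the 'do nothing' setting: the failure is reported but the
    # message is still handed to the recipient.
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return {"result": "fail", "disposition": disposition, "policy": policy}


if __name__ == "__main__":
    # Constructed spoof: From: claims dept.gov.uk, SPF passed only for the attacker's own domain.
    spoof = AuthResults(from_domain="dept.gov.uk", spf_pass=True, spf_domain="attacker.example")
    for name, rec in (("p=none", DO_NOTHING), ("p=reject", REJECT)):
        print(name, evaluate_dmarc(rec, spoof))
```

Two points the script makes visible: under `DO_NOTHING` the spoofed message fails DMARC yet the disposition is still `deliver`, which is exactly the ‘do nothing’ state the survey counts; and a record such as `REJECT_LOOSE_SUBDOMAINS` lets a message from `mail.dept.gov.uk` through even though the parent domain is set to reject, so an audit should read `sp=` as well as `p=`. To check a real domain, fetch the record the receiver would fetch with `dig TXT _dmarc.<domain>` and pass its value to `parse_dmarc`.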

GDS recently announced that it has stopped issuing new .gsi-family domains and has updated its email security guidance for government email administrators. The guidance aims to help make sure an organisation’s email service is configured and run securely. As a minimum, GDS recommends using the Transport Layer Security (TLS) protocol to encrypt email in transit and DMARC to authenticate it.