Denmark Tops in Digital Quality of Life, US in Fifth Place
The report is based on an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) records at the schools. DMARC is a nearly decade-old email validation protocol used to authenticate a sender’s domain before delivering an email message to its destination.
The protocol offers three levels of protection — monitor, quarantine, and the strongest level, reject. None of the top universities in any of the countries had the reject level of protection enabled, the report found.
“Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare,” Proofpoint Executive Vice President for Cybersecurity Strategy Ryan Kalember said in a statement.
“This, unfortunately, makes these institutions a highly attractive target for cybercriminals,” he continued. “The pandemic and rapid shift to remote learning has further heightened the cybersecurity challenges for tertiary education institutions and opened them up to significant risks from malicious email-based cyberattacks, such as phishing.”
Barriers to DMARC Adoption
Universities aren’t alone in poor DMARC implementation.
A recent analysis of 64 million domains globally by Red Sift, a London-based maker of an integrated email and brand protection platform, found that only 2.1 percent of the domains had implemented DMARC. Moreover, only 28% of all publicly traded companies in the world have fully implemented the protocol, while 41% enabled only the basic level of it.
There can be a number of reasons for an organization not adopting DMARC. “There can be a lack of awareness around the importance of implementing DMARC policies, as well as companies not being fully aware of how to get started on implementing the protocol,” explained Proofpoint Industries Solutions and Strategy Leader Ryan Witt.
“Additionally,” he continued, “a lack of government policy to mandate DMARC as a requirement could be a contributing factor.”
“Further,” he added, “with the pandemic and current economy, organizations may be struggling to transform their business model, so competing priorities and lack of resources are also likely factors.”A D V E R T I S E M E N T
The technology can be challenging to set up, too. “It requires the ability to publish DNS records, which requires systems and network administration experience,” explained Craig Lurey, CTO and co-founder of Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, in Chicago.
In addition, he told TechNewsWorld: “There are several layers of setup required for DMARC to be implemented correctly. It needs to be closely monitored during implementation of the policy and the rollout to ensure that valid email is not being blocked.”
No Bullet for Spoofing
Nicole Hoffman, a senior cyber threat intelligence analyst with Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented incorrectly, it can break things and interrupt business operations,” she told TechNewsWorld.
“Some organizations hire third parties to help with implementation, but this requires financial resources that need to be approved,” she added.
She cautioned that DMARC will not protect against all types of email domain spoofing.
“If you receive an email that appears to be from Bob at Google, but the email actually originated from Yahoo mail, DMARC would detect this,” she explained. “However, if a threat actor registered a domain that closely resembles Google’s domain, such as Googl3, DMARC would not detect that.”
Unused domains can also be a way to evade DMARC. “Domains that are registered, but unused, are also at risk of email domain spoofing,” Lurey explained. “Even when organizations have DMARC implemented on their primary domain, failing to enable DMARC on unused domains makes them potential targets for spoofing.”
Universities’ Unique Challenges
Universities can have their own set of difficulties when it comes to implementing DMARC.
“A lot of times universities don’t have a centralized IT department,” Red Sift Senior Director of Global Channels Brian Westnedge told TechNewsWorld. “Each college has its own IT department operating in silos. That can make it a challenge to implement DMARC across the organization because everyone is doing something a little different with email.”
Witt added that the constantly changing student population at universities, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack and compromise.A D V E R T I S E M E N T
Furthermore, he continued, many academic institutions have an associated health system, so they need to adhere to controls associated with a regulated industry.
Funding can also be an issue at universities, noted John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company. “The biggest challenges to universities is low funding of security teams — if they have one — and low funding of IT teams in general,” he told TechNewsWorld.
“Universities don’t pay particularly well, so part of it is a knowledge gap,” he said.
“There is also a culture in many universities against implementing any policies that could impede research,” he added. “When I worked at a university 15 years ago, there were knock-down drag-out fights against mandatory antivirus on workstations.”