Regulatory Support for Email Security

October 31, 2018
Trent Adams

Email continues to be the most common method used to gain unauthorized access to corporate systems and perpetrate cyber fraud. More specifically, targeted business email compromise (BEC) attacks stand out as a major problem. With a recent survey indicating that 89% of organizations reported BEC attacks in the fourth quarter of 2017, it is clearly not an isolated method of fraud. To put a dollar figure on it, the FBI estimates that BEC attacks account for over $12 billion in losses since 2013, making BEC the class of cyber-facilitated crime with the highest out-of-pocket losses.

In clear recognition of this alarming trend, the US Securities and Exchange Commission (SEC) recently put all companies under its jurisdiction on notice that they must employ effective email security or potentially face fines.  The SEC report was the result of an investigation into nine public companies that fell victim to communications fraud.  In these cases, the victims were fooled by criminals posing as company executives or their vendors.  The SEC estimated that the companies they investigated lost approximately $100 million to the BEC fraud.

Taken in context, the latest SEC report contributes to an emerging pattern.  Over the past few years, government agencies around the world have started directly tackling email security.  Regulatory agencies start by recommending security controls, then begin to require them, and that leads to enforcement.  They often focus on technologies that defend against email spoofing and impersonation, common tactics employed in BEC attacks.

When updating their Guidelines on Electronic Mail Security, the US National Institute of Standards and Technology (NIST) published “Trustworthy Email” in 2016. In it, NIST states that all US Federal systems should fully authenticate and verify email they send and receive.  By employing technologies such as SPF, DKIM, and DMARC, government agencies can ensure that email has not been spoofed.

Then in 2017, the US Federal Trade Commission (FTC) published similar guidance.  Their report concluded that “businesses can help reduce the number of phishing email messages and protect their reputations by fully implementing the low cost, readily available email authentication solutions.”  This closed the loop between government and commercial entities, with both agreeing that email authentication is a key defense against impersonation that can lead to fraud.

In the first requirement of its type in the US, the Department of Homeland Security (DHS) published Binding Operational Directive (BOD) 18-01, mandating many of NIST’s email security guidelines. BOD 18-01 set an ambitious goal: all Federal agencies were to be fully compliant with a DMARC “reject” policy within one year. Even though only about 75% of agencies were compliant by the deadline, their herculean effort will likely spur similar mandates.
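To show what a "reject policy" compliance check amounts to in practice, here is an added example (written for this page, not Proofpoint's code or any agency's tooling): a small Python parser for DMARC TXT records that reports whether a published policy actually enforces reject. The sample records are constructed, and the strictness rules beyond p=reject (the subdomain policy and pct must not weaken it; rua is recommended) are this example's own reading of RFC 7489.

```python
# Added example (not from the original post or from Proofpoint): parse a DMARC
# TXT record and decide whether it satisfies a "reject" requirement of the kind
# BOD 18-01 set. The sample records below are constructed; the strictness rules
# (subdomain policy and pct must not weaken p=reject) are this example's own.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: Optional[str]            # p= tag, or None if absent/invalid
    subdomain_policy: Optional[str]  # sp= tag; RFC 7489 says it defaults to p
    pct: int                         # pct= tag; defaults to 100
    rua: List[str] = field(default_factory=list)      # aggregate report URIs
    problems: List[str] = field(default_factory=list)  # syntax errors found


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value list of a DMARC TXT record (RFC 7489 section 6.3).

    Unknown tags are ignored, as receivers ignore them; syntax errors that
    would make a receiver discard the record are collected in `problems`.
    """
    tags = {}
    order = []
    problems: List[str] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            problems.append(f"duplicate tag {key!r}")
        tags[key] = value
        order.append(key)

    # v=DMARC1 is mandatory and must be the first tag in the record.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")

    policy = tags.get("p", "").lower() or None
    if policy not in VALID_POLICIES:
        problems.append(f"missing or invalid p tag {policy!r}")
        policy = None

    sp = tags.get("sp", "").lower() or None
    if sp is not None and sp not in VALID_POLICIES:
        problems.append(f"invalid sp tag {sp!r}")
        sp = None

    pct = 100
    if "pct" in tags:
        try:
            pct = int(tags["pct"])
            if not 0 <= pct <= 100:
                raise ValueError
        except ValueError:
            problems.append(f"invalid pct tag {tags['pct']!r}")
            pct = 100

    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sp, pct, rua, problems)


def meets_reject_requirement(txt: str) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons).

    Compliant means the record parses, p=reject, the effective subdomain
    policy is also reject, and pct is 100, so the policy really applies to
    every failing message on every subdomain. A missing rua is only a warning.
    """
    rec = parse_dmarc(txt)
    failures = list(rec.problems)
    if rec.policy != "reject":
        failures.append(f"p={rec.policy} is not reject")
    effective_sp = rec.subdomain_policy or rec.policy
    if effective_sp != "reject":
        failures.append(f"subdomain policy {effective_sp} weakens enforcement")
    if rec.pct != 100:
        failures.append(f"pct={rec.pct} applies the policy to only part of the mail")
    warnings = []
    if not rec.rua:
        warnings.append("warning: no rua, so aggregate reports will not arrive")
    return (not failures, failures + warnings)


if __name__ == "__main__":
    # Constructed sample records; example.gov is a placeholder domain.
    for record in (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.gov",
        "v=DMARC1; p=reject; pct=50",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
        "p=reject; v=DMARC1",
    ):
        ok, reasons = meets_reject_requirement(record)
        print(f"{record!r}: {'COMPLIANT' if ok else 'NOT compliant'} {reasons}")
```

Run against the TXT record at `_dmarc.<domain>` to see why a record that looks like p=reject may still fall short: sp=none leaves subdomains unprotected, and pct below 100 samples only a fraction of failing mail.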

The US was not, however, the first government to mandate comprehensive email authentication.  Even though the UK’s “National Cyber Security Strategy 2016-2021” only presents high-level guidance, in 2016 the HM Revenue and Customs (HMRC) department leaped ahead and began to require all of its email be fully authenticated.  The directive made it clear that email sent from their domains must pass DMARC verification, essentially closing the door on spoofing.  Similar to the IRS, the HMRC is constantly impersonated in phishing attacks targeting UK citizens.  As a measure of their success, the HMRC reported 300 million fewer attacks than the year before the requirement went into effect.

The Dutch Standardisation Forum also moved DMARC to their “comply or explain” list in 2017.  This designation requires all governmental agencies in the Netherlands to either fully authenticate the email they send and receive, or explain the reasons why they cannot. This shift from their “recommended” to “mandatory” list indicates that effective defenses are mature enough to be required.

While not a regulatory requirement yet, the German BSI (a rough equivalent to NIST) published “E-Mail Security: Recommended Actions for Internet Service Providers” back in 2014. In it, the BSI enumerated the technologies necessary to prevent spoofed email attacks.  Similar guidance was published by the Australian Cyber Security Centre (ACSC) in their “Malicious Email Mitigation Strategies.”

With the foundation laid, it won’t be long before we see more guidelines becoming requirements. And with the HMRC, DHS, and SEC having made the leap, who will be next to mandate enhanced email security?
