The UK government is mandating the use of the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol as well as HSTS and HTTPS as of Saturday in a major boost to its cybersecurity credentials.
The Cabinet Office’s Government Digital Service (GDS) will require that the strongest DMARC policy (“p=reject”) be the default for email services from 1 October.
It is hoped that this will fortify systems against phishing and similar spoofing scams. The HMRC, one of the most ‘phished’ government departments, has apparently been using DMARCand other technologies including SPF and DKIM for a number of years.
The use of HSTS and HTTPS, meanwhile, will encrypt information to and from government websites to help protect against Man in the Middle and other attacks.
“Email is the number one entry point for data breaches, and the use of DMARC email authentication protocol for all .gov email domains will greatly reduce the risk of breaches and cyber-attacks,” he argued.
“This includes targeted email attacks such as Business Email Compromise (BEC) and spear phishing, which target governmental staff by impersonating senior officials, and phishing attacks that target members of the public by spoofing the .gov brand.”
The move will certainly go some way to improving the government’s cybersecurity posture, but it will have to do more about accidental data loss if it wants to really prevent breaches.
The NHS topped the list of security incidents reported to the Information Commissioner’s Office (ICO) in the period 1 January – 31 March 2016 alone, according to an FoI request by Egress revealed in June.
In total, human error (62%) accounted for the vast majority of incidents, far more than insecure webpages and hacking (9%).