Leading UK firms are still failing to implement basic layers of email security to protect themselves from brand abuse and their customers from phishing attacks, email vendor Agari has reported in its latest Q3 ranking.
The firm has previously focussed on the state of email security among US firms finding a mixed picture with some sectors doing well and others lagging. It turns out that things are generally worse in the UK, with three quarters ranked as "easy targets" in terms of best practices.
Brands rated as easy included Barclays, Deutsche Bank, Royal Bank of Scotland, Virgin Money, Tesco, Ladbrokes, William Hill, Sky/Sky Bet, Shop Direct, Schroders, and, unexpectedly, department store-cum-middle class religion, John Lewis.
Middle rankers - described as 'under construction' - included Sainsburys, KBC Bank, Wonga, and Rental Cars. No firm made the top rung, 'rock stars'.
The two obvious questions are how Agari comes up with these ratings and what motivates some firms to be so much better at securing themselves and their customers from email and phishing abuse than others.
The ratings are based on a mixture of how often domains are targeted by phishing and other spoofed attacks and the extent to which the brands implement email security on key domains to fight back against this abuse.
On this assessment, the use of the technical standards matter. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) have been around for years and are a bare minimum these days, while the more recent DMARC (Domain-based Message Authetication, Reporting and Conformance) is now considered advisable.
Staggering to report but some of the brands assessed didn't implement any of these - stand up Deutsche Bank while several others did but forgot about DKIM and DMARC.
According to Agari's founder and CEO, Patrick Peterson, younger firms specialising in online sales and social media tended to be better, most likely because email issues were front of mind. Older firms and the banking sector in particular seemed less likely to bother.
"The findings of this Email TrustIndex indicate that many UK businesses are still not taking the necessary steps to protect their customers from email-borne phishing attacks," said Peterson.
"Indeed, it's concerning to see that so many well-established organisations, including leading banks and retailers, are easy targets."
Email's gaping hole was its lack of authentication. A given email could come from anyone and there is no way of telling whom. SPF, DKIM and DMARC was attempts to retrofit some of this security on to email.
"While there are a select few organisations that are starting to adopt all three standards, a number of them are only implementing one or two, with SKY, Ladbrokes and Deutsche Bank not progressing with any of the three. This isn't good enough. Only by providing comprehensive email authentication that includes SPF, DKIM and DMARC, will organisations be defending their reputation and fulfilling their responsibility to their customers."