Healthcare and banks fall short on spam and phishing protection

Agari's TrustIndex 2014 names the leaders - and laggards

Despite being relentlessly targeted by phishing and spam, the banking and healthcare sectors are still the least likely to use email security technologies to protect their customers, according to Agari's Email TrustIndex for 2014.

As reported in the past, Agari's TrustIndex is an attempt to calculate an overall security score for individual firms in 11 sectors by setting how often each is targeted against its adoption of email anti-spoofing technologies that protect against exploitation.

In principle, firms that are targeted relatively infrequently and adopt all three of the main email protection technologies - SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) - will achieve the highest final score.

In practice, however, firms in all sectors are targeted by criminals for periods in any year and so adopting a high level of email security is the most important way of getting a better rating.

For 2014, the US healthcare sector scored rock bottom, with an extraordinary 93 percent given an overall 'TrustScore' below 50, meaning they were considered to be vulnerable. None were rated as merely 'at risk' (i.e. average), with a mystery 7 percent achieving excellence in the top 'safe' category.

In other words, healthcare is a sector marked by a mass of firms with low adoption rates and a tiny number with extremely high adoption rates. Given the number of breaches in healthcare, it's a curious contrast between what Agari would characterise as good and bad practice.

Banking wasn't much better with 75 percent of European banks and 62 percent of large global brand banks rated as 'vulnerable' with scores below 50. In both sectors, all of the rest were merely 'at risk'. In contrast, mega banks achieved the top rating which suggests a surprisingly wide variation in performance for this sector too.

Just above this abysmal performance were traditional retail (i.e. not exclusively online), airlines, and travel, with the best performers in addition to mega-banks being social media and logistics.

Agari names firms within sectors it thinks have done a good job, with Facebook, Apple, Netflix, American Express, Amazon, Visa, UPS and Google all in the top category.

In the second tier were DHL, Gap, Flickr, US Postal, William Hill and UK retailers John Lewis and Tesco, leaving the Royal Bank of Scotland, Sears, US Airways, Walmart, and Dell among others to languish in the lowest TrustIndex category.

"We saw a record number of US data breaches in 2014 and cyber-attacks are a steady drumbeat of increasing breadth and severity, with the FBI now ranking cybercrime as one of its top law enforcement activities," said Agari's founder and CEO, Patrick Peterson.

"For all its ubiquity and convenience, email remains the single most effective and widely used vector of attack. Our State of Email Trust report shows that companies are starting to take email security more seriously, but there's still a long, long way to go."

He praised President Obama's recent executive order that firms share threat data with one another as a "step in the right direction."

In December, Agari looked at email security adoption rates among the UK's best-known firms - none achieved the top 'rock star' rating.


Stories by John E Dunn
