
PodChats for FutureCISO: The business value of DMARC

by allantan
April 9, 2024

Some 126 business emails per person go out daily, or 124.5 billion work emails sent and received every day. The Email Statistics Report of Radicati Group claims that customers are most likely to interact with a brand through the email notifications they receive from it rather than use email as an interpersonal communication tool, which shows that email has value beyond the usual open and reply rates.

At 62.86%, email remains the preferred communication channel among businesses. According to Statista, people check their work emails 172 minutes a day while Harvard Business Review claims professionals check their emails an average of 15 times a day.

With so much information, much of it undoubtedly business-critical, and with the proliferation of tools to illegally tap or hack those messages, how are companies protecting such critical assets?

Using the travel industry as an example, Robert Holmes, group VP of sender security and authentication at Proofpoint, comments that the return of pre-COVID passenger levels in Singapore has prompted tighter border control, placing high importance on passport verification and security screening for entry.

Extending the analogy to email security: SMTP (Simple Mail Transfer Protocol), a classic email protocol, lacks inherent security, which makes impersonation easier. Holmes says DMARC (Domain-based Message Authentication, Reporting and Conformance) remedies this vulnerability, like passport control, by authenticating senders.

He argues that without DMARC, email security remains compromised, enabling threat actors to exploit identities for malicious purposes. Just as passport control bolsters border security, DMARC enhances email integrity, safeguarding against phishing and ransomware attacks. “Implementing DMARC and email safety protocols then becomes imperative to ensure digital trust and security,” Holmes adds.

That said, Holmes points to DMARC as an additive to email security – it does not replace current solutions organisations may have in place.


“So long as you publish the right policies, and enforce those policies, we can operate on an interoperable basis,” he continues. And for Holmes, this is the ‘beauty’ of the (DMARC) standard. You can opt into the standard.

The DMARC carrot and stick

He contends that by publishing a DMARC policy and adjusting it based on feedback, organisations can enhance security.

Holmes argues that deploying DMARC will protect employees, customers, and partners from abuse of the company’s domain. “However, failure to adopt DMARC could lead to external emails being blocked or relegated to junk folders by major providers like Google, Yahoo, and Apple. And these big email providers are saying if I can't prove who you are, you're more likely to get blocked, even if it's legitimate,” he cautions.

According to Holmes, while companies can manage DMARC deployment themselves, it demands continuous monitoring and adjustment. But, despite the challenges, the benefits of these authentication protocols still outweigh the complexities.

As for the bad news, Holmes laments that not many companies know about Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), DMARC, or SMTP. “The challenge is that there's a specialist knowledge, and if you get it wrong, then legitimate email does not get delivered,” he cautions.

How much and where does the budget for email security come from

Holmes says that even if it is deployed in the messaging teams, it is often paid for in the Information Security budgets. “So, while marketing teams are an interested stakeholder, this falls onto information security and messaging to deploy,” he adds.


The more complex an organisation, the more domains and cloud service providers it uses to send emails on its behalf, and the more mail flow owners it needs to chase down. “It becomes a little bit like herding cats,” posits Holmes. “The expertise does exist, but candidly, that's why my product line exists to help simplify and outsource that.”

Holmes concedes that the cost of securing emails is not an easy pill for information security professionals to swallow. He contends that it's good value for money because it helps make you more secure and helps deliver more emails.

“The most recent research even suggests that the average cost of a ransomware attack is US$4.5 million. For business email compromise, the average loss is around US$100,000. It doesn't take many of those threats to be blocked for such a technology to pay for itself,” argues Holmes.

Click on the PodChat player and hear Holmes expand on the business value of DMARC.

  • In the context of today’s business environment, what is a DMARC? What does it mean for the non-technical expert? Why should they care?
  • In your view, what is the percentage of emails currently using this DMARC protocol? Does the non-use of DMARC weaken those who do use it?
  • Why do we need a DMARC policy (standard)?
  • How do we prepare for this evolving digital landscape?
  • When it comes to emails, who is in charge of border controls?
  • Is incorporating DMARC going to be an expansive initiative?
  • With AI a force for good and bad, can we rely on DMARC alone to protect email?
  • What is your message to technology, security and business leaders in 2024?