Email fraud identified as top attack vector - Proofpoint
More than three quarters of ASX 200 companies are subjecting their customers, partners and employees to higher risks of email fraud, according to cybersecurity and compliance company Proofpoint.
The new research from the company found that 78% of ASX 200 listed companies have not implemented the recommended and strictest level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud.
While 69% of ASX 200 companies have adopted a DMARC protocol, only 22% are properly implementing DMARC to the highest level by blocking suspicious emails.
Proofpoint senior director advanced technology group APJ Steve Moros says, “Email continues to be the number one threat vector for cyber criminals, and as some of the most recognisable brands in Australia, ASX 200 companies are and have been obvious targets for email-borne attacks.
“All organisations with or without a hybrid working model rely heavily on the email ecosystem to conduct business between suppliers and vendors, employees, customers, and partners, so the risk of compromise and brand damage is high.
“Yet Proofpoint research shows Australian organisations are underperforming when it comes to adopting people-centric cybersecurity solutions necessary to prevent adverse outcomes and reduce the risk of human (employee) activated attacks.”
Email-based attacks dominated the threat landscape in 2021 as Australia becomes a key target
Proofpoint’s analysis shows Australia is lagging its global counterparts in DMARC adoption, against a backdrop of increased incidents of email-based cyber attacks.
The United States’ Fortune 1,000 index shows an 82% DMARC adoption rate, the United Kingdom’s FTSE 100 and FTSE 250 sit at 72% adoption, and France’s CAC 40 at 75%.
At the same time, Proofpoint’s recent State of the Phish Report found Australian organisations are experiencing greater adverse outcomes from successful email-based cyber attacks compared to other countries including the US, UK and Japan.
The report highlighted 90% of Australian survey respondents said their organisation faced spear phishing, business email compromise (BEC) and email-based ransomware attacks in 2021.
In addition, 92% of Australian organisations experienced a successful phishing attack, the highest of any country surveyed and a 53% increase from 2020.
According to Proofpoint’s analysis of ASX 200 companies, the lack of protection against email fraud is commonplace across all sectors, exposing countless parties to imposter emails.
These BEC attacks are designed to trick victims into thinking they received an email from an organisation leader like the CEO or CFO asking them to transfer funds (known as wire fraud), release sensitive or personally identifiable information, or hand over their credentials.
A 2021 report released by the Australian Cyber Security Centre (ACSC) identified BEC as an increasing threat to Australian businesses, with the average loss per successful BEC amounting to $50,600 – more than one and a half times higher than the previous financial year.
Moros concludes, “Business email compromise is one of the most common and disruptive types of attacks facing those organisations without proper protocols in place to secure their email communication channels. In fact, a 2021 Proofpoint survey of 100 Australian CISOs revealed BEC topped the list of attacks they felt most at risk from over the next 12 months.
“A major cyber breach on the ASX 200 would reverberate far and wide and have the potential to financially impact many stakeholders and organisations. This year marks ten years since the DMARC protocol was created; however, it is concerning to see that some of Australia’s most prominent organisations are yet to leverage best-practice technology to protect themselves.
“As the number of successful email attacks continues to rise in Australia, equipping employees with the knowledge and tools necessary to protect themselves and critical organisational information remains paramount and must be a high priority.
“In addition to employee awareness training, cybersecurity standards create a definitive and clear baseline for security that organisations can rely on to protect themselves. The ACSC already mandates stringent email authentication standards, including DMARC, for all public sector organisations. It’s time all private companies also follow suit and reduce their attack surface area.”
To clarify, DMARC is an open email authentication protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing the message to reach its intended recipient.
Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains: monitor, which allows unqualified emails to go to the recipient's inbox or other folders; quarantine, which directs unqualified emails to the junk or spam folder; and reject, the highest level of protection, which blocks unqualified emails from getting to the recipient.
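How the three levels appear in a published record, as an added example that is not from the article or from Proofpoint: the level is the `p=` tag of the TXT record at `_dmarc.<domain>`, where `p=none` corresponds to monitor. The function names, the `full_reject` field and the sample records are constructed for illustration, and the strict parsing is an assumption of this sketch.

```python
# Added example; the sample records are constructed, not real domains' policies.
# Keys are the p= values defined in RFC 7489; values are the article's level names.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}
NO_POLICY = {"level": "no-policy", "pct": None, "full_reject": False}


def parse_dmarc(txt):
    """Return the tags of one TXT string, or None if it is not a DMARC record."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None  # assumption: a malformed tag discards the whole record
        pairs.append((name.strip(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None  # v=DMARC1 must be the first tag (this also skips SPF records)
    tags = {}
    for name, value in pairs:
        tags.setdefault(name, value)
    return tags


def classify(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(found) != 1:
        return dict(NO_POLICY)  # zero or several DMARC records: no policy applies
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        if "rua" not in tags:
            return dict(NO_POLICY)
        policy = "none"  # RFC 7489 6.6.3: unusable p plus rua is treated as p=none
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # assumption: an unreadable pct falls back to the default
    # Only p=reject applied to 100% of mail is the strictest level.
    return {"level": LEVELS[policy], "pct": pct,
            "full_reject": policy == "reject" and pct == 100}


if __name__ == "__main__":
    for sample in (["v=DMARC1; p=none; rua=mailto:reports@example.com"],
                   ["v=DMARC1; p=quarantine; pct=50"],
                   ["v=spf1 -all", "v=DMARC1; p=reject"]):
        print(sample, "->", classify(sample))
```

A domain can count as having "adopted DMARC" while publishing `p=none` or a `pct` below 100, which is why the check reports `full_reject` separately from the level.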