SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Email security gaps leave Asia Pacific firms vulnerable

Yesterday

According to recent research by the cybersecurity firm Proofpoint, only 12% of top organisations in the Asia Pacific region have implemented the recommended levels of email authentication, leaving the majority exposed to potential cyber threats.

The findings show that phishing attacks, a common email fraud methodology, increased by nearly 60% in 2024 compared to the previous year. This rise highlights the importance of adopting protective measures like the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which helps prevent email spoofing.

DMARC is designed to verify the sender's identity, preventing suspicious emails from reaching their intended recipients. It operates on three levels: monitor, quarantine, and reject, with reject being the most secure option. Proofpoint's study assessed DMARC adoption among companies listed on the Forbes Global 2000 within the Asia Pacific region.
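The three levels correspond to the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>`, with "monitor" being `p=none`. The following sketch is an added example, not Proofpoint's methodology or tooling; it classifies records into those levels, and the domains and records in it are constructed sample data.

```python
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict of lowercase tag names to trimmed values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Return (level, notes) for the TXT strings found at _dmarc.<domain>."""
    # Only TXT strings whose first tag is v=DMARC1 are DMARC records.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not dmarc:
        return "no record", []
    if len(dmarc) > 1:
        # Receivers apply no policy when several DMARC records are published.
        return "no record", ["multiple DMARC records published"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        return "invalid", ["missing or unknown p= tag"]
    notes = []
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy applied to only part of failing mail")
    sp = tags.get("sp", "").lower()
    if sp in LEVELS and sp != policy:
        notes.append(f"subdomains use sp={sp}")
    return LEVELS[policy], notes

# Constructed sample records (not survey data), keyed by domain.
SAMPLES = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=25"],
    "c.example": ["v=DMARC1; p=none"],
    "d.example": [],
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "f.example": ["v=DMARC1; p=reject; sp=none"],
}

def survey(samples):
    return {domain: classify(records)[0] for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *classify(records))
```

A record that reads `p=reject` can still leave gaps: the notes flag a `pct` below 100 and a weaker `sp` subdomain policy, both of which reduce the protection the headline level suggests.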

George Lee, Senior Vice President of Asia Pacific and Japan at Proofpoint, explained the significance of these findings: "Email remains the most common and critical threat vector across industries. It's encouraging that many leading companies in Asia Pacific have taken proactive steps to protect their customers from email fraud. However, the rising frequency, sophistication, and cost of cyberattacks make it especially concerning that many remain highly vulnerable, exposing them to significant risks from malicious email-based threats such as phishing. Prioritising robust cybersecurity measures is essential to safeguard against these threats and protect customers' valuable data."

While Australia's adoption of DMARC at the reject level stands at 71%, leading other nations in the region, South Korea and Japan exhibit significantly lower adoption rates. Proofpoint's data reveals that only 1.8% of South Korean companies have implemented DMARC at the quarantine level, with none at reject, and over half lacking any DMARC record. In Japan, a mere 7.4% of companies have opted for the reject level of protection.

The situation in Singapore and India shows a moderate level of implementation, with approximately half of companies using the most stringent level of DMARC. However, a large percentage of these businesses are still unprotected, lacking even a basic DMARC record.

More concerning figures emerge from China, where only 4.2% of companies have adopted DMARC at the recommended levels, and 71.8% are without any DMARC protection. In Thailand, 17.6% of companies have implemented a reject policy.

In response to these findings, major email providers such as Google, Yahoo, and Apple have announced impending requirements for mandatory email authentication for bulk emails sent to their services. This initiative aims to curb spam and reduce fraudulent emails reaching user inboxes.

Furthermore, organisations that handle sensitive payment information are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The upcoming version 4.0.1 mandates DMARC implementation by March 2025 to enhance protection for cardholder data.

Proofpoint stresses the importance of companies implementing DMARC and doing so at the reject level to prevent domain impersonation. The company also advises organisations to educate employees on recognising fraudulent emails and reinforcing password management practices to mitigate further risks.
