The New Year will see a transformation in email security
Email is suffering an identity crisis. Email’s core protocols make no provisions for authenticating the identities of senders, which has resulted in a worldwide spearphishing and impersonation epidemic, leading to billions of dollars in monetary losses, security mitigation costs, and brand damage. As a result, email security will be a central theme in the new year, both as a source of threats as well as an increasingly urgent issue for cybersecurity professionals to address.
In 2020, we will see email security prove itself to be a weak link in election security as well as corporate security. At the same time, Domain-based Message Authentication, Reporting and Conformance (DMARC) will gain popularity across several industries, driven both by the need to eliminate domain spoofing, and by the desire for brands to take advantage of Brand Indicators for Message Identification (BIMI), a new standard that requires DMARC. Email authentication works -- but it’s up to domain owners to take advantage of it. Increasingly they will do so, as they realize that a failure to proactively defend their domains can leave them vulnerable to convincing exploits from cybercriminals.
Email security will prove to be the weakest link in election security
Email is implicated in more than 90 percent of all cybersecurity attacks, and election infrastructure is also vulnerable to email-based attacks. This means email security must be a priority for thwarting interference with the 2020 presidential election. But research shows the majority of U.S. states are overlooking this vulnerability. Only 5 percent of email domains associated with local election officials across the U.S. have implemented and enforced DMARC.
DMARC is a widely accepted open standard that ensures only authorized senders can send emails from a particular domain -- it’s one of the most basic and highly effective means of stopping phishing attacks, which is why the Department of Homeland Security mandated its use for federal agencies in 2017. Yet below the federal level, governments remain vulnerable. In May 2019 we learned Russian hackers breached two county election systems in Florida via a spear-phishing campaign, and in November we learned of a phishing-based ransomware attack on Louisiana during an election cycle.
Because only a tiny percentage of counties and states have DMARC configured at enforcement, email is an easy way in for malicious actors looking to disrupt our elections.
DMARC adoption will grow across industries
We’ll see a continued increase in DMARC adoption. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from spoofing, and the number of domains using DMARC has grown 5x in the last 3 years. We’ll see increased growth across several verticals in 2020 -- especially healthcare and government. Following the lead of the federal government’s civilian branches, the Department of Defense will soon be requiring all of its domains to enforce DMARC, resulting in an increase in the number of military domains protected. H-ISAC, a global nonprofit organization serving the health care sector, has urged health care companies to adopt DMARC as part of best practices for securing email, and as a result we’ve already seen a rise in adoption rates in this vertical. This growth will continue throughout 2020.
Major brands will lead the way with BIMI
Brand Indicators for Message Identification (BIMI) is a standard that will change the way people interact with their favorite brands via email. BIMI provides a framework through which an organization can provide an authorized logo for display in the recipients’ inboxes alongside authenticated email from that organization. We predict BIMI will grow in popularity, especially among large enterprises and prominent brands that rely heavily on the trust and engagement of their customers. In fact, Google will be launching a BIMI pilot in 2020, which will help spur adoption. Research by Verizon Media has shown that BIMI can increase open rates and boost customer engagement, giving marketers a big incentive to support the email authentication that is a prerequisite for BIMI.
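The distinction the article draws between "having DMARC configured" and "DMARC at enforcement", and the point that BIMI requires an enforced DMARC policy, both come down to a few tags in published DNS TXT records. The following is an added example (not code from the article or from Valimail) that parses the `tag=value` syntax shared by DMARC and BIMI records, classifies a domain's DMARC policy as none, monitor, partial or enforced, and checks the DMARC prerequisites a BIMI record depends on. The domain names and records under `SAMPLE_DNS` are constructed for illustration, not real DNS data, and the rules encoded follow the DMARC (RFC 7489) and draft BIMI specifications as summarized in comments.

```python
"""Classify DMARC enforcement and BIMI readiness from DNS TXT records.

Added example: the records below are constructed, not looked up from
real DNS. In practice the values would come from a TXT query for
_dmarc.<domain> and default._bimi.<domain>.
"""
from typing import Dict, Iterable, Optional, Tuple


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' text into a dict (DMARC and BIMI share this syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # skip empty segments such as a trailing ';'
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: Optional[str]) -> str:
    """Return 'none', 'monitor', 'partial' or 'enforced' for a DMARC TXT record.

    'none'     : no record, or a record receivers would discard as invalid
    'monitor'  : p=none, i.e. reporting only, spoofed mail is still delivered
    'partial'  : quarantine/reject applied to only pct<100 of failing mail
    'enforced' : quarantine or reject applied to all failing mail
    """
    if not record:
        return "none"
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # the v tag must come first and be DMARC1; otherwise ignored
    policy = tags.get("p")
    if policy is None:
        # RFC 7489 6.6.3: a missing p tag is treated as p=none if rua is
        # present; without rua the record is invalid.
        return "monitor" if "rua" in tags else "none"
    policy = policy.lower()
    if policy == "none":
        return "monitor"
    if policy not in ("quarantine", "reject"):
        return "none"  # unknown policy value: receivers treat the record as invalid
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100  # an unparsable pct is ignored, so the default applies
    return "enforced" if pct >= 100 else "partial"


def bimi_ready(dmarc_record: Optional[str], bimi_record: Optional[str]) -> Tuple[bool, str]:
    """Check the DMARC prerequisites BIMI imposes, then the BIMI record itself."""
    status = dmarc_enforcement(dmarc_record)
    if status != "enforced":
        return False, f"DMARC not at enforcement (status: {status})"
    dmarc_tags = parse_tag_value(dmarc_record or "")
    if dmarc_tags.get("sp", "").lower() == "none":
        return False, "subdomain policy sp=none is not permitted for BIMI"
    if not bimi_record:
        return False, "no BIMI record published"
    bimi_tags = parse_tag_value(bimi_record)
    if bimi_tags.get("v", "").upper() != "BIMI1":
        return False, "BIMI record missing v=BIMI1"
    if not bimi_tags.get("l", "").startswith("https://"):
        return False, "BIMI logo location (l=) must be an https URL"
    return True, "ok"


# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.county-a.example": "v=DMARC1; p=none; rua=mailto:reports@county-a.example",
    "_dmarc.county-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@county-b.example",
    "_dmarc.brand.example": "v=DMARC1; p=reject; rua=mailto:reports@brand.example",
    "default._bimi.brand.example": "v=BIMI1; l=https://brand.example/logo.svg",
}


def enforcement_summary(dns: Dict[str, str], domains: Iterable[str]) -> Dict[str, str]:
    """Map each domain to its DMARC enforcement status using the given DNS view."""
    return {d: dmarc_enforcement(dns.get(f"_dmarc.{d}")) for d in domains}


if __name__ == "__main__":
    domains = ["county-a.example", "county-b.example", "county-c.example", "brand.example"]
    for domain, status in enforcement_summary(SAMPLE_DNS, domains).items():
        print(f"{domain:20} DMARC: {status}")
    ok, reason = bimi_ready(SAMPLE_DNS["_dmarc.brand.example"],
                            SAMPLE_DNS["default._bimi.brand.example"])
    print(f"brand.example BIMI ready: {ok} ({reason})")
```

Only the `enforced` outcome corresponds to what the article calls "configured at enforcement"; a domain with `p=none` has DMARC "implemented" in the sense that a record exists, but spoofed mail is still delivered, which is why the two figures are worth reporting separately.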
Peter Goldstein is CTO and co-founder, Valimail. He is an MIT and Stanford trained technologist who has worked in a variety of software verticals including security, enterprise, email, and video. He has built products and teams at a number of large technology companies such as RSA Security and Perot Systems, as well as at small startups like Tout, Securant, and Swapt.