Cyber security centre tells government domain owners to up email security settings

Written by Rebecca Hill on 5 December 2016 in News

Fewer than 5% of public sector domains have adopted more secure standards for emails to reduce phishing, according to the National Cyber Security Centre.

National Cyber Security Centre wants Whitehall to boost email security - Photo credit: Flickr, elhombredenegro, CC BY 2.0

The centre has established a policy of “active cyber security”, with technical director Ian Levy saying that part of this will be to “make email mean something again” by improving confidence in the authenticity of emails.

Part of this relies on cracking down on phishing emails, which spoof a domain name with the aim of stealing a person’s personal and financial details.

“There are simple mitigations that public sector domain owners can put in place to make spoofing much harder,” the chief architect at the cyber security centre said in a blogpost.

This includes adopting a new protocol – Domain-based Message Authentication, Reporting and Conformance, or DMARC – that alerts the domain owners to the malicious emails and allows them to take back control of their domains.

However, the NCSC said that fewer than 5% of public sector domains used the protocol, and it outlined work being done by the centre and the Government Digital Service to encourage organisations to implement it.

This includes updating guidance for digital service managers and updating guidance to ensure that all emails are set to the highest DMARC level, known as p=reject. This means that the email service provider is asked not to deliver the email at all.

Among those organisations using this DMARC setting is HMRC, which last week announced that it had reduced phishing emails by 300 million this year, and expected to be able to block half a million phishing emails each year from now on.

“If an organisation with the scale, complexity and delivery requirements of HMRC can get to p=reject, then we believe that any other public sector organisation should be able to,” the NCSC said. “We look forward to many more organisations following their lead.”

The email security guidance asks public sector organisations to send copies of their reports to the centre, which it will use to track how effective the public sector has been at stopping phishing.

This service is receiving DMARC reports for more than 100 domains, the centre said, adding that it had helped alert many departments to phishing campaigns and misconfigurations on their domains.
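The p=reject setting and the report address described above both live in a domain's DMARC TXT record, so a domain owner can check them mechanically. The following is an added example, not code from the NCSC, GDS or this article; the `.example` domains, the sample records and the status labels are constructed assumptions, and it reads records from strings rather than from DNS.

```python
# Added example; sample records and status labels are constructed for illustration.
VALID_POLICIES = {"none", "quarantine", "reject"}
SAMPLES = {  # constructed DMARC TXT records (RFC 7489 tag=value syntax)
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@enforcing.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@monitoring.example",
    "partial.example": "v=DMARC1; p=reject; pct=20",
    "broken.example": "p=reject; v=DMARC1",
}

def parse_dmarc(txt):
    """Parse one DMARC record into a dict; raise ValueError if it is unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in VALID_POLICIES:  # strict: a missing p= is treated as an error
        raise ValueError(f"missing or invalid p= tag: {tags['p']!r}")
    tags["pct"] = int(tags.get("pct", "100"))  # ValueError if pct is not a number
    return tags

def assess(txt):
    """Return (status, findings) for one record."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return "invalid", [str(exc)]
    findings = []
    sp = tags.get("sp", tags["p"]).lower()  # subdomains inherit p= unless sp= is set
    if tags["p"] != "reject":
        findings.append(f"p={tags['p']}: receivers are not asked to refuse failing mail")
    elif tags["pct"] < 100:
        findings.append(f"pct={tags['pct']}: reject applies to only part of failing mail")
    elif sp != "reject":
        findings.append(f"sp={sp}: subdomains are not covered by reject")
    rua = [u.strip().lower() for u in tags.get("rua", "").split(",")]
    if not any(u.startswith("mailto:") for u in rua):
        findings.append("no rua=mailto: address, so no aggregate reports are sent")
    enforced = tags["p"] == "reject" and tags["pct"] == 100 and sp == "reject"
    return ("reject-enforced" if enforced else "not-enforced"), findings

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess(record))
```

A record can be at p=reject and still be flagged, as the `partial.example` sample shows: a `pct` below 100 limits enforcement, and a missing `rua` address means the owner receives no aggregate reports.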

The centre has previously said it will set up a dashboard of red, amber and green indicators based on the level of email security and that it will publish this so departments can pit themselves against each other.

“In six months the dashboard goes public as an incentive for government departments to take action or face being named and shamed,” Levy told an event in London in October.

The centre has urged anyone managing a public sector domain – those ending in, or – to verify their compliance with the standard using a tool developed by the NCSC and GDS called 
