The UK’s top 10 universities and most of the leading educational institutions in the US and Australia are failing to protect their staff and students from email-borne threats, according to Proofpoint.
The security vendor assessed each of the leading 10 universities in each country for their DMARC policy, and found 97% across all regions are failing to actively block fraudulent emails from reaching recipients. The figure rose to 100% in the UK.
Whilst not a panacea, the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol can help to prevent phishing and similar attacks, as it’s meant to ensure that only authorized senders can send messages from registered domains.
However, it must be set to “p=reject,” meaning spoofed emails never reach their intended destination.
The other levels are” p=none,” which means mail is treated the same as non-DMARC validated messages, and “p=quarantine,” where emails are delivered but into the recipient’s spam folder.
“Higher education institutions are highly attractive targets for cyber-criminals as they hold masses of sensitive personal and financial data. The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cybersecurity challenges for education institutions, opening them up to significant risks from malicious email-based cyber-attacks, such as phishing,” said Adenike Cosgrove, cybersecurity strategist at Proofpoint.
“Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber-attacks against universities have increased. It is the combination of these factors that make it especially concerning that none of UK top ten universities is fully DMARC compliant.”
Of those UK universities assessed, 20% did not even publish a DMARC record, meaning they have some way to go to enhance their anti-phishing and business email compromise (BEC) capabilities.
A 2018 study of thousands of the top education institutions in the EU and US found that just 11% had fully implemented DMARC.