Stephen Jordan explains DMARC and the shocking number of vulnerable businesses that do not implement it
Boosting email security for your small business is just smart
Cybersecurity expert Stephen Jordan joins us on the podcast today to discuss critical measures for boosting email security that small businesses need to implement. He explains the vital role of DMARC (Domain-based Message Authentication, Reporting & Conformance) in safeguarding a company’s email domain against spoofing, phishing, and business email compromise attacks.
Shockingly, Jordan reveals that 82% of businesses do not have DMARC protection enabled. Of those that do, only about 1.5% are using it properly with enforcement and monitoring. This leaves companies wide open to reputational damage, fraud, and disruption from email impersonation. Boosting email security with DMARC needs to become a priority.
Jordan outlines common challenges small businesses face in adopting DMARC and stresses the importance of combining it with related protocols like SPF and DKIM for layered email authentication and boosting security. He shares startling statistics of over 1,500 fake emails stopped in one month for a client after boosting email security.
Looking ahead, Jordan predicts DMARC and email security overall will continue advancing as threats evolve. He emphasizes the need for continual improvement in boosting email security, not assuming one solution is enough. Jordan advises asking questions of IT providers and getting third-party assessments on whether email security is adequately boosted. With employee vulnerabilities a top risk, ongoing security awareness training and testing is vital for boosting protection as well.
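The interview describes DMARC policy levels (none, quarantine, reject), aggregate reporting, and the rule that either SPF or DKIM must align with the sending domain. As an added example (not code from the interview or from Sound Cybersecurity), the Python below parses a `_dmarc` TXT record, buckets a domain the way Jordan does, and evaluates that alignment rule for one message. The sample records and domains are constructed, and organizational-domain matching is simplified to the last two labels.

```python
"""DMARC posture and alignment check (added example; sample records are constructed)."""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.
    Returns {} when the text is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def classify_posture(txt: Optional[str]) -> str:
    """Bucket a domain the way the interview does: no record, p=none,
    enforcing without aggregate reports, or enforcing with reports."""
    if not txt:
        return "no DMARC"
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "no DMARC"  # missing or malformed record gives no protection
    if policy == "none":
        return "monitoring only (p=none)"
    if "rua" not in tags:
        return f"p={policy}, no aggregate reports"
    return f"p={policy} with aggregate reports"


def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels
    (a real receiver consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Relaxed (r): same organizational domain. Strict (s): exact match.
    auth_domain is None when that check (SPF or DKIM) did not pass."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(txt, from_domain, spf_domain=None, dkim_domain=None):
    """DMARC passes when SPF *or* DKIM passed and aligns with the From
    domain; otherwise return the record's policy as the disposition."""
    tags = parse_dmarc(txt)
    if not tags:
        return "none"  # no record: the receiver applies no DMARC policy
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()


if __name__ == "__main__":
    records = {  # constructed sample records, not real domains' DNS
        "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "example.net": "v=DMARC1; p=quarantine",
        "example.edu": None,
    }
    for name, rec in records.items():
        print(f"{name}: {classify_posture(rec)}")
    # Spoofed message: From example.com, SPF passed only for an unrelated domain, no DKIM.
    print(dmarc_result(records["example.com"], "example.com", spf_domain="bulk-sender.test"))
```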
Watch Our Interview
What follows is a lightly edited transcript of our discussion.
Gary Stockton: About 46 percent of all cyber breaches impact businesses with fewer than 1,000 employees. Small businesses receive the highest rate of targeted malicious emails, with one in every 323 businesses impacted. Business email takeover is the type of hack where a business is targeted, its email server hijacked, and the hackers perpetrate various frauds including fraudulent wire transfers.
Victims of these crimes face significant interruptions in business operations and reputational damage among their customers. Some even shut their doors as a result. It’s a terrible problem, but a problem you can prevent. Joining us today to do a deep dive on email security is Stephen Jordan, a cybersecurity expert and founder of Sound Cybersecurity. With over 32 years in IT and cybersecurity, Stephen brings a wealth of knowledge in email security, particularly DMARC. Today, he’ll share insights on safeguarding your small business against digital threats and navigating the complexities of cyber compliance. Stephen, welcome to the Small Business Matters podcast.
Stephen Jordan: Thank you very much. Glad to be here, Gary.
Gary Stockton: Can you explain it and why it’s essential for small businesses to implement in their email security strategy?
Stephen Jordan: Absolutely. DMARC is a wonderful tool that we have available to us as an email security tool.
Unfortunately, it’s just the way that email is designed. Anybody who has the technical ability to open and create an email server can immediately start using your email address, or anybody’s email address for that matter, and in the process of doing that can launch malicious attacks.
It’s a shame that they’re able to do that, but they are, and DMARC is a way to put a stop to that completely. It’s a great tool, and the reasons and benefits to it are many, but of course the biggest one to me is the ability to stop cybercriminals from using our email addresses. It also improves the reputation of our legitimate email messages, so they’re more likely to land in an inbox instead of a junk folder.
It helps protect our business brand. It helps protect our business reputation. It’s also a great way to just be a good neighbor on the internet, because when I enable DMARC for my domain name, not only does it protect me, but it also protects everybody that I interact with by email.
Gary Stockton: What are some of the common challenges that a small business might face when setting up and maintaining DMARC, and how can they overcome these obstacles?
Stephen Jordan: Yes, the initial challenge, just like anything else, is learning something that can be complicated and complex, and getting over misconceptions. When I say that, it’s not just misconceptions for business owners or managers; even within our IT industry, there are a lot of people that have many misconceptions about DMARC and what it does and how it works. And some people just fob it off as being unimportant. But when you really stop and take the time to learn it, you’ll find how important it is.
And so, to overcome those obstacles, I think there’s one of two ways: they either decide they’re going to dive in and do it themselves, or they’re going to contract that work out to somebody like me to take care of it for them. And once you decide which way you’re going to go there, of course, for me, I would prefer they use me to take care of it; I have already learned what I need to learn and can do all those things for them. But if they’re going to go the route of doing it themselves, they really need to make sure that they invest in a good tool to help them, because this isn’t something that you just do on your own and can handle with your own inbox.
Gary Stockton: Yeah, I set it up once, and it was a little involved. I worked with a consultant as well to help me through it. It didn’t take too long to get up and running, but I saw some immediate benefits. Now, there are other protocols out there like SPF and DKIM, but why is it important to use them together?
Stephen Jordan: DMARC would be nothing if it weren’t for SPF and DKIM. Those three things go hand in hand. Of course, DMARC, we also know, is email authentication, but SPF and DKIM and DMARC combine to make up this wonderful tool. And so, we couldn’t survive without those other protocols. And SPF is the one that’s initially checking to be sure that the email message is really coming from a legitimate source, someplace that you’ve published that you allow email to be sent from.
DKIM, of course, is stepping in and using private and public keys to encrypt portions of the message to make sure that information about where it came from and who it came from is intact and legitimate. And then DMARC takes the final step, confirms all of that, and makes sure that it all really aligns with the domain name you’re sending from. It’s a combination. And even though we say DMARC, or we say email authentication, it’s really a team effort from all three of those protocols.
Gary Stockton: Could you share some percentages of businesses that go that extra step? I don’t think it’s big.
Stephen Jordan: Yes. It’s funny, because initially you look at it, and of course my statistics run really close with others that I see published, but I have checked the status of DMARC on thousands of domain names. And what I have found through all of that is that eighty-two percent of all domain names that exist do not have DMARC configured at all. So, when you look at that and you go, 82%, that means 18% do; that’s almost one in five. So statistically we’re off to an okay start? No, not really.
Because when you dig into that 18 percent, 10 percent of the total do have DMARC enabled, but their policy is set to none. Maybe I should say at this point that when you do set up DMARC, you must choose one of three different settings, and those settings are none, quarantine, and reject.
And when you say none, it’s a great starting point. We all need to start there, because that’s what we use to start monitoring the reports and look at what’s going on, so that we don’t create any problems, or so that we know what problems there are. Once we get those things configured, we must move up from there, but those statistics show that 10 percent of the total is set to none. And I don’t see those changing a lot. I don’t go back and recheck them all, but very few of those progress from none on up to the higher levels of quarantine and reject. Out of that, that leaves 8 percent of all domain names that are at least on quarantine or on reject.
The way that breaks down is about 5 percent of the total are on quarantine and 3 percent are on reject. Now, what’s not so great about that, even worse, is that when you start looking at those, what I find is this: take that 5 percent that is on quarantine, and only half of those specify a source to send the daily aggregate reports to.
Same thing with the 3 percent that are on reject: only half of those domain names are set to send the report somewhere. If you really want to get down to the final details of how many people, or what percentage out there, are really using DMARC to its full capacity, it would be the people set on reject who are looking at the reports. That really means about one and a half percent of all domain names. So, if anything right now, we can say that about two out of a hundred businesses are fully implementing DMARC. So, we have a long way to go to put this wonderful tool to use.
Gary Stockton: That’s a shocking statistic, really, when you think about the reputational damage it could do to a small business. Podcast listeners, this is something you’re going to want to rewind and re-listen to here. And if you are not working with a professional in this and you need help, you’ve got to call Stephen up and have him come and help you get all of this set up.
Stephen Jordan: Definitely.
Gary Stockton: Talk about a few real-world examples or case studies where implementing DMARC significantly reduced email fraud or phishing attacks for a small business. Do any come to mind?
Stephen Jordan: Yes. I’ll give you a couple of my own. It’s interesting, because you can go on the internet and find tons of statistics about pre-attack times or how many attacks happen. But once people enable DMARC, you don’t really get too much in the way of statistics, because at that point we’ve really put a stop to it. I keep my dashboard open for my tool, and I’ve got one client here in mind. Let me just pull them up quick.
So, over the last 30 days, this is a client of mine that’s in the technology sector, and in the last 30 days they have had 263 compliant messages. So those are messages that they have sent that are completely legitimate. But they’ve had 1,549 illegitimate messages sent as if they’re from their domain that really they are not.
Now, because we’ve set up DMARC, we’ve stopped those from reaching the inboxes that they would have reached. So, we really don’t know what any one given message would have done or how much of a problem it would have caused. But that is a significant percentage of messages going to their clients, their vendors, and other people that they may interact with that we’ve put a stop to.
There are many other clients I have; some of them aren’t as large in those numbers. We’ve had some small ones. I’ve got one oil and gas client who’s a sole proprietor. He might have an email volume of fifty messages a month. But every now and then we’ll see one, two, or three illegitimate messages sent from his domain name, and they got stopped.
So, we really don’t know: did we prevent a phishing attack in that message’s case? Somehow it would have been stopped by some other means, but DMARC put a stop to it ever even getting there in the first place.
Gary Stockton: How do you see the role of DMARC and email security evolving, especially with the rise of sophisticated cyber threats? And now we’ve got AI as a toolbox, right? Or a toolkit for a lot of these hackers. How do you see it shaking out in the future?
Stephen Jordan: You know, you think back to medieval times: the weapon got bigger and the armor got bigger, and we just kept going back and forth. I think we have seen that, and history shows that. So, we will continue to see that going forward. With DMARC specifically, right now it is not a requirement; you do not have to have it to be able to send email. So, I think part of the evolution at some point will be that it will be a requirement and you will have to have it. The way DMARC works right now, we talked about it working in conjunction with those other two protocols. Those two protocols do have to be functioning correctly for DMARC to approve a message. Only one of those other two must align with your domain name for a message to get through.
I could see, as this continues to evolve, that there will come a time when both of those will have to align. So, getting stricter with DMARC and enforcing it. But Yahoo and Google, in February coming up here soon, are going to start enforcing it for anybody who’s got a large volume. If you’re a sender of 5,000 emails or more, they are going to start enforcing DMARC for those senders.
So, we’re starting to move in that direction, and that’ll be there. But as far as email goes, I wish I had a crystal ball to tell you exactly. I could see the day coming when, you know, we each end up having to have our own certificate that represents us, so that there is some connection between the email messages that we send and something physical that identifies that it was really us that sent the message. Not that that’s going to kick SPF, DKIM and DMARC out of the picture. I think it’ll remain as a layer. I could see that.
I remember in the sixth grade, my teacher asked us to draw a picture of a football player and what we thought a football player would look like in the future. And for most of us, the pads just got bigger, and I can see that with email: those layers and the security we put behind it will continue to evolve. I wrote a great blog on my website a while back titled “Email Security Is Not a One and Done Thing”, and there are just a lot of different things we need to do. DMARC is one of those great pieces to that puzzle.
Gary Stockton: I’ve heard, and Experian has reported, that one of the greatest cyber risks to a business is through their employees. How can businesses train their employees to recognize and respond to phishing attempts effectively?
Stephen Jordan: Yes, so you must have security awareness training and testing in place to just keep people aware and give them the knowledge. There are a lot of people that just don’t understand, and doing something like that security awareness training and testing will start introducing them to it. It will test them, so that if they are more prone to click on things that they shouldn’t, the testing will draw that out and you can start bringing that to their attention. But that, I think, is definitely the beginning step for helping those employees improve. There are so many things; we’ve seen so many statistics now that one out of five employees would actually be willing to sell their password to a cybercriminal. There are just so many things that are out there these days that make it tough on a business to not only just teach, but also to enforce and protect. You can implement wonderful policies, but just like traffic laws, that doesn’t mean everybody’s going to follow them.
Gary Stockton: Do you think sending fake phishing emails to your employee base to see what cross-section of your employees could need retraining is a good idea?
Stephen Jordan: Yes, and that’s what the testing usually does: it sends out those types of messages. “UPS package delivery, click here to check the status of your package,” whatever it may be. Those testing email messages are sent, and then, instead of communicating with a known bad actor out there, of course, the results are just collected in your company’s testing data. And you can see who is clicking on those messages. It’s a great tool to say, okay, employee such-and-such, yes, you need to go back through and read, or rewatch, this training.
Gary Stockton: There’s probably some very young businesses listening today. Through the pandemic, we’ve seen millions of new businesses being started, and some of them are outsourcing email operations. Do you have any advice for businesses that are outsourcing their email infrastructure to another company? What should they be looking for?
Stephen Jordan: Yeah, and I bet most of us are doing that these days. And I think the best thing to do there is just remember, like I said earlier from that blog, that email security is not a one-and-done thing. You may be told by whomever you’re outsourcing your email to that they’ve implemented an email security solution for you. You may even see on your monthly invoice that you’re paying for a separate email security solution. But that doesn’t mean that you’re done; that is just one of the pieces of everything that needs to be done with email security. So if they’re outsourcing it, I think the biggest thing for business owners and managers is: don’t assume that everything is done. Definitely open the hood, take a peek, see what’s going on, and ask important questions, and use somebody like myself or get a third-party opinion on how they’re doing with that security.
Gary Stockton: Yes, and discovering that DMARC hasn’t been set up, that’s going to be a revelation for a great many, I would imagine.
Stephen Jordan: Yes.
Gary Stockton: How can small businesses develop and enforce effective email security policies, and what compliance aspects should they consider?
Stephen Jordan: I would say that there are so many great security policies that every business needs to have in place: password policies and acceptable use policies and all; there’s a long list of those. But as far as enforcement goes, really, any decent company that’s either providing or promoting those policies, one of the pages is getting the employee to sign off that they have read and received those policies.
That is a huge step in moving towards better adoption and acceptance of, and obedience to, those policies. But you’re still going to get people that aren’t going to follow them. And I can hear my HR professionals’ words ringing in my ears about stepped discipline and verbal warnings and written warnings and final warnings before you act.
But it’s hard. Do you fire your best salesperson because they’re not following all of your email habits? That is a tough decision to get down to. That guy may be making you tens of thousands of dollars per month, but what if his bad email habits suddenly end up exposing the entire company to ransomware? Where is that balance and benefit to having that employee? So, I think they want to develop those policies, get everybody to sign off on them, and follow up with real action.
The sad thing that I am seeing occasionally, and it’s not in the news a lot, but we are seeing that employees are beginning to get named in some of these lawsuits that are occurring. That’s a huge wake-up call. Of course, it was a huge wake-up call for those of us in the IT and cybersecurity business. If you make a mistake, you can end up on the wrong side of the lawsuit. Everybody that’s involved needs to realize that they are the last line of defense.
You don’t have to be in the IT department. You don’t have to be a CEO. Anybody and everybody, you’re the last line of defense. And it’s funny: when I do occasionally send out some bulk emails promoting DMARC, I’ll get some people who respond back and they just go, “Oh, this doesn’t matter to me. I’m not in IT.” Well, it really should matter. It doesn’t matter if you’re the janitor and you’re checking your email on your cell phone; you’re still part of all of this.
Gary Stockton: Yes. At Experian it’s job #1. It’s the first thing; the priority of the business is security. So, we take it tremendously seriously here.
This has been extremely illuminating and valuable. Do you have any closing thoughts about email security, Stephen?
Stephen Jordan: Just don’t make assumptions; let somebody look for you if you don’t have that technical ability. And, just, Rome wasn’t built in a day. Nobody’s expecting you to be perfect this afternoon. It’s going to take time. Just start. Start looking into it and start implementing one thing at a time until you get to a point where you can say you’re comfortable, and know full well something new is going to come along that we’re all going to have to adopt at some future point. It’s just inevitable; it’ll keep evolving and changing, and we’ll keep evolving and changing with it.
Gary Stockton: Excellent stuff. Where can our listeners find out more about you and the services you provide?
Stephen Jordan: Absolutely. They can always go to my website. It’s soundcybersecurity.com. They’re welcome to shoot me an email if they’d like at stephen@soundcybersecurity.com. They’re welcome to give me a call if they’d prefer to do that. My number is 866-772-8181.
Gary Stockton: Fantastic. It’s been a real pleasure speaking with you, Stephen. Thanks for sharing so generously with our audience.
Stephen Jordan: You’re welcome. Thank you for having me, Gary.