Clients demand DMARC is set to reject

But outside the top ten, few law firms have fully implemented the email accreditation
Clients are increasingly demanding that law firms have fully implemented email authentication protocol DMARC before they send them instructions.
DMARC is a protective barrier for a firm’s email correspondence, sheltering staff and clients from the most common form of cyberattack, phishing.
While no cyber solution is a silver bullet, DMARC is a global industry standard widely recognised as essential to protecting an organisation’s email, brand and reputation.  It does this by preventing third parties from impersonating email domains.
It is estimated that 6.4 billion spoofed messages are sent every day, according to email security company Valimail.  And 15 per cent of all business email compromise (“BEC”) attacks involve exact domain spoofing.
Maximising use of DMARC might appear, therefore, to be a “no-brainer”.  But successful implementation can take time.  If firms go straight to a full “reject” policy, legitimate mail will be lost.  It is necessary first to monitor traffic, looking for deviations in reports, then move to quarantine mode, analysing results in spam catch and DMARC reports.  Only then can firms confidently progress to “reject”.
Reject or be rejected
Government bodies in both the UK and US, as well as a number of financial institutions and major corporates, understood to include Lloyds, are ramping up the pressure, however, by telling law firms they must reach “reject” or risk losing their business.
“Since DMARC’s inclusion in the British Minimum Cyber Security Standard, the frequency that we’re seeing clients include DMARC compliancy as part of their information security auditing is astounding,” says Joseph Hedegaard-Ganly, information security adviser at Saepio.  “With the FTSE 100 stepping up their supply chain security, law firms are increasingly the first to be asked to reach policy level reject, the highest level of DMARC.”
“A number of top UK financial institutions have requested their legal partners implement DMARC in a bid to secure their supply chain,” adds Dr Rois Ni Thuama, head of cyber security governance at Red Sift.  “Organisations are waking up to the reality that while their own digital infrastructures are well defended, the threat is still lurking on the periphery due to a weakness in the cyber defences of third-party suppliers – in many cases, the law firm.”
Furthermore, Ni Thuama believes it is only logical that other corporates will follow suit in demanding DMARC of their suppliers.
“If DMARC is one of the Minimum Cyber Security Standards required by the British Government of all departments and their contractors, surely all organisations operating in the UK should follow suit and not only implement these defences to protect their own clients, but also mandate that the organisations in their supply chain also adhere to this fundamental cybersecurity standard.”
Slow progress
Both Saepio and Red Sift have been monitoring DMARC uptake amongst law firms.  When Red Sift first conducted its survey in August 2017, only one firm had full protection in place, revealing critical vulnerability for the remaining firms and representing an open-door opportunity for scammers.
“Twenty months on, 10 additional firms have implemented DMARC at full protection – clearly in response to increasing pressure from clients, suppliers and government,” says Ni Thuama.
But while firms including DLA Piper, Hogan Lovells, Linklaters, Norton Rose, CMS, Herbert Smith Freehills and Eversheds Sutherland have all reached “reject” status, many other firms have yet to progress beyond “report”, putting them at risk of losing clients.
“Reputation is not a new concept to law firms, but the reputation of one’s domain has previously not been seen as an area of consideration,” says Hedegaard-Ganly.  “The race to reach reject is not a box-ticking exercise, but rather the result of firms getting visibility into what use of their domain is taking place through reports.  There’s little doubt that, by this time next year, the percentage of the top 100 in reject will be significantly higher.”
An alternative view 
Martin Smith, founder of the Security Awareness Special Interest Group, believes that while DMARC is an important tool, it is only a small part of the solution
“DMARC and a host of other technical and procedural tools are all hugely helpful in securing the online B2B environment.  I would always encourage their implementation but within an overall cybersecurity strategy.  Context is everything – simply demanding that a supplier implements tools such as DMARC will do nothing on its own to improve data security and privacy: it just becomes another barrier to doing business, another point solution/sticking plaster, another box to tick, another cost overhead that will quickly degrade in usefulness.
“History is littered with solutions that make people feel warm for a while.  The Government’s own schemes such as the excellent Cyber Essentials, where Departments insist that suppliers comply before they can do any public sector business with them, remains massively under-subscribed; even then, whilst gaining accreditation shows a degree of conscientiousness in achieving at least some basic levels of security, it’s really only like a car’s MoT: as good as the day it’s issued and the garage that issued it but with no subsequent guarantee to roadworthiness until next year’s test.
“Cybersecurity requires a commitment at all levels within law firms from the board member to the filing clerk, and needs to be applied across the whole of the organisation’s technology, processes and people.  Paying lip service, especially when overseeing suppliers, is counterproductive, it gives a false sense of security to both sides.  Issuing arbitrary stipulations in isolation, such as “requiring their supply chains use DMARC in order to work with them”, is an important but only very small part of the answer.”
Amy Carroll