CSC: Many Global 2000 companies susceptible to phishing

A new report has found that domain security is an underutilised security component to curb phishing and related ransomware attacks

The majority of organisations on the Forbes Global 2000 list are vulnerable to attacks on their internet domains due to poor security, according to a study released by CSC.

CSC, a world leader in business, legal, tax, and domain security, has published its annual Domain Security Report: Forbes Global 2000 Companies, which found that despite the shift to modernise business environments and operations, companies’ web domains remain dangerously under-protected.

 

What did the study find? 

CSC’s research shows that most Global 2000 companies continue to lag in the adoption of domain security measures. Most notably, 81% of companies are not using registry locks. Other concerning findings include:

  • 70% of homoglyph (fuzzy match) domains, a tactic commonly used in phishing and brand abuse, are owned by third parties
  • 57% of the Global 2000 are relying on off-the-shelf consumer-grade registrars who offer limited domain security mechanisms to protect against domain and DNS hijacking

It was revealed that half of the companies surveyed do not use Domain-based Message Authentication, Reporting, and Conformance (DMARC), a protocol used to verify that emails came from a legitimate address. IT software and services companies were the highest adopters, at 74%, followed closely by health care equipment and services, semiconductor manufacturers, and media companies. Construction companies (28%) were the least likely to use the tool.

CSC also found low usage of several other domain protection methods. Only 5% of companies used DNSSEC, a protocol that prevents DNS cache poisoning attacks. The same percentage used certificate authority authorisation (CAA) records, which designate which certificate authorities may issue certificates for a company's domains. This stops an attacker from accessing a company's digital certificates if they get control of a domain.
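The following Python example is added here and is not part of CSC's report or the original article: it shows how a defender might evaluate DMARC and CAA records that have already been retrieved from DNS. The function names and the sample records are constructed for illustration.

```python
def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in parts[1:])}

def dmarc_findings(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not recs:
        return ["no DMARC record"]
    if len(recs) > 1:
        return ["multiple DMARC records: receivers apply none of them"]
    rec, out = recs[0], []
    policy = rec.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        out.append("missing or invalid p= tag")
    elif policy == "none":
        out.append("p=none: receivers are asked to take no action on failing mail")
    if rec.get("pct", "100") != "100":
        out.append("pct is not 100: policy covers only a share of failing mail")
    if "rua" not in rec:
        out.append("no rua= address: no aggregate reports are received")
    return out

def caa_issuers(caa_records):
    """Map CAA tag -> set of CA domains allowed to issue (empty set = nobody).
    An empty dict means no issue/issuewild record, so any CA may issue."""
    allowed = {}
    for rec in caa_records:
        _flags, tag, value = rec.split(None, 2)
        tag = tag.lower()
        if tag in ("issue", "issuewild"):
            # The value may carry parameters after ';'; the CA domain comes first.
            ca = value.strip().strip('"').split(";")[0].strip().lower()
            allowed.setdefault(tag, set())
            if ca:
                allowed[tag].add(ca)
    return allowed

# Constructed sample records (example.com and ca.example are placeholders).
SAMPLE_DMARC = ["v=spf1 -all", "v=DMARC1; p=none; pct=50"]
SAMPLE_CAA = ['0 issue "ca.example; account=1"', '0 issuewild ";"',
              '0 iodef "mailto:sec@example.com"']
print(dmarc_findings(SAMPLE_DMARC))
print(caa_issuers(SAMPLE_CAA))
```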

“Basic domain security measures continue to get overlooked because they’re still not considered an essential component to a company’s broader phishing, business email compromise, or ransomware mitigation approach,” said Mark Calandra, president of CSC Digital Brand Services. “A focus on securing legitimate domains while monitoring for malicious domains in parallel needs to be a bigger priority for companies to stay protected and thwart cyber risk. Otherwise, companies are exposing themselves to significant threats to their cyber security posture, data protection, intellectual property, supply chains, consumer safety, revenue, and reputation.”
