CSC: Many Global 2000 companies susceptible to phishing

A new report finds that domain security remains an underused control for curbing phishing and the ransomware attacks that follow from it

The majority of organisations on the Forbes Global 2000 list are vulnerable to attacks on their internet domains due to poor security, according to a study released by CSC.

CSC, a world leader in business, legal, tax, and domain security, has published its annual Domain Security Report: Forbes Global 2000 Companies, which found that despite the shift to modernise business environments and operations, companies’ web domains remain dangerously under-protected.

What did the study find?

CSC’s research also shows that most Global 2000 companies continue to lag in the adoption of domain security measures. Most notably, 81% of companies are not using registry locks. Other concerning findings include:

  • 70% of homoglyph (fuzzy-match) domains, lookalike names commonly used in phishing and brand abuse, are owned by third parties
  • 57% of the Global 2000 rely on off-the-shelf consumer-grade registrars that offer limited domain security mechanisms to protect against domain and DNS hijacking

The report also found that half of the companies surveyed do not use Domain-based Message Authentication, Reporting, and Conformance (DMARC), a protocol used to verify that an email genuinely came from the domain it claims to be from. IT software and services companies were the highest adopters, at 74%, followed closely by health care equipment and services, semiconductor manufacturers, and media companies. Construction companies (28%) were the least likely to use the tool.

CSC also found low usage of several other domain protection methods. Only 5% of companies used DNSSEC, a protocol that protects against DNS cache poisoning attacks. The same proportion used certificate authority authorisation (CAA) records, which designate which certificate authorities are permitted to issue certificates for a company's domains. This stops an attacker from obtaining a company's digital certificates if they get control of a domain.
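As an added illustration, not part of CSC's report or its methodology: a small Python check that classifies a domain's record set against the three measures counted above (whether DMARC is present and its policy enforces, whether CAA records exist and which issuers they authorise, and whether the zone is DNSSEC-signed). The domain names and records below are constructed samples so the check runs offline; a real assessment would pull the same record types with a resolver.

```python
"""Assess adoption of the DNS-based controls the CSC report counts:
DMARC (TXT at _dmarc.<domain>), CAA (at <domain>) and DNSSEC (DS at the
parent). Sample records are constructed so this runs without network access."""
import re

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def parse_caa(rr):
    """Parse one CAA record of the form: flags tag "value"."""
    m = re.fullmatch(r'(\d+)\s+(\w+)\s+"([^"]*)"', rr.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rr!r}")
    return {"flags": int(m.group(1)), "tag": m.group(2).lower(), "value": m.group(3)}

def assess(records):
    """Return which controls are in place for one domain's record set."""
    dmarc = None
    for txt in records.get("dmarc_txt", []):
        dmarc = parse_dmarc(txt)
        if dmarc:
            break
    issuers = [c for c in map(parse_caa, records.get("caa", [])) if c["tag"] in ("issue", "issuewild")]
    return {
        "dmarc_present": dmarc is not None,
        # only quarantine/reject affect delivery; p=none merely reports
        "dmarc_enforcing": dmarc is not None and dmarc.get("p", "none").lower() in ("quarantine", "reject"),
        "caa_present": bool(issuers),
        "caa_issuers": sorted({c["value"] for c in issuers}),
        "dnssec_signed": bool(records.get("ds")),  # a DS record at the parent means the zone is signed
    }

# Constructed sample data: one well-configured domain and one with nothing in place.
SAMPLE = {
    "example-secured.test": {
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-secured.test"],
        "caa": ['0 issue "letsencrypt.org"', '0 issuewild ";"', '128 iodef "mailto:sec@example-secured.test"'],
        "ds": ["12345 13 2 (constructed-digest)"],
    },
    "example-exposed.test": {"dmarc_txt": ["v=spf1 -all"], "caa": [], "ds": []},
}

if __name__ == "__main__":
    for name, recs in SAMPLE.items():
        print(name, assess(recs))
```

Note that a DMARC record with `p=none` counts as present but not enforcing, which is the distinction a practitioner should draw before treating a domain as protected.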

“Basic domain security measures continue to get overlooked because they’re still not considered an essential component to a company’s broader phishing, business email compromise, or ransomware mitigation approach,” said Mark Calandra, president of CSC Digital Brand Services. “A focus on securing legitimate domains while monitoring for malicious domains in parallel needs to be a bigger priority for companies to stay protected and thwart cyber risk. Otherwise, companies are exposing themselves to significant threats to their cyber security posture, data protection, intellectual property, supply chains, consumer safety, revenue, and reputation.”
