CSC: Many Global 2000 companies susceptible to phishing

A new report has found that domain security is an underutilised security component to curb phishing and related ransomware attacks

The majority of organisations on the Forbes Global 2000 list are vulnerable to attacks on their internet domains due to poor security, according to a study released by CSC.

CSC, a world leader in business, legal, tax, and domain security, has published its annual Domain Security Report: Forbes Global 2000 Companies, which found that despite the shift to modernise business environments and operations, companies’ web domains remain dangerously under-protected.


What did the study find? 

CSC’s research also shows that most Global 2000 companies continue to lag in the adoption of domain security measures. Most notably, 81% of companies are not using registry locks. Other concerning findings include:

  • 70% of homoglyph (fuzzy match) domains, a tactic commonly used in phishing and brand abuse, are owned by third parties
  • 57% of the Global 2000 are relying on off-the-shelf consumer-grade registrars who offer limited domain security mechanisms to protect against domain and DNS hijacking

It was revealed that half of the companies surveyed do not use Domain-based Message Authentication, Reporting, and Conformance (DMARC), a protocol used to verify that emails came from a legitimate address. IT software and services companies were the highest adopters, at 74%, followed closely by health care equipment and services, semiconductor manufacturers, and media companies. Construction companies (28%) were the least likely to use the tool.

CSC also found low usage of several other domain protection methods. Only 5% of companies used DNSSEC, a protocol that prevents DNS cache poisoning attacks. The same number used certificate authority authorisation (CAA) records, which specify which certificate authorities are permitted to issue certificates for a company's domains. This stops an attacker who gains control of a domain from obtaining certificates for it from a certificate authority the company has not authorised.
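The DMARC, CAA and DNSSEC controls described above can be checked from a domain's DNS records. The following is an added example, not from CSC's report or its tooling: it parses constructed DNS answers for two hypothetical domains (no live DNS queries) and flags the gaps the study counts, including DMARC in monitor-only mode, which the study's adoption figure alone does not distinguish.

```python
# Constructed DNS answers for two hypothetical domains (assumed data, not from the report).
# "TXT:_dmarc" holds the TXT records at _dmarc.<domain>, "CAA" the CAA records at the apex,
# and "DS" the delegation-signer records the parent zone publishes for the domain.
SAMPLE_DNS = {
    "example-protected.test": {
        "TXT:_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-protected.test"],
        "CAA": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
        "DS": ["12345 13 2 PLACEHOLDERDIGEST"],  # constructed placeholder digest
    },
    "example-weak.test": {
        "TXT:_dmarc": ["v=DMARC1; p=none"],  # monitor-only: nothing is rejected
        "CAA": [],
        "DS": [],
    },
}


def parse_dmarc(txt_records):
    """Return the tag dict of the first TXT record that is a valid DMARC record, else None."""
    for rec in txt_records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess_domain(records):
    """Return a list of findings; an empty list means all three controls are in place."""
    findings = []
    dmarc = parse_dmarc(records.get("TXT:_dmarc", []))
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none").lower() == "none":
        # A p=none policy only reports; receivers still deliver spoofed mail.
        findings.append("DMARC present but monitor-only (p=none)")
    if not records.get("CAA"):
        findings.append("no CAA record: any certificate authority may issue")
    if not records.get("DS"):
        findings.append("no DS record at parent: DNSSEC chain of trust not established")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLE_DNS.items():
        print(domain, assess_domain(records) or ["all checks passed"])
```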

“Basic domain security measures continue to get overlooked because they’re still not considered an essential component to a company’s broader phishing, business email compromise, or ransomware mitigation approach,” said Mark Calandra, president of CSC Digital Brand Services. “A focus on securing legitimate domains while monitoring for malicious domains in parallel needs to be a bigger priority for companies to stay protected and thwart cyber risk. Otherwise, companies are exposing themselves to significant threats to their cyber security posture, data protection, intellectual property, supply chains, consumer safety, revenue, and reputation.”
