National Cyber Security Centre tells public sector domain owners to improve email security

Written by Rebecca Hill on 8 December 2016 in News

Fewer than five per cent of public sector domains have adopted secure standards for email

Fewer than five per cent of public sector domains have adopted more secure standards for emails to reduce phishing, according to the National Cyber Security Centre (NCSC).

The centre has established a policy of “active cyber security”.

Part of this will be to “make email mean something again” by improving confidence in the authenticity of emails, according to technical director Ian Levy.


It means cracking down on phishing emails, which spoof a domain name with the aim of stealing a person’s personal and financial details.

“There are simple mitigations that public sector domain owners can put in place to make spoofing much harder,” he said.

This includes adopting a new protocol – domain-based message authentication, reporting and conformance (DMARC) – that alerts the domain owners to the malicious emails and allows them to take back control of their domains.

However, the NCSC said that fewer than five per cent of public sector domains used the protocol, and it outlined work being done by the centre and the Government Digital Service to encourage organisations to implement the protocols.

This includes updating guidance for digital service managers and updating guidance to ensure that all emails are set to the highest DMARC level, known as p=reject.

This means that the email service provider is asked not to deliver the email at all.
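To make the p=reject setting concrete, the following Python sketch is an added example (not from the article, the NCSC or GDS) that parses DMARC TXT records and reports the policy, whether it is fully enforced, and where aggregate reports are sent. The domains and records are constructed samples, and the function names are hypothetical.

```python
# Added example: read DMARC TXT records and report how failing mail is handled.
# Domains and records are constructed samples, not real DNS data.
SAMPLES = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=20",
    "spf-only.example": "v=spf1 -all",
}
POLICIES = ("none", "quarantine", "reject")  # weakest to strictest


def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    pairs = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    # The version tag must come first and must be exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)


def assess(txt):
    """Summarise one record: policy, full enforcement, aggregate-report addresses."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower() if tags else ""
    if policy not in POLICIES:
        # This example treats a missing or unknown policy as an unusable record.
        return {"valid": False, "policy": None, "enforced": False, "reports": []}
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {
        "valid": True,
        "policy": policy,
        # Full enforcement: p=reject applied to all failing mail.
        "enforced": policy == "reject" and pct == "100",
        "reports": reports,
    }


if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, assess(txt))
```
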

Among those organisations using this DMARC setting is HMRC, which last week announced that it had reduced phishing emails by 300 million this year, and expected to be able to block half a million phishing emails each year from now on.

“If an organisation with the scale, complexity and delivery requirements of HMRC can get to p=reject, then we believe that any other public sector organisation should be able to,” the NCSC said. “We look forward to many more organisations following their lead.”

The email security guidance asks public sector organisations to send copies of their reports to the centre, which it will use to track how effective the public sector has been at stopping phishing.

This service is receiving DMARC reports for more than 100 domains, the centre said, adding that it had helped alert many departments to phishing campaigns and misconfigurations on their domains.

The NCSC has previously said it will set up a dashboard of red, amber and green indicators based on the level of email security and that it will publish this so departments can pit themselves against each other.

“In six months the dashboard goes public as an incentive for government departments to take action or face being named and shamed,” Levy told an event in London in October.

The centre has urged anyone managing a UK public sector domain – those ending in, or – to verify their compliance with the standard using a tool developed by the NCSC and GDS called


