A global audit has identified government and healthcare organisations as the weakest links in email security, finding widespread failure to implement basic authentication protocols that guard against impersonation and phishing.
Comparitech's analysis, reported by Security Affairs, reviewed live DNS records for 5,849 domains across 13 industry sectors. Each was scored on its adoption of four key email authentication standards: SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting, and Conformance), DKIM (DomainKeys Identified Mail), and MTA-STS (Mail Transfer Agent Strict Transport Security).
The results reveal a concerning deficit in two sectors entrusted with protecting sensitive public data. Government and healthcare domains consistently lagged behind other industries, frequently lacking foundational protections like SPF and DMARC — tools specifically designed to verify sender authenticity and block email spoofing.
Without these safeguards, no technical barrier prevents attackers from forging emails that appear to originate from a legitimate hospital or government agency. Such deceptive messages, commonly used to harvest credentials or deliver malware, can directly lead to ransomware incidents, large-scale data breaches, and fraud schemes targeting vulnerable populations.
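To make the audit's DNS-based scoring concrete, here is an added example (not code from Comparitech or the report) that inspects constructed SPF, DMARC, DKIM and MTA-STS records for two made-up domains and scores them, separating monitoring-only settings such as DMARC p=none and SPF ~all, which do not block spoofing, from enforcing ones. The sample records, the scoring weights and the default DKIM selectors are assumptions; a real audit would replace the dictionary lookup with live DNS queries.

```python
import re

# Constructed sample TXT records standing in for live DNS lookups (offline example);
# swap `resolver` for a real DNS TXT lookup to audit live domains.
SAMPLE_DNS = {
    "hospital.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.hospital.example": ["v=DMARC1; p=none; rua=mailto:dmarc@hospital.example"],
    "sel1._domainkey.hospital.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...constructed"],
    "agency.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.agency.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"],
    "_mta-sts.agency.example": ["v=STSv1; id=20240101000000Z"],
}
POINTS = {"strict": 1.0, "present": 1.0, "weak": 0.5, "missing": 0.0}  # assumed weighting

def check_spf(domain, resolver=SAMPLE_DNS):
    # Only a trailing '-all' (hard fail) rejects spoofed mail; '~all' or no 'all' term is weak.
    for rec in resolver.get(domain, []):
        if rec.lower().startswith("v=spf1"):
            return "strict" if rec.strip().endswith("-all") else "weak"
    return "missing"

def check_dmarc(domain, resolver=SAMPLE_DNS):
    # p=none only reports; quarantine/reject are the policies that actually block spoofing.
    for rec in resolver.get(f"_dmarc.{domain}", []):
        if rec.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(\w+)", rec, re.I)
            policy = m.group(1).lower() if m else "none"
            return "strict" if policy in ("quarantine", "reject") else "weak"
    return "missing"

def check_dkim(domain, selectors, resolver=SAMPLE_DNS):
    # DKIM keys live at <selector>._domainkey.<domain>; selectors must be known or guessed.
    for sel in selectors:
        if any("p=" in rec for rec in resolver.get(f"{sel}._domainkey.{domain}", [])):
            return "present"
    return "missing"

def check_mta_sts(domain, resolver=SAMPLE_DNS):
    # The TXT record only signals a policy exists; the HTTPS policy file is not fetched here.
    for rec in resolver.get(f"_mta-sts.{domain}", []):
        if rec.lower().startswith("v=stsv1"):
            return "present"
    return "missing"

def score_domain(domain, selectors=("sel1", "default"), resolver=SAMPLE_DNS):
    """Score a domain 0-4 on the four standards the audit checked (strict/present=1, weak=0.5)."""
    results = {"SPF": check_spf(domain, resolver), "DMARC": check_dmarc(domain, resolver),
               "DKIM": check_dkim(domain, selectors, resolver),
               "MTA-STS": check_mta_sts(domain, resolver)}
    return results, sum(POINTS[v] for v in results.values())
```

Note that a domain can "have" SPF and DMARC records and still score poorly: the hospital sample publishes both but enforces neither, which is the "consistent and correct deployment" gap the audit points to.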
The findings expose a persistent implementation gap in cybersecurity. While the protocols needed for robust email protection are standardised and often available at no cost, their consistent and correct deployment remains elusive — particularly within public-sector organisations navigating resource constraints and legacy IT infrastructure.
For security professionals, the audit underscores a fundamental challenge. Email remains the primary initial access vector for a vast range of cyber threats, from state-sponsored espionage to financially motivated ransomware. Yet the data indicates that institutions managing critical infrastructure and citizen data are, in many cases, failing to apply essential digital defences.
The consequences ripple outward from any single compromise. A hijacked healthcare domain could be used to distribute fraudulent prescription notices or expose patient records. A spoofed government address could fuel disinformation campaigns or facilitate large-scale fraud. The research makes clear that IT leaders in these sectors must treat email authentication configuration as a non-negotiable baseline.
Closing the implementation gap demands more than technical awareness. It requires coordinated action — enforceable policy standards, dedicated funding for system upgrades, and clear operational responsibility — to move from knowing these tools exist to deploying them effectively across entire enterprises.