‘84% of local authorities in England lack adequate cyber defences’

A new study by cloud data intelligence company OnDMARC into local government authorities’ cyber security defences across England has revealed a startling lack of protection against email fraud, leaving millions of citizens exposed to the threat of phishing attacks.

152 local authority domains across the country were analysed to assess whether they had implemented DMARC, the government-backed protocol for securing email systems against phishing attacks.

The study showed that just one council in the North West had taken adequate steps to secure its domain against email impersonation, while in the East Midlands, London and the North East, just 11%, 15% and 17% respectively, demonstrated adequate security protection.

>See also: UK firms could face fines of £122 billion in 2018

The research highlights that many councils are failing to meet government recommendations, despite The National Cyber Security Centre announcing new local authority security guidelines in 2016, stating that “Widespread adoption of the DMARC protocol is essential to defend against targeted cyber threats.”

10 largest authorities in England without DMARC protection against email spoofing

1. Birmingham City Council
2. Sheffield City Council
3. Cornwall County Council
4. Manchester City Council
5. Liverpool City Council
6. Bristol City Council
7. London Borough of Barnet
8. London Borough of Croydon
9. Leicester City Council
10. Ealing Council

As a result of industry-wide collaboration, the DMARC (domain-based message authentication, reporting and conformance) standard is globally acknowledged as the only way to guarantee the legitimacy of an email’s ‘from’ address.

Without DMARC, scammers are able to spoof a council’s email address and send messages to the public requesting council tax payments, or to disclose confidential information, and there is no way for the receiver to easily detect that the sender is legitimate.

>See also: UK and India to collaborate on cyber security

With email the most popular method of malware delivery, and 76% of organisations reporting phishing attacks last year, sender fraud is proving a critical issue for public sector IT teams.

“Without DMARC, local authorities’ email domains can easily be spoofed by criminals,” said Randal Pinto, COO and co-founder, OnDMARC. “What this means for residents of some of England’s largest cities – including Birmingham, Liverpool and Bristol – is that they’re being put at risk of receiving fraudulent emails and thus falling victim to data or financial theft. Whether you’re dealing with residents of the smallest local authority in the Isles of Scilly or Barnet, the largest borough of London, local authorities have an obligation to ensure their citizens aren’t a target for phishing attacks from spoofed government email addresses.”

“While a handful of councils have taken steps to secure their domains, more authorities need to heed the advice of GCHQ’s security arm by deploying DMARC. HMRC has reported that 300 million phishing emails have already been blocked following DMARC deployment, keeping taxpayers secure from the threat of phishing attacks,” continued Pinto.


The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Security