Corporate Compliance Insights

New Threat Jeopardizes GDPR Compliance

Using DMARC to Fight Phishing and Boost Security

by Seth Blank
February 8, 2021
in Cybersecurity, Featured
Email phishing is at its highest level in three years, and one of the latest lines of attack capitalizes on the strict rules of GDPR, targeting executives and public-facing emails at businesses. Valimail’s Seth Blank examines how to protect your organization.

While much has changed over the past year, some things have stayed the same. New email security threats now commingle with the old. Case in point: the fake GDPR phishing campaign discovered late last summer. Phishers targeted organizations across multiple verticals with a fake compliance reminder about the European Union’s GDPR, with the campaign using the GDPR’s strict rules and fear of noncompliance to lure business executives into turning over their email login credentials.

GDPR has been a perfect storm for the compliance and security fields — and the perfect opportunity for hackers. The EU’s implementation of the GDPR in May 2018 strengthened privacy rights and underscored the need for consent when data is shared. The EU aimed to protect the “personal data” of its citizens and residents with the GDPR. It is a vast understatement to say that there is a lot to unpack within the law. The piece hackers find the most enticing, though, is email. Under the law, email addresses and content are considered “personally identifiable information” (PII). Given email’s pervasive reach, safeguarding it under the new GDPR quickly became a global issue — not just an EU one. Phishing scams popped up almost right away. Organizations became all too aware that their email practices could — even unintentionally — lead to massive fines.

The Complexity of GDPR

Now almost three years into the law, it’s safe to say that many on the compliance side view the GDPR as ambiguous at best, and (more often, if they’re honest) a complete mess. The rub lies at the intersection of the law and technology — not the intent — because digital and privacy don’t overlap cleanly. Technology moves at the speed of light, but government and law are designed to be slow and deliberative. As a result, it’s nearly impossible to segment a law like the GDPR in a way that scales across different geographies and different types and sizes of companies and further advances in technology. Aspirationally, the notion of consent in today’s digital world is essential, and protecting consumers’ private information is paramount. Practically and technologically speaking, however, the devil is in the details, and these ideas are much trickier than the GDPR set them out to be.

What does the GDPR even mean for compliance and security? The definitions are seemingly fluid. While privacy professionals participated in the creation of the law, communicating the conditions and requirements of GDPR compliance has proven more challenging in practice. For example, a clear definition is lacking on what “anonymous” means. Under the GDPR, anonymous data is not treated as personal data. But it is complicated to prove that data is truly anonymous. For instance, age alone is not a unique identifier, but the combination of demographics like age, gender or address could allow for identification. Another problem is that the GDPR’s many protections also let criminals cover their tracks, with few exceptions made for security teams’ needs.

The law’s level of specificity needs to change; things need to be defined more clearly. There’s too much uncertainty at the moment. So compliance professionals are understandably confused — and cautious — about the GDPR’s impact. With no end to the confusion in sight, compliance professionals are left questioning where the lines are and which practices and technologies are legitimate. Organizations are justifiably nervous and fearful of finding themselves on the wrong side of the GDPR.

Control the Controllable

Unfortunately, there is no silver bullet for GDPR compliance. But compliance professionals can and should control what’s controllable on their end. To manage and protect PII appropriately, organizations can start by looking at the services that send email on their behalf and ensuring that data processing agreements (DPAs) — a requirement of the GDPR — are in place for all of them. They can also employ a solution that locks down corporate-owned domains from unauthorized use. This is where DMARC (domain-based message authentication, reporting and conformance) shines.

DMARC is an email authentication tool and reporting protocol that protects an organization’s domains, brands and employees. The Global Cyber Alliance (GCA) touts it as the first and only widely deployed email security technology that helps to protect both customers and domain owners. According to GCA research, organizations that deploy DMARC on a single domain could realize up to a 35-fold return on their investment.

DMARC also provides critical insights that help to authenticate the source of the email. First, DMARC gives organizations visibility into who is sending email from their company domains. As a compliance professional, shouldn’t you know which companies and cloud services can send email on your company’s behalf?

Equally important, the visibility DMARC provides gives an organization the data it needs to manage and control its DPAs and stay GDPR-compliant. With DMARC, a company can enforce a rule that only those services that have signed DPAs can send email from the company’s domain.
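The two points above, visibility into who sends mail as your domain and the ability to cross-check those senders against signed DPAs, both come out of the DMARC aggregate (RUA) reports that receivers return to the domain owner. The following is an added example written for this article; it is not code from the author or from Valimail. It parses a DMARC TXT record to tell a monitoring-only policy (p=none) from an enforcing one, parses a constructed aggregate report in the RFC 7489 XML format, and buckets each sending IP into "covered by a signed DPA", "authenticated but not covered by a DPA" (a compliance gap), or "unauthenticated" (what an enforcing policy would block). The DPA allowlist, the example.com domain, all IP addresses and the report contents are constructed sample data.

```python
"""Added example (not from the article or Valimail): audit DMARC aggregate
reports against a list of sending services that have signed DPAs."""
import xml.etree.ElementTree as ET
from collections import defaultdict

ENFORCING_POLICIES = {"quarantine", "reject"}

# Constructed allowlist: sending IP -> service with a signed DPA (hypothetical).
DPA_ALLOWLIST = {
    "192.0.2.10": "corporate mail gateway",
    "198.51.100.7": "marketing platform (DPA signed 2020)",
}

# Constructed DMARC aggregate report (RFC 7489 Appendix C layout, abbreviated).
# policy_published/p is "none", i.e. the domain is only monitoring, not enforcing.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as "v=DMARC1; p=reject; rua=..." into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def is_enforcing(tags: dict) -> bool:
    """p=none only produces reports; quarantine/reject actually stop exact-domain spoofing."""
    return tags.get("v", "").upper() == "DMARC1" and tags.get("p", "none").lower() in ENFORCING_POLICIES


def published_policy(xml_text: str) -> str:
    """The policy the receiver saw in DNS when it generated the report."""
    return ET.fromstring(xml_text).find("policy_published").findtext("p", "none")


def parse_aggregate_report(xml_text: str) -> list:
    """Flatten each <record> into a dict of source IP, volume and aligned auth results."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "dkim": dkim,
            "spf": spf,
            # DMARC passes when either aligned identifier (DKIM or SPF) passes.
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return rows


def audit_senders(rows: list, dpa_allowlist: dict) -> dict:
    """Bucket message volume per source IP by DPA coverage and authentication."""
    buckets = {
        "covered": defaultdict(int),                 # authenticated and has a signed DPA
        "uncovered_authenticated": defaultdict(int), # legitimate-looking sender with no DPA on file
        "unauthenticated": defaultdict(int),         # would be blocked under p=reject
    }
    for r in rows:
        if not r["dmarc_pass"]:
            # An allowlisted service that fails here is misconfigured and needs fixing
            # before the policy is moved to enforcement, so it is still surfaced.
            buckets["unauthenticated"][r["source_ip"]] += r["count"]
        elif r["source_ip"] in dpa_allowlist:
            buckets["covered"][r["source_ip"]] += r["count"]
        else:
            buckets["uncovered_authenticated"][r["source_ip"]] += r["count"]
    return {name: dict(volume) for name, volume in buckets.items()}


if __name__ == "__main__":
    print("published policy:", published_policy(SAMPLE_REPORT))
    for bucket, volume in audit_senders(parse_aggregate_report(SAMPLE_REPORT), DPA_ALLOWLIST).items():
        print(f"{bucket}: {volume}")
```

Reading the output in compliance terms: the "uncovered_authenticated" bucket is the list of services that legitimately send as your domain but have no DPA on file, which is the gap the article says DMARC visibility exposes; the "unauthenticated" bucket is the volume an enforcing policy (p=quarantine or p=reject) would stop, and the published policy of "none" in the report means none of it is being stopped yet. Real allowlists are usually keyed by SPF includes or DKIM selectors rather than raw IPs, and real reports arrive as gzipped attachments to the rua mailbox; both are left out here to keep the example self-contained.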

Connecting the Puzzle Pieces

It’s important to note that DMARC only solves the issue of exact-domain impersonation (also known as domain spoofing) and, as a result, is just one piece of the GDPR compliance puzzle that organizations should be piecing together. But it sure is an important one. After all, phishing attacks are usually the weapon of choice for cybercriminals. Phishing data illustrates the scope of the problem:

  • 91 percent of all cyberattacks begin with a phishing email to an unsuspecting victim.
  • 68 percent of the phishing emails Gmail sees on any given day are wholly new and have never been seen before, according to a presentation from Google at Black Hat USA.

Further, the quick and targeted nature of email phishing illustrates how fast hackers move and change. Two other striking details emerge from that Google Black Hat USA presentation:

  • The average boutique phishing campaign lasts only seven minutes.
  • The average bulk phishing campaign lasts only 13 hours, equating to about 170 emails.

Cybercriminals always look for the easiest way in. If DMARC is in place and enforced for a particular domain, attackers are forced to either use other more complicated and time-consuming impersonation techniques or pick a different target. Research has shown that companies without DMARC have almost four times the volume of malicious email sent in their name.

Additional steps can provide even more protection. For example, implementing multi-factor authentication (MFA) is one of the most effective ways to lock down account access and protect your organization against account takeover attacks. Even if a phishing attack is successful, MFA can prevent attackers from using the stolen credentials to access protected systems. Is MFA bulletproof? No. But MFA combined with DMARC and other protections can substantially boost an organization’s security and its GDPR compliance.

The importance of DMARC as a GDPR puzzle piece is illustrated in the magnitude of benefits it offers organizations. Not only do compliance professionals get a catalog of services that help to ensure GDPR compliance, they also prevent their domains from sending fake GDPR notices to executives, employees and consumers.

Long Road Ahead

Compliance professionals have a long road ahead with GDPR. The law will continue to evolve over the next decade as litigation unfolds. Hackers will also continue to exploit that uncertainty, almost certainly ensuring more GDPR-themed phishing campaigns to come.

There is good news: Compliance professionals looking to cover a significant portion of the cyber risk in their roles — and protect their organizations from fear-fueled campaigns — have proven, readily available solutions at hand, including DMARC and MFA. Together, they can go a long way toward reducing the uncertainty around GDPR and the risk of noncompliance.

Seth Blank

Seth Blank is Vice President of Standards and New Technologies at Valimail. Seth is a serial entrepreneur and startup executive with multiple acquisitions under his belt. He brings 20 years of experience in building successful teams and scalable, profitable technologies. Seth is the current co-chair of the IETF DMARC Working Group, co-chair of the M3AAWG Technical Committee and chair of the AuthIndicators Working Group developing BIMI.
© 2025 Corporate Compliance Insights