Over 40% of essential services companies remain vulnerable to phishing

Published: 18 November 2025
Last modified: 21 November 2025
6 min read

A new analysis by Red Sift of 840 companies across the chemical, energy, and water and waste sectors reveals a concerning gap in email security adoption: 42% still have no enforcing DMARC policy, leaving their domains open to exact-domain spoofing in phishing and Business Email Compromise attacks.

As critical infrastructure providers face mounting pressure from regulators and increasingly sophisticated cyber threats, the data shows that many essential services companies have yet to implement basic email authentication protocols that could prevent devastating attacks.

The state of email security in essential services

Our analysis examined 840 companies across three vital sectors, evaluating their implementation of DMARC (Domain-based Message Authentication, Reporting, and Conformance), the email authentication protocol that lets a domain owner tell receiving servers to quarantine or reject messages whose SPF or DKIM result does not align with the visible From domain, and to send back reports on what was seen. With an enforcing policy in place, attackers can no longer send mail that claims to come from the organisation's own domain.

The findings reveal that while 58% of companies have achieved DMARC enforcement (p=reject or p=quarantine policies), a significant 42% remain unprotected, with either no DMARC record at all or a monitoring-only policy (p=none), which reports spoofing attempts but does nothing to stop them.

Breaking down the numbers

Overall statistics:

  • 112 companies (13%) have no DMARC policy whatsoever
  • 244 companies (29%) are in monitoring mode (p=none)
  • 198 companies (24%) have implemented quarantine policies (p=quarantine)
  • 286 companies (34%) have full enforcement with reject policies (p=reject)

This means that 356 companies, representing 42% of those analysed, are leaving themselves exposed to email-based attacks that could compromise operations, customer trust, and regulatory compliance.

Energy sector: leading the pack

The energy sector demonstrates the strongest email security posture of the three sectors analysed.

Figure: DMARC status of the U.S. Energy sector (pie chart)

Key statistics:

  • 274 companies examined
  • Only 6% (17 companies) have no DMARC policy
  • 26% (72 companies) remain in monitoring mode (p=none)
  • 23% (63 companies) have quarantine policies (p=quarantine)
  • 44.5% (122 companies) have full enforcement with reject policies (p=reject)

The energy sector's relatively strong performance likely reflects heightened awareness following high-profile attacks on critical infrastructure. However, the 32% (89 companies) still unprotected represents a significant vulnerability, particularly given the sector's role in national security and economic stability.

Energy companies face constant threats from nation-state actors and cybercriminals seeking to disrupt supply chains or steal sensitive operational data. Without enforced email authentication, these organisations remain vulnerable to Business Email Compromise (BEC), supplier impersonation, and credential harvesting attacks sent from their own domain names.

Chemical sector: room for improvement

The chemical industry shows more concerning gaps in email security adoption.

Figure: DMARC status of the U.S. Chemical sector (pie chart)

Key statistics:

  • 266 companies examined
  • 14% (36 companies) have no DMARC policy
  • 28% (75 companies) remain in monitoring mode (p=none)
  • 22.6% (60 companies) have quarantine policies (p=quarantine)
  • Only 35.7% (95 companies) have full enforcement with reject policies (p=reject)

The chemical sector's 42% unprotected rate (111 companies) is particularly worrying given the sensitive nature of the industry. Chemical companies handle hazardous materials, maintain complex supply chains, and operate facilities where security breaches could have catastrophic consequences.

Email remains a primary attack vector for industrial espionage, with competitors and hostile actors seeking formulas, manufacturing processes, and customer lists. The lack of DMARC enforcement leaves these companies vulnerable to sophisticated impersonation attacks that could compromise intellectual property or disrupt operations.

Water and waste: most vulnerable sector

The water and waste sector shows the most significant security gaps, with the lowest enforcement rate across all sectors analysed.

Figure: DMARC status of the U.S. Water & Waste sector (pie chart)

Key statistics:

  • 300 companies examined
  • 20% (59 companies) have no DMARC policy
  • 32% (97 companies) remain in monitoring mode (p=none)
  • 25% (75 companies) have quarantine policies (p=quarantine)
  • Only 23% (69 companies) have full enforcement with reject policies (p=reject)

This means that 52% of water and waste companies (156 of 300) remain unprotected, the highest vulnerability rate of any sector examined.

This finding is particularly concerning given the critical nature of water infrastructure. Water and wastewater treatment facilities are considered essential services, with attacks potentially affecting public health, environmental safety, and community wellbeing.

The sector has increasingly become a target for ransomware attacks and operational disruption. Recent years have seen multiple incidents where attackers gained access to water treatment systems, potentially compromising water quality controls. Phishing email remains one of the most common initial access vectors in such attacks, and a spoofable domain makes those lures far more convincing.

Why this matters for essential services

The 42% unprotected rate across these sectors represents more than just a technical gap. It's a critical vulnerability in infrastructure that society depends on daily.

Regulatory pressure is mounting

Essential services companies face increasing regulatory scrutiny around cybersecurity:

  • NIS2 Directive: the EU directive requires essential and important entities, which include energy, drinking water, waste water, waste management and chemicals operators, to implement cybersecurity risk-management measures and to report significant incidents
  • CISA guidance: the US Binding Operational Directive 18-01 required federal executive-branch domains to reach DMARC p=reject, and CISA's Cross-Sector Cybersecurity Performance Goals list SPF, DKIM and DMARC set to reject as a baseline for critical infrastructure operators; the directive itself, however, binds only federal agencies, not private operators
  • Sector-specific requirements: energy, water, and chemical facilities face industry-specific compliance obligations

Companies without proper email authentication may find themselves non-compliant with emerging regulations, facing potential fines and increased oversight.

The cost of compromise

Email-based attacks on essential services can have far-reaching consequences:

  • Operational disruption: Ransomware or system compromise can shut down critical operations
  • Supply chain impact: Compromised communications can disrupt logistics and supplier relationships
  • Public safety risks: Attacks on water or chemical facilities could threaten public health
  • Financial losses: BEC attacks have cost individual companies millions in fraudulent transfers
  • Reputational damage: Security breaches erode customer and public trust

Beyond brand protection

While DMARC is often positioned as a brand protection tool, for essential services companies it's fundamentally about operational security. Email remains one of the primary attack vectors for initial access, with attackers using impersonation techniques to:

  • Trick employees into revealing credentials
  • Authorise fraudulent payments or transfers
  • Install malware that provides persistent access
  • Gather intelligence for more targeted attacks

Without DMARC enforcement, attackers can spoof the organisation's legitimate domain in the visible From header, making phishing emails virtually indistinguishable from genuine communications. One caveat a practitioner should keep in mind: DMARC only governs the exact domain in the From header. Lookalike domains, display-name tricks, and mail sent from a compromised legitimate mailbox all pass DMARC unaffected, so enforcement closes the spoofing door but not every door.

The path forward

The good news is that 58% of companies have already implemented DMARC enforcement, proving that deployment is achievable even for complex organisations with diverse email flows.

For the 42% still unprotected, the path forward involves:

  1. Immediate assessment: query the _dmarc TXT record for every domain the organisation sends from, and inventory all legitimate email sources (corporate mail, marketing and ticketing platforms, SaaS notifications, printers and scanners)
  2. Gradual implementation: publish a monitoring policy (p=none) with an rua= address so that receivers start sending aggregate reports; nothing is blocked yet, but every sending source becomes visible
  3. Source validation: get each legitimate source to pass SPF or DKIM with a domain aligned to the visible From domain, fixing the ones the reports show failing
  4. Progressive enforcement: move to p=quarantine, ramping with pct= if needed, then to p=reject, and set sp= so that subdomains do not become the new spoofing target
  5. Ongoing monitoring: keep reviewing aggregate reports for new sources and for spoofing attempts, since the policy only stays safe while the source inventory stays current
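The following script is an added example, not Red Sift code or part of the original analysis. It does two things the article describes in prose: it buckets domains into the same four categories used in "Breaking down the numbers" (no policy, monitoring, quarantine, reject), including the edge cases that trip up a naive check (duplicate records, a malformed p= tag rescued by rua=), and it shows what a receiving server does with a spoofed message at each step of the path above, so the difference between p=none and p=reject is concrete. All DNS answers are constructed inline (the `.example` domains and the `SAMPLE_DNS` table are invented for the example, and nothing is resolved over the network), the organizational-domain logic is a deliberate simplification, and the function names are the example's own.

```python
"""Added example (not Red Sift code): bucket a domain's DMARC posture the way
the report does, then show what a receiver does with a spoofed message under
each bucket. Every DNS answer below is constructed; nothing is resolved."""

# Constructed _dmarc TXT answers: one per report bucket, plus edge cases an
# assessment has to get right before trusting its own numbers.
SAMPLE_DNS = {
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; rua=mailto:reports@monitoring.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@partial.example"],
    "_dmarc.enforced.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@enforced.example"],
    # Two DMARC records: policy discovery fails (RFC 7489 s6.6.3), same as no record.
    "_dmarc.duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    # Unparseable p= but a usable rua=: receivers act as if p=none were published.
    "_dmarc.typo.example": ["v=DMARC1; p=rejct; rua=mailto:reports@typo.example"],
    # nopolicy.example publishes no _dmarc record at all.
}

POLICIES = ("none", "quarantine", "reject")


def parse_tags(record):
    """'v=DMARC1; p=reject; pct=25' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '25'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def discover(domain, dns=SAMPLE_DNS):
    """Policy discovery for the From domain itself (the organizational-domain
    fallback for subdomains is omitted). Returns the effective tags or None."""
    answers = [r for r in dns.get("_dmarc." + domain.lower(), [])
               if r.lower().startswith("v=dmarc1")]
    if len(answers) != 1:           # zero or several records: no DMARC processing
        return None
    tags = parse_tags(answers[0])
    if tags.get("p") not in POLICIES:
        if not tags.get("rua", "").startswith("mailto:"):
            return None
        tags["p"] = "none"          # invalid p= with a valid rua= is treated as p=none
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for DKIM and SPF
    tags.setdefault("aspf", "r")
    return tags


def classify(domain, dns=SAMPLE_DNS):
    """Report bucket: no_policy, monitoring (p=none), quarantine or reject."""
    tags = discover(domain, dns)
    if tags is None:
        return "no_policy"
    return "monitoring" if tags["p"] == "none" else tags["p"]


def summarize(domains, dns=SAMPLE_DNS):
    """Counts per bucket plus the report's 'unprotected' total."""
    counts = {"no_policy": 0, "monitoring": 0, "quarantine": 0, "reject": 0}
    for domain in domains:
        counts[classify(domain, dns)] += 1
    counts["unprotected"] = counts["no_policy"] + counts["monitoring"]
    return counts


def org_domain(domain):
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(from_domain, spf=None, dkim=None, dns=SAMPLE_DNS):
    """spf and dkim are (authenticated_domain, passed) or None when absent.
    Returns (dmarc_result, receiver_action, pct)."""
    tags = discover(from_domain, dns)
    if tags is None:
        return ("none", "deliver", None)   # nothing published, nothing to enforce
    spf_ok = bool(spf and spf[1] and aligned(from_domain, spf[0], tags["aspf"]))
    dkim_ok = bool(dkim and dkim[1] and aligned(from_domain, dkim[0], tags["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", "deliver", int(tags["pct"]))
    action = "deliver" if tags["p"] == "none" else tags["p"]
    return ("fail", action, int(tags["pct"]))


if __name__ == "__main__":
    domains = ["nopolicy.example", "monitoring.example", "partial.example",
               "enforced.example", "duplicate.example", "typo.example"]
    print(summarize(domains))
    # Spoofed mail: visible From is the target; SPF passes only for the attacker's domain.
    for domain in ("monitoring.example", "partial.example", "enforced.example"):
        print(domain, disposition(domain, spf=("attacker.example", True)))
```

Two points worth noticing when running it. A message whose SPF passes for the attacker's own domain is still a DMARC failure, because alignment with the From domain is what counts; at p=none that failure is merely reported and the message is delivered, which is exactly why the article counts monitoring mode as unprotected. And the strict-alignment record (adkim=s) rejects mail DKIM-signed by a subdomain such as mail.enforced.example, so step 3 of the path above has to be checked against the alignment mode the record actually publishes, not just against "SPF or DKIM passes". To run this against live domains, swap the `dns` argument for a lookup that returns the TXT strings from a real resolver.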

The analysis reveals a sector-wide vulnerability that requires urgent attention. With 42% of essential services companies remaining unprotected against email-based attacks, the risk extends beyond individual organisations to the critical infrastructure that society depends upon.

For essential services providers, the message is clear: email security isn't just about protecting your brand, it's about protecting the critical services you provide and the communities you serve.

Want to understand your organisation's email security posture? Red Sift OnDMARC provides the visibility and tools you need to achieve DMARC enforcement and protect against email-based threats.

Get started today with a short demo.

Book your 30 min slot