Halloween, with its creepy costumes and excessive confections, is around the corner, so we took a look at DMARC adoption among the world’s top 100 candy manufacturers based on net sales.

The results were, well, chilling.

  • 62% had no DMARC record
  • 23% had a DMARC record with a p=none policy
  • 9% had a DMARC record with a p=reject policy
  • 6% had a DMARC record with a p=quarantine policy

Phishing continues to be the top cybersecurity threat for organizations, and even the Willy Wonkas of the world aren’t exempt. Like them or not, the tri-colored Candy Corn treat was the target earlier this month. Chicago’s Ferrara Candy Company, the largest maker of Candy Corn, was hit with a ransomware attack that interfered with production.

Though Ferrara’s parent company, Ferrero, has its domains locked down with DMARC, Ferrara’s DMARC record was only at p=none. While this policy is used for monitoring a domain’s use across the internet, it doesn’t stop bad actors from sending spoofed emails from the domain. We’re not sure how the cybercriminals accessed Ferrara’s IT network, but not having a DMARC record at p=quarantine or p=reject is a sign of less-than-adequate security measures. Cybercriminals employ phishing in the form of email domain spoofing and brand impersonation for business email compromise and ransomware attacks, among others.

When deploying DMARC, it’s best to roll it out across all of an organization’s domains, including parked domains, instead of focusing on individual domains. When DMARC is deployed at an organization across the entire domain portfolio, the process of deployment itself becomes much easier as there is complete organizational visibility, and managers get new tools to ensure all email is being sent in compliance with the organization’s standards.
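The policy buckets from the survey above, applied across a whole domain portfolio including parked domains, as an added example (not dmarcian's code). The domains and TXT values are constructed, the function names are hypothetical, and the DNS lookup of `_dmarc.<domain>` is left out so the block runs offline.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    tags = []
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag and match exactly.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt_records):
    """Bucket the TXT answers found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        # Zero records, or several: receivers apply no DMARC policy.
        return "no record"
    policy = records[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # missing or unknown p tag
    return policy

def audit(portfolio):
    """Tally policies and list domains that are not at quarantine/reject."""
    per_domain = {d: classify(txts) for d, txts in portfolio.items()}
    tally = Counter(per_domain.values())
    unprotected = sorted(d for d, c in per_domain.items()
                         if c not in ("quarantine", "reject"))
    return tally, unprotected

# Constructed sample: TXT answers for _dmarc.<domain> (assumed already fetched).
SAMPLE = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "shop.example": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "parked.example": [],                                   # parked, never configured
    "news.example": ["v=DMARC1; p=Quarantine; pct=100"],
    "old.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicate records
    "promo.example": ["google-site-verification=abc", "p=reject; v=DMARC1"],
}

if __name__ == "__main__":
    tally, unprotected = audit(SAMPLE)
    print(dict(tally))
    print("not enforcing:", unprotected)
```
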

Cybersecurity is an ever-evolving challenge for organizations large and small. There’s no one all-encompassing solution to address all elements in the threat landscape, so a layered approach is necessary. With such an approach, you can ensure that your defense controls and procedures are complementary and cover your organization’s systems and assets. DMARC is the email security bedrock that provides visibility into your domain use and lets you control who and what sends email on behalf of your domains.

The good news for Candy Corn lovers across the world: Ferrara was able to contain the attack and resume production, so you should be able to get all the Candy Corn you need.

dmarcian has helped purveyors achieve DMARC compliance with a p=reject policy. With a team of security experts and a mission of making email and the internet less spooky through domain security, we’re here to help people implement and manage DMARC for the long haul.

Get in touch with us or give our DMARC Management Platform a complimentary test run. Our onboarding and support team will help you along the way.