Vendors’ Email Security Controls ‘Wake-Up Call’ to Industry
Most cybersecurity vendors have yet to adopt basic email security controls to protect their customers from third-party risk.
That’s according to an assessment of 205 security vendors by email security provider Agari at this week’s Gartner Security & Risk Management Summit.
Armen Najarian, Agari’s CMO, tells us the assessment is a “real wake-up call” to the cybersecurity industry, as many vendors are exposing their customers as well as their own employees to unnecessary risks delivered via email.
“The most surprising finding really is the deafening silence from the majority of affected vendors we evaluated,” he said. “It is symptomatic of the problem not being taken seriously enough and a nod toward status-quo thinking. It seems to reflect a ‘not broken, don’t fix’ attitude. We’re trying to point out here that legacy email security is somewhat inadequate for the modern risks we are all facing. The secure email gateway (SEG) needs help, as do the new cloud email platforms. Even better if that help is easy to implement and cost-effective.”
Vendors should have their domain-based message authentication, reporting and conformance (DMARC) policy set at reject, ensuring that unauthenticated emails will not be delivered to the inbox. Only 10 percent of the vendors assessed are at reject, which indicates the remaining companies are at great risk of brand impersonation attacks, according to Agari.
Some 11% are at quarantine, which still allows unauthenticated or potentially bad emails from fraudsters to reach an individual’s or company’s mailbox, where they land in the spam folder.
And 78% have no DMARC record at all, which means their companies are highly vulnerable to brand domain abuse, putting their customers, employees and executives at risk unnecessarily.
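The postures described above (reject, quarantine, no record) can be read from the TXT records a domain publishes at `_dmarc.<domain>`. The sketch below is an added example, not Agari's methodology: it buckets constructed records for reserved `.example` domains, and as a simplification it reports any record without a valid `p=` tag as `invalid`.

```python
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def classify(txt_records):
    """Bucket the TXT strings found at _dmarc.<domain>."""
    # A DMARC record must begin with the exact version tag v=DMARC1.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not dmarc:
        return "no-record"
    if len(dmarc) > 1:
        return "invalid"  # RFC 7489: multiple records, so no policy applies
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    return policy if policy in POLICIES else "invalid"


def tally(zone):
    """Count domains per bucket; zone maps domain -> TXT strings at _dmarc."""
    return Counter(classify(records) for records in zone.values())


# Constructed sample data (reserved example domains, not real vendors).
SAMPLE_ZONE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": [],                                   # nothing published
    "e.example": ["v=spf1 -all"],                      # SPF only, no DMARC
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # conflicting
    "g.example": ["v=DMARC1; p=rejct"],                # typo in policy value
}

if __name__ == "__main__":
    for bucket, count in sorted(tally(SAMPLE_ZONE).items()):
        print(f"{bucket:12} {count}")
```

A `p=none` record is monitoring only: reports are collected, but receivers are not asked to quarantine or reject failing mail.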
“This is a credibility issue that vendors may not even be aware they have,” Najarian said. “These security companies every day ask customers to trust their security technology, yet the vendors themselves are not protecting their own companies. So a vendor that has essential email authentication controls in place is definitely going to have an advantage in the hotly competitive security and risk market. It allows vendors the ability to demonstrate their own expertise, while trying to close new deals. We’re seeing DMARC implementation as a listed control in security reviews for third-party vendors by more and more companies and government agencies.”
Also during the Gartner summit, Valimail, an email security provider and Agari competitor, announced a $45 million Series C investment from Insight Partners. Combined with previous investments, Valimail now has raised $84 million in funding since its founding in 2015.
“Phishing and business email compromise (BEC) attacks are on the rise around the world and the losses have mounted into the billions,” said Thomas Kane, Insight vice president. “It’s clear that other email security technologies have not solved this urgent global problem. Valimail’s trust layer represents a fundamentally better approach to solving this crisis of fake sender identities. What’s more, Valimail’s exceptional customer loyalty is a vivid confirmation of their capabilities. We’re excited to partner with Valimail as they accelerate their global expansion.”
Valimail recently expanded its network of VARs, SIs and email security vendors, including a global partnership with Symantec, which is now selling a joint email authentication solution to customers globally. Valimail also partnered with Microsoft to provide an email visibility product to Microsoft Office 365 customers.