global cyber alliance (GCA)
branded story
Protecting the Global Economy Against Cyber Threats

n its latest Global Risks Report, the World Economic Forum includes cyber-attack as one of the biggest threats facing our world in 2019. Some studies estimate that cybercrime costs the global economy as much as $600 billion1. The issues have never been more complex and the need for action more critical.

The Global Cyber Alliance (GCA), a nonprofit organization, is working to address these issues. Founded by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security, GCA is dedicated to eradicating cyber risk and improving our connected world by bringing free cybersecurity solutions to the world.

GCA’s initial efforts have been focused on reducing the risk of phishing as it remains one of the biggest risks – from delivery of malware and ransomware to the gathering of sensitive data to commit fraud. In fact, multiple studies show that over 90% of breaches begin with an email. GCA has developed a platform to enable easier implementation of an existing email authentication protocol known as DMARC and has built a global service known as Quad9 that prevents access to known malicious websites. Most recently, GCA has set its sites on making these and other tools more accessible to small and medium-sized business.

GCA’s initial efforts have been focused on reducing the risk of phishing as it remains one of the biggest risks – from delivery of malware and ransomware to the gathering of sensitive data to commit fraud.
GCA Cybersecurity Toolkit Logo
Small and medium-sized business (SMBs) are some of the most vulnerable entities when it comes to cyber-attacks. Some estimates indicate that 58 percent of cyber-attacks are targeted against small businesses2. These attacks include phishing, malware, ransomware and more – all of which can have devastating financial consequences. According to the OECD3:

  • Small businesses account for 99% of businesses globally including businesses in the EU, UK and US.
  • Small businesses account for, on average, about 70% of jobs.
  • Small businesses generate more than half the of the value added by most economies.

Small businesses remain some of the most vulnerable to cyber-attack, because they often don’t have the resources or knowledge needed to protect themselves. Yet, small businesses are part of the supply chain for government and enterprise, they provide critical services, and provide the vast majority of jobs. The potential for harm doesn’t just stop with a business that has had a cyber event. Small businesses need operational tools and guidance that can can be implemented with relative ease to reduce their risk. Resourcing small businesses with tools to reduce their cyber risk strengthens their individual businesses and helps to reduce the third-party and supply-chain risk for larger companies and governments.

To this end GCA, in collaboration with our partners, developed the GCA Cybersecurity Toolkit for Small Business, a free, operational resource that small businesses can use to significantly reduce their cyber risk. The GCA Cybersecurity Toolkit for Small Business, sponsored by Mastercard, is aligned with the leading cybersecurity recommendations from the Center for Internet Security Controls (CIS), the United Kingdom’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC). All of the tools included in the toolkit are free and have been tested and evaluated by a team of cybersecurity experts to ensure they work and can be used by those who are not technical experts.

What’s in the GCA Cybersecurity Toolkit?
The toolkit is broken down into six toolboxes of basic areas of risk to be addressed. Within each toolbox are tools and reference materials to help educate and provide guidance. The goal is to make it as easy as possible for small businesses to understand the risks and select the right tools.

The first version of the toolkit features more than two-dozen tools and resources that help small businesses implement best practices in the following categories:

  • Know What You Have (inventory of devices and applications)
  • Update Your Defenses (updates, patches and vulnerability management)
  • Beyond Simple Passwords (passwords and two-factor authentication)
  • Prevent Phishing and Viruses (DNS security, anti-virus and ad blockers)
  • Protect Your Brand (email authentication and brand monitoring)
  • Defend Against Ransomware (create backups)

Entities can follow step-by-step guidance found in the toolboxes, and users can rate the tools and provide other input that will inform future development of the toolkit to ensure it continues to meet SMBs needs.

Domain-based Message Authentication, Reporting and Conformance
Now for a look at a few of the other projects GCA has been working on. As mentioned earlier, GCA has been working on supporting the email authentication protocol known as DMARC – which stands for Domain-based Message Authentication, Reporting and Conformance. Basically, it verifies that an email is authorized to be sent from the domain being used (the part of the email address after the “@”), preventing the type of email phishing known as direct domain spoofing, which can be extremely difficult to detect. To that end, DMARC has an additional benefit of ensuring delivery of the sender’s email, keeping it out of the junk or spam folder.
Dmarc Logo
DMARC was founded by some of the most highly phished brands in 2012. Fed up and frustrated by the problem of having their email domains used for fraudulent purposes, they took action. In a collaborative effort, the DMARC protocols were developed and made available for all to use. As of this day, the majority of consumer email is already protected by DMARC.

GCA discovered, however, that despite the tremendous benefits of DMARC, there was not broad adoption by government and the private sector. We addressed this issue in two ways: 1) Creating an online tool to walk people through the implementation process supported by a library of education resources; and 2) Evangelizing DMARC to the world and encouraging broad adoption. The GCA DMARC Setup Guide, available at is available in 18 languages and has been used by thousands.

GCA Cybersecurity Toolkit
Since beginning work on DMARC, there has been growing international support. In June 2016, the UK government mandated that all UK government departments implement DMARC. The US government followed suit in 2017 with a similar mandate, and the Netherlands has come on board as well. The majority of large banks have implemented DMARC, and adoption campaigns are underway in a number of other sectors. Most recently, the Cybersecurity Tech Accord, a coalition of more than 80 global technology companies committed to improving cyberspace through collective action, has committed to the adoption of DMARC.
Investment in cybersecurity is smart business. Whatever your status – whether a large corporation, government entity, non-governmental organization – chances are your stakeholders are small businesses.
Some have questioned the return on investment of implementing DMARC, so GCA did some research into the economic benefits of DMARC. It was not easy, as there is a dearth of data available, but an approach was found in looking at just one of the problems that DMARC helps reduce: Business Email Compromise (BEC). GCA found there is in fact a significant return on investment to companies that deploy it. The report, The Economic Benefits of DMARC Adoption, released in late 2018, shows the 1,046 domains that have implemented DMARC at quarantine or reject using GCA’s DMARC Setup Guide will save an estimated $19 million to $66 million dollars by limiting BEC for the year of 2018 alone. These organizations will continue to reap that reward every year in which they maintain the deployment of DMARC. If these 1,046 domains maintain DMARC for 5 years, the cumulative savings is likely to exceed $100 million.
Quad9 Logo
Quad9 is the other major initiative that GCA has undertaken. Quad9 is a free, global DNS service that provides Internet security and privacy by preventing the end user from accessing malicious web domains. Built in collaboration with IBM and Packet Clearing House (PCH), Quad9 is a globally distributed service that is free for anyone to use – it takes less than a minute to set up, a quick change to the DNS settings on a computer or other device. The protection afforded is immediate. Anyone and any organization is welcome to use Quad9. Learn more about Quad, including set-up information, at

Investment in cybersecurity is smart business. Whatever your status – whether a large corporation, government entity, non-governmental organization – chances are your stakeholders are small businesses. They may be your vendors, clients or partners. Improving your partners’ security will reduce your risk, cut your costs, and contribute to strengthening the security of our global economy.

To access the DMARC Setup Guide, Cybersecurity Toolkit for Small Businesses and all of GCA’s free resources, visit us at