The UK government should name and shame companies whose cyber security measures fail to protect consumers’ data, according to a new report from King’s College London’s Cyber Security Research Group, which promotes research into cyber security, and the Policy Institute, an independent research institution which works to solve societal challenges with evidence.
The report, called UK Active Cyber Defence: A public good for the private sector, argued that publishing details of companies that are not taking steps to keep users safe online, would incentivise businesses to improve their defences and help combat cyber crime such as online fraud and identity theft. It comes on the back of the Ipsos MORI Cyber Security Breaches Survey 2018, which found than four in 10 businesses experienced a cyber security breach or attack in 2017-18.
King’s College London wants businesses, charities and other organizations to adopt measures included in the government’s Active Cyber Defence (ACD) programme, which has up until now only covered public sector organizations. The university claims that the technology at the heart of the programme has led to a significant fall in scam emails from fake government addresses and the removal of thousands of phishing sites which pose as government agencies to steal users’ personal information.
“Our research finds that ACD could be legally cheaply and efficiently rolled out beyond the public sector, to further protect people online,” said Dr Tim Stevens, convenor of the Cyber Security Research Group at King’s College London.
“The UK case study suggests that a relatively minimal investment in ACD might help raise the bar of cybersecurity across the board – although some firms and organizations will inevitably be left behind,” he added.
Stevens said that for those unable to invest, guidance would be made available by the government’s National Cyber Security Centre (NCSC) and other agencies.
“Those unwilling to invest may find their customers moving to more cyber-secure competitors. Those that knowingly harbour cyber-criminality or fail to promote safe cybersecurity practices may find themselves identified publicly,” he said.
“This happens already, when data breaches are revealed in the press for instance. NCSC has suggested there may be a future need to name and shame persistent offenders but how that would work has not ben articulated. No one really wants to have to do this, the hope is that organizations will want to pursue better cyber security anyway,” he added.