Brian Jackson - Fotolia

Name and shame firms with poor cyber security, government told

The government should name and shame companies whose cyber security measures fail to protect consumers’ data and firms should implement Active Cyber Defence, an academic report urges

In the light of the fact that four in 10 businesses experienced a cyber security breach or attack in 2017-18 according to the government’s 2018 data breach survey, the public should be able to see what steps firms are taking to keep users safe online, a report says.

The report, from the Cyber Security Research Group and the Policy Institute at King’s College London, argues that naming companies with poor cyber security will incentivise organisations to improve their defences and help combat cyber crime.

The Cyber Security Research Group at King’s College London promotes research into cyber security by bringing together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science, while the Policy Institute at King’s College London is an independent research institute that works to solve societal challenges with evidence and expertise.

The researchers also recommend that businesses, charities and other organisations adopt measures included in the government’s Active Cyber Defence (ACD) programme developed by the National Cyber Security Centre (NCSC), which has until recently only covered public sector organisations, but is now being rolled out further.

The report argues that the technology at the heart of the ACD programme has led to a significant fall in scam emails from fake government addresses and the removal of thousands of “phishing” sites that pose as government agencies to steal users’ personal information.

“The Active Cyber Defence programme has been a huge success in protecting government agencies and those who use them from cyber threats,” said Tim Stevens, convenor of the Cyber Security Research Group at King’s College London.

“Our research finds that it could be rolled out beyond the public sector legally, cheaply and efficiently to further protect people online,” he said, adding that greater transparency around the level of cyber security employed by businesses and other organisations will motivate them to adopt ACD measures that will keep users and their data safe.

The report concludes that there are no significant technical obstacles to extending ACD tools and techniques beyond the public sector, and that some firms and trade bodies are already developing systems that use this or similar technology.

But it urges non-public sector organisations to engage more actively with the NCSC to deploy ACD and tackle cyber crime in the UK better.

Read more about Active Cyber Defence

However, the researchers recognise potential privacy concerns around the use of government-developed technology outside the public sector, particularly around the ACD “Web Check” tool, which identifies basic vulnerabilities in website design.

To prevent this being seen as the government “scanning” and collecting data on private organisations’ websites, the researchers recommend creating a buffer between the intelligence community and third parties by assigning responsibility for such tools to regulatory authorities in each sector, such as the Charity Commission in the third sector.

According to the report, the ACD programme should be considered a “public good” that delivers cyber security benefits to the population as a whole without members of the public needing to “opt in” for protection online; that the ACD programme can extend the UK’s cyber security influence abroad, providing a model of best practice and helping to shape global cyber security norms; and that the ACD shows great promise in tackling UK cyber crime and should be expanded and given time to mature, although the report makes it clear that the ACD programme alone is not a “silver bullet”.

Read more on Hackers and cybercrime prevention

Data Center
Data Management