UK Government Should Publicly “Call Out” Firms with Poor Cybersecurity
A report published by the Cyber Security Research Group and the Policy Institute at King’s College London suggests the UK Government should name and shame companies with poor cybersecurity practices.
Companies with inadequate security practices should be named and shamed, according to a report published this month.
The report suggests that, in order to maintain online safety, companies should be named to prompt them into improving their security practices.
Researchers also advise that businesses and organisations across the UK should adopt measures proposed by the Government, such as the Active Cyber Defence (ACD) programme, developed by the National Cyber Security Centre (NCSC).
Until now, this programme has only included public sector organisations; however, it is now being rolled out further to improve cyber defence across British industry.
Shaping the Cybersecurity Marketplace
ACD can play a “powerful role” in shaping the cybersecurity marketplace and “furthering the interests of UK internet users and consumers”, according to the report.
If it can be showcased as a means of protecting end-users in government, commercial industries and other services from cybercrime, then consumers may seek to use organisations that provide ACD by default, it suggests.
“If public trust in a firm or charity derives in part from good cybersecurity, organisations that adopt ACD as a way of improving cybersecurity will benefit; those that do not will suffer,” the report says.
Steps to encourage industry and others to adopt ACD will need to be taken through a ‘sticks and carrots’ approach, the report recommends. However, over time the uptake of ACD by major companies and industry bodies will “assist greatly in this process.”
The report suggests that ‘carrots’ “may not be enough to incentivise private firms to adopt ACD measures or to take necessary remedial actions in good time” and notes that NCSC has considered “calling out” companies who consistently fail to take security – and fraud – seriously.
The report argues that ACD has “significant potential” in helping the UK improve and further develop national cybersecurity.
Already, initial indications suggest that ACD has helped to reduce both the volume and the impact of low-level cybercrime on government agencies and service users. Due to this initial success, the report says the roll-out of ACD beyond the public sector is an achievable goal and could help to shore up cyber defences across British industry.
“There are no significant technical obstacles to extending these protections beyond the public sector and no fundamental reasons why ACD tools and techniques should not be tested and deployed as appropriate,” the report says.
“We propose that firms and other stakeholders engage more actively with government through the NCSC in order to develop further how ACD might be deployed throughout UK networks as a means of countering cybercrime in the UK,” the report adds.
Engagement between non-public sector organisations and the NCSC is critical, the report suggests, to improving cybersecurity moving forward. Some companies and trade bodies are already developing systems that use the technology at the heart of ACD, while others are utilising comparable tech.