Naming and shaming of companies with poor cyber security
29th January 2019
A report from the Cyber Security Research Group and the Policy Institute at King’s College London, has suggested the government could help combat high cyber crime levels by naming (and shaming) companies with poor cyber security.
The Cyber Security Research Group at King’s College London brings together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science to promote better research into cyber-security. The other research partner in this case, the Policy Institute at King’s College London, is an independent research institute focusing on using evidence and expertise to tackle societal challenges.
Cyber crime levels
The report highlights the fact that the government’s 2018 data breach survey showed 4 in 10 businesses experienced a cyber security breach or attack in 2017-18 and this should be grounds to enable the public to see what steps are being taken by companies (or not) to keep users safe online and to protect their data.
Championing the ACD programme
The report also champions the government’s Active Cyber Defence (ACD) programme, which was developed by the National Cyber Security Centre (NCSC) for the public sector, as something that could bring benefits if rolled-out to the private sector too, and/or if at least the tools and techniques of ACD could be extended beyond the public sector.
The report points to the relative success ACD has had in bringing about a fall in scam emails from fake government addresses and in shutting down thousands of “phishing” sites that pose as government agencies in order to steal users’ personal information. Symantec figures, for example, show that phishing rates have increased across most industries and organisation sizes and, in this latest report, Tim Stevens, convenor of the Cyber Security Research Group at King’s College London notes that, according to his research findings, ACD could be rolled out beyond the public sector legally, cheaply and efficiently, with few obstacles, and could help to tackle phishing. The report, therefore, urges non-public sector organisations to engage more actively with the NCSC to deploy ACD as a tool to better tackle cyber-crime in the UK.
According to the National Cyber Security Centre (part of GCHQ), the ACD defense programme can be used to tackle cyber attacks in a relatively automated and scalable way. Last February, when the results of the NCSC’s Active Cyber Defence programme figures were published, they showed the UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (Nov 2017), and that 121,479 phishing sites hosted in the UK had been removed, and 18,067 sites worldwide that were spoofing UK government sites had been removed as a result of the ACD programme.
What does this mean for your business?
Reputations are vitally important to businesses, as cyber-security defences should be, and making sure strong data protection measures are in place is critical. With this in mind, the idea that there could be a public naming and shaming of companies with poor cyber-security could be one way to incentivise action to bring about improvements and contribute to the tackling of cyber-crime across the private as well as public sector.
The NCSC, for example, has been working with companies for some time with the ACD programme to help them protect their customers. For example, the NCSC launched a collaborative online platform where BT has been able to share its threat intelligence data with other UK ISPs and the NCSC has offered support to BT to help strengthen its security and block malicious malware infections.
As acknowledged, however, in the Cyber Security Research Group and the Policy Institute at King’s College London report, ACD is not a finished product but a work in progress and it is not a single entity amenable to simple, one-off deployment. Also, a government programme that is extended to the private sector could face suspicion as being, perhaps, a way for the government to scan and collect data about private organisations. For this reason, the CSRG and King’s College London report recommends perhaps putting a buffer between the government’s intelligence community and third parties in the form of regulatory authorities in each sector e.g. the Charity Commission in the third sector.
In reality, effective cyber security comes from a large number of factors working together, including education and training as well as deploying relevant technologies, but the figures from the success of the ACD programme so far show that it, or tools based upon it, could have real value as part of a number of measures that could help reduce cyber crime for private as well as public sector organisations.