Academic report argues businesses with poor cyber security should be publicly named and shamed
The cost of doing business in today’s GDPR world has been highlighted after a report suggested that businesses should be publicly named and shamed by the government for poor cybersecurity.
The report argues that publicly shaming firms with poor cyber defences will incentivise them to improve those defences and help combat cyber crime.
Many security experts have warned previously that outdated cyber defences are putting organisations at risk from constantly changing online threats.
The report, however, points out that private firms should implement the Active Cyber Defence (ACD) programme, which has been a key aspect of the work of the National Cyber Security Centre (NCSC) for a couple of years now.
Until now, it has been mostly public sector organisations that have followed the ACD scheme.
The report, written by experts at the Cyber Security Research Group and the Policy Institute at King’s College London, believes that private businesses applying ACD would have “significant potential in helping improve UK national cybersecurity.”
It laments the fact that the NCSC has “no legal power to mandate ACD in any circumstance.”
The report’s authors suggested that the National Cyber Security Centre expand its focus to include private businesses as well as public sector organisations.
Name and Shame
“We recommend that ACD be conceptualised provisionally as a public good to be delivered by both public and private partners,” the report stated.
“This may not be an easy pill to swallow for some private entities but, if NCSC is correct that ACD can help deliver a safer and more secure UK cyberspace, this will benefit companies as well as individual users,” it added.
“The UK case study suggests that a relatively minimal investment in ACD might help raise the bar of cybersecurity across the board – although some firms and organizations will inevitably be left behind,” Dr Tim Stevens, one of the report’s authors, was quoted by Forbes as stating.
“Those unwilling to invest may find their customers moving to more cyber-secure competitors,” he said. “Those that knowingly harbour cyber-criminality or fail to promote safe cybersecurity practices may find themselves identified publicly.”
The call for private firms to be held accountable is sure to trigger a debate within business communities.
Many will feel that publicly identifying a private company with shoddy cybersecurity should only be a last resort.
Others will no doubt argue that it is the only way to force them to bolster their cyber defences in these dangerous times.