DAMIEN MEYER/AFP/Getty Images
show image

Government should name and shame companies with poor cyber security, say experts

Academics at King’s College London have called on the government to name and shame companies with poor cyber security.

In a new report published today (22 January), researchers at the university’s cyber security research group argue that consumers deserve greater insight into how firms are protecting their data.

A move to increase transparency around businesses’ cyber defences would force poorly performing companies to improve their protections, leading to a reduction in crime, say the authors.

The intervention comes as the National Cyber Security Centre rolls out out its Active Cyber Defence programme, which has removed thousands of phishing sites, beyond the public sector to all organisations.

“Naming and shaming is an option of last resort, but should not be taken off the table,” said Tim Stevens, convenor of the Cyber Security Research Group at King’s. “ACD’s ambition is to incentivise firms to improve cybersecurity by demonstrating its inherent value to them and their customers.”

“A relatively minimal investment in ACD may raise the bar of cybersecurity across the private sector, but some firms will inevitably be left behind,” he added. “For those unable to invest, guidance and advice will be available from NCSC and others. Those unwilling to invest may find that people move their custom elsewhere. Those that harbour cybercriminality may find themselves identified publicly, as presently happens anyway.”

The academics acknowledge that a move to sign up private sector organisations to government technology such as ACD, which scans sites for vulnerabilities, may raise privacy concerns, but says they could be allayed if regulators were responsible for managing the rollout.