Should we ‘name and shame’ cybersecurity shirkers?

A recent UK report recommends the government reveal the identity of companies that fail to protect consumer data.
30 January 2019

Hotel chain Marriott was subject to a high-profile data breach this month. Source: Shutterstock

As companies the world over grapple with a host of cybersecurity threats and an ever-evolving digital landscape, it is getting progressively harder to stay one step ahead of the latest attacks.

According to a recent report by the King’s College London Cyber Security Research Group, the National Cyber Security Centre (NCSC) recommends that it is time to “call out the companies who consistently fail to take fraud and security seriously.”

The report states that one of the biggest problems is incentivizing organizations across the critical national infrastructure (CNI), which includes small and medium-sized businesses, to adopt better cybersecurity practices.

“Organizations that adopt better cybersecurity will survive and thrive; those that do not will fail or, at the least, risk their competitive advantage,” it states.

This ‘Cyber-Darwinism’ take on the issue is what the NCSC aims to highlight through its emphasis on Active Cyber Defence (ACD). In the last two years, over four in 10 businesses and one-fifth of charities were subject to a cybersecurity breach or attack.

Official figures suggest that a UK resident is more likely to be a victim of cybercrime or fraud than any other offense.

One estimate suggests that £4.6 billion (US$6 billion) was stolen from 17 million UK internet users in 2017 alone.

In its first annual report on ACD, published in February 2018, NCSC reported that ‘people in the UK are objectively safer in cyberspace because of the ACD programme.’

For example, its ‘Takedown Service’, run in partnership with cybersecurity firm Netcraft, has more than halved the UK’s share of global phishing attacks to 2.4 percent. Nearly 140,000 UK-hosted phishing sites have been removed following takedown requests, as well as more than 14,000 impersonating the UK government.

Meanwhile, its ‘Protective DNS’ blocked an average of nearly 11,000 malicious domains every month, making these unavailable to government web users, while ‘Web Check’ identified over 2,300 urgent issues across the government’s digital estate, allowing them to be fixed.

A final facet of ACD is ‘Protocol Monitoring’, developed with British Telecom (BT) to share threat intelligence with other ISPs (Internet Service Providers).

Where responsibility lies

The ultimate message of the report is that private-sector entities have a responsibility to actively reduce the risks to consumers from the information that the companies hold, handle or propagate on others’ behalf.

It will demand a more comprehensive public-private partnership for cybersecurity than ever before, but many ACD provisions are relatively cheap to implement and can lead to significant and tangible gains in cybersecurity.