UK told to ‘name and shame’ firms with poor cyber security

Academics at King’s College London have called on the UK Government to name and shame companies with poor cyber security.

In a report, researchers at the university’s cyber security research group argue that consumers deserve greater insight into how firms are protecting their data.

A move to increase transparency around businesses’ cyber defences would force poorly performing companies to improve their protections, leading to a reduction in crime, say the authors.

Their report comes as the National Cyber Security Centre rolls out out its Active Cyber Defence programme, which has removed thousands of phishing sites, beyond the public sector to all organisations.

“Naming and shaming is an option of last resort, but should not be taken off the table,” said Tim Stevens, convenor of the research group at King’s. “ACD’s ambition is to incentivise firms to improve cybersecurity by demonstrating its inherent value to them and their customers.”

“A relatively minimal investment in ACD may raise the bar of cybersecurity across the private sector, but some firms will inevitably be left behind,” he added.

“For those unable to invest, guidance and advice will be available from NCSC and others. Those unwilling to invest may find that people move their custom elsewhere. Those that harbour cyber criminality may find themselves identified publicly, as presently happens anyway.”