“Shaming could end up punishing bootstrapped startups”

Renowned cybersecurity expert Cal Leeming says we should be careful of publicly shaming companies with substandard cybersecurity.

By Cal Leeming
Tuesday 19 March 2019

Private companies should be incentivised to improve their cyber defences by “publicly shaming” those that do not comply with accepted norms. This, at least, is the argument of policy experts at the Cyber Security Research Group at King’s College London, who say it will help combat cybercrime. I am not so sure.

There are merits to using ‘public shaming’ — to an extent. Standardisation across private companies has obvious benefits and makes it easier to mitigate cyber risk when everyone is on the same page. But the value of naming and shaming depends on what these standards are.

The proposed programme is the UK’s Active Cyber Defence (ACD), a solution created by the National Cyber Security Centre to combat cybersecurity vulnerabilities in the public sector. The solution includes six “relatively automated” services which are free for organisations to use, such as a “takedown service” for malicious website content and a tool which blocks access to known bad domains.

The problem with the “name and shame” approach is that these tools simply aren’t compatible with some companies. For example, reporting phishing websites, compromised sites and fake company websites to the takedown service is a time-consuming task. This might be suitable for, say, a communications provider or data centre provider, but wouldn’t be feasible for a smaller company or startup.
It’s also unhelpful to assume that enterprises are solely to blame for substandard cybersecurity practices. Even combating primitive cyber attacks is a complex job, forcing many companies to outsource their security to third parties. These services mostly focus on detecting and responding to issues after they occur rather than preventing them. Even though public shaming could incentivise companies to be more proactive in using cybersecurity prevention tools, it’s not realistic to expect smaller companies to have total control over the tools they use. Shaming could end up punishing bootstrapped startups rather than promoting better services for them to use.

Over-exposure

Even if the cybersecurity standards were more appropriate for smaller enterprises, would “naming and shaming” companies actually have an impact? It only works if companies believe that public exposure will affect customer confidence and cause profit and reputation loss. It’s not clear that this risk is real and persists over time. Already there’s too much hyperbole, social hype and fear in public discourse on cybersecurity. We must be careful not to further desensitise the public to cyber issues through over-exposure in social and media circles. Otherwise, if we cry wolf too many times, the impact is lost even when public shaming does highlight significant issues at an important company.

ACD preaches the mantra to “protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time.” A lofty goal indeed, intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks.
The UK’s NCSC would also like to see this programme implemented abroad, providing a model of best practice to help shape cybersecurity norms – a global standardisation for universal benefit. Again, a lofty goal. These goals won’t be achieved by leaking details to the press of which companies are not taking steps to keep users safe online. In reality, no one really wants to have to do this; the hope is that organisations will want to pursue better cybersecurity for their own sake, with or without the threat of punishment or shaming. Most companies will strengthen their cybersecurity to the level needed to protect their business and their stakeholders, simply to survive and thrive in today’s business environment.

History tells us that forcing companies’ arms usually garners resentment and a mindset that is counter to the cooperative relationships needed to really improve cybersecurity. Compliance with a standardised programme only encourages conformity, not real change.

“A public good for the private sector”

Excerpt from the Cyber Security Research Group’s proposal:

NCSC has hinted at the influence of ‘cyber-Darwinism’ at work. Organisations that adopt better cybersecurity will survive and thrive; those that do not will fail or, at the least, risk their competitive advantage. If consumers cannot trust a company, they will withdraw their support and a company’s bottom line will suffer. The appropriate lever here is public perception of a company’s commitment to securing its consumers’ data and activities, backed up with publicly available information that demonstrates what a particular company is or is not doing when it comes to ACD. The hope with ACD is that it can help identify which companies are adhering to good practices and which are not. The ‘carrot’ is the recognition of one’s commitment to cybersecurity; the ‘stick’ is the risk of going out of business.
Cal Leeming is a renowned cybersecurity expert and co-founder of many successful startups including his bespoke security solutions company, River Oakfield.