March 19, 2019

"Shaming could end up punishing bootstrapped startups"

Renowned cybersecurity expert Cal Leeming says we should be careful about publicly shaming companies with substandard cybersecurity.

Cal Leeming


Private companies should be incentivised to improve their cyber defences by “publicly shaming” those that do not comply with accepted norms. This, at least, is the argument of policy experts at the Cyber Security Research Group at King’s College London, who say it will help combat cybercrime.

I am not so sure. There are merits to using ‘public shaming’ — to an extent. Standardisation across private companies has obvious benefits and makes it easier to mitigate cyber risk when everyone is on the same page.

But the value of naming and shaming depends on what these standards are.

The proposed programme is the UK’s Active Cyber Defence (ACD), created by the National Cyber Security Centre (NCSC) to protect the public sector from commodity cyber attacks. It includes six “relatively automated” services which are free for organisations to use, such as a takedown service for malicious website content and a protective DNS service that blocks access to known bad domains.


The problem with the “name and shame” approach is that these tools are not a good fit for every company. For example, reporting phishing websites, compromised sites and fake company websites to the takedown service is a time-consuming task. That might be manageable for, say, a communications provider or a data centre provider, but it isn’t feasible for a small company or startup.


It’s also unhelpful to assume that enterprises are solely to blame for substandard cybersecurity practices. Even defending against unsophisticated attacks is complex work, which forces many companies to outsource their security to third parties. Those services mostly focus on detecting and responding to incidents after they occur rather than preventing them.

Public shaming might push companies to adopt preventive tools more proactively, but it is not realistic to expect smaller companies, whose security is largely outsourced, to have full control over the tools they use. Shaming could end up punishing bootstrapped startups rather than promoting better services for them to use.


Even if the cybersecurity standards were more appropriate for smaller enterprises, would “naming and shaming” companies actually have an impact?

It only works if companies believe that public exposure will affect customer confidence and cause profit and reputation loss.

It’s not clear that this risk is real, or that it persists over time. There is already too much hyperbole, social hype and fear in public discourse on cybersecurity, and we must be careful not to desensitise the public further through over-exposure in social and traditional media.

Otherwise, if we cry wolf too many times, the impact is lost even when public shaming does highlight significant issues at an important company.


ACD preaches the mantra to “protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time.” A lofty goal indeed, intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than highly sophisticated and targeted attacks. The NCSC would also like to see the programme adopted abroad, providing a model of best practice to help shape cyber security norms - a global standardisation for universal benefit. Again, a lofty goal.

These goals won’t be achieved by leaking details to the press of which companies are not taking steps to keep users safe online. In reality, no one really wants to have to do this; the hope is that organisations will want to pursue better cyber security for their own sake, with or without the threat of punishment or shaming.

Most companies will strengthen their cyber security to the level needed to protect their business and their stakeholders, simply to survive and thrive in today’s business environment. History tells us that forcing companies’ hands usually garners resentment and a mindset that is counter to the cooperative relationships needed to really improve cybersecurity.


Compliance with a standardised programme only encourages conformity, not real change.

“A public good for the private sector”

Excerpt from The Cyber Security Research Group’s proposal:
NCSC has hinted at the influence of ‘cyber-Darwinism’ at work. Organisations that adopt better cybersecurity will survive and thrive; those that do not will fail or, at the least, risk their competitive advantage.
If consumers cannot trust a company, they will withdraw their support and a company’s bottom line will suffer. The appropriate lever here is public perception of a company’s commitment to securing its consumers’ data and activities, backed up with publicly available information that demonstrates what a particular company is or is not doing when it comes to ACD.
The hope with ACD is that it can help identify which companies are adhering to good practices and which are not. The ‘carrot’ is the recognition of one’s commitment to cybersecurity; the ‘stick’ is the risk of going out of business.

Cal Leeming is a renowned cybersecurity expert and co-founder of many successful startups including his bespoke security solutions company, River Oakfield.