22 January 2019
Expanding government cyber defences beyond the public sector
Firms should be incentivised to improve their defences against cyber crime
With more than four in 10 businesses experiencing a cyber security breach or attack in 2017-18, greater publicly available information on the steps firms are taking to keep users safe online could help lead to improvements in security, according to a new report from the Cyber Security Research Group and the Policy Institute at King’s College London.
It argues companies should be incentivised to improve their defences and help combat cyber crime, such as online fraud and identity theft.
The researchers recommend that businesses, charities and other organisations adopt measures included in the government’s Active Cyber Defence (ACD) programme, which has until recently only covered public sector organisations, but is now being rolled out further.
The technology at the heart of the programme has led to a significant fall in scam emails from fake government addresses and the removal of thousands of “phishing” sites which pose as government agencies to steal users’ personal information.
Dr Tim Stevens, Convenor of the Cyber Security Research Group at King’s College London, said:
“The Active Cyber Defence programme has been a huge success in protecting government agencies – and those who use them – from cyber threats. Our research finds that it could be legally, cheaply and efficiently rolled out beyond the public sector, to further protect people online. Greater transparency around the level of cyber security employed by businesses and other organisations will motivate them to adopt ACD measures that will keep users and their data safe.”
The report concludes that there are no significant technical obstacles to extending ACD tools and techniques beyond the public sector, and says that some firms and trade bodies are already developing systems that use this and similar technology.
But it urges non-public sector organisations to engage more actively with government’s National Cyber Security Centre (NCSC) to deploy ACD and better counter cyber crime in the UK.
The researchers recognise the potential for privacy concerns around the use of government-developed technology outside the public sector, particularly around the ACD “Web Check” tool, which identifies basic vulnerabilities in website design. To prevent this being seen as the government “scanning” and collecting data on private organisations’ websites, they recommend creating a buffer between the intelligence community and third parties by assigning responsibility for such tools to regulatory authorities in each sector, such as the Charity Commission in the third sector.
Other findings from the research include:
- ACD should be considered a “public good” that delivers cyber security benefits to the population as a whole without members of the public needing to “opt in” for protection online.
- ACD can extend the UK’s cyber security influence abroad, providing a model of best practice and helping to shape global cyber security norms.
- ACD shows great promise in tackling UK cyber crime and should be expanded and given time to mature – although it is not a “silver bullet”.