The UK Government should consider using 'kitemarks' awarded to defence industry companies that meet high cybersecurity standards as a part of its procurement process, shadow defence secretary Jim Murphy has said.
Speaking to The Guardian this week, Murphy said an insistence of the highest possible security standards was now essential to head off the threat that smaller firms in the supply chain were being targeted by cybercriminals as a weak link.
"Kitemarks for those with high standards of cyber security must become a reality across the private sector," Murphy told the newspaper.
"The defence industry is one of the most at risk sectors and so the Ministry of Defence could work with business to set a series of benchmarks for firms' cyber security performance which would be taken into account when making procurement decisions."
Cybersecurity experts working for GCHQ and the Ministry of Defence should also be paid more to stop a drain of talent to high-paying private sector firms, he added.
Murphy’s ideas were given a positive reception by Rob Cotton, CEO of security assurance and escrow firm NCC Group.
"He's also absolutely right in calling for the introduction of a cyber-security standard for businesses. We need a concerted effort from the policy makers to push these regulations through, otherwise both the private and public sectors will continue to leave themselves wide open,” said Cotton.
The NCC Group had set up the Cyber Insurance Working Group to address the same issue, he said.
Murphy also called for a more aggressive campaign of public education on the risks of the online world, likening it to past efforts to persuade the population to take the issue of drink driving seriously.
"For drink-driving, cultural change combined with government action turned what was once a social norm into an unacceptable behaviour in the eyes of the public and in law,” Murphy said.
“We have to ask ourselves what the right combination of education and regulation is because we must develop a cultural intolerance towards aggressive or criminal Internet use."
According to the NCC group's Cotton, a cultural change in the way people approach their own online security would sow similar benefits in the workplace.
“Human error is always the weakest link in a security set up, so teaching from the bottom up will ensure tighter perimeters in the long run. Educating the public on cyber risks is the ideal platform from which to improve business security. One will naturally follow the other,” Cotton believed.
A sceptic might point that that the much of the online world's security problems over the last decade have their origins in technological complacency rather than with the users themselves. With the monoculture of Windows still a dominating theme, many of these issues have only been partially addressed.
A problem with kitemarks could be the basis on which they are awarded and by whom – in modern cybersecurity what counts as well secured? As Murphy himself hinted to The Guardian, the ultimate defence against cyberattacks is the security awareness of the workforce. That isn’t easy to assess in a formal way and might only improve slowly over time.
More openness and shared warnings on cyberattack trends is another option. In April, universities and science minister David Willets called for larger firms to offer more public information on such attacks to allow for a collective approach to addressing weaknesses and developing defensive strategies.