Make companies pay full cost of breaches to restore trust in the internet, says ISOC

Think of the users, says the campaigner for a safe and secure internet

Fake news, online banking thefts and data breaches: It's no wonder that trust in the internet is at an all-time low. But don't worry: The Internet Society has a five-step plan for restoring faith in the network of networks.

The first step is to put users first, according to ISOC, which published its 2016 Global Internet Report on Thursday. That involves being more transparent (step two) about risk and the incidence of data breaches and prioritizing data security (step three) to ensure breaches don't happen.

ISOC isn't just a talking shop, it is also the organizational home of the Internet Engineering Task Force (IETF), source of many of the protocols and standards on which the internet relies. That adds weight to the more detailed recommendations on how to prioritize security contained in the ISOC report.

Step four, according to Michael Kende, the economist and ISOC Fellow who authored the report, is to make businesses accountable for data breaches. Some businesses evaluate what a breach would cost them (an average of US$4 million, according to ISOC), and invest accordingly in prevention, but part of the problem is that they don't take into account externalities such as the costs affected users will have to bear, Kende said.

It's easy enough to tot up the cost of replacing credit cards and other documents when someone's identity is stolen using data released in a breach, but some of those costs just can't be calculated today.

"No-one has looked at the risk of identity theft in the three to five years after being breached," Kende said. "When you have your identity stolen, you might never be able to trace the cause, particularly in a country that has no disclosure rules."

The fifth step ISOC proposes in the report is for businesses to send clearer signals about the level of security of their websites and the services they provide. Kende envisages that websites could do this by displaying badges identifying the certification processes to which they have submitted. Certified sites would win more business, while uncertified ones would lose out, encouraging businesses to bear the additional cost of certification.

That, though, creates a new problem: How to create confidence in certification. Infidelity website Ashley Madison displayed a fake "trusted security award" on its website before suffering a massive data breach.

Restoring trust in the internet, then, is likely to be a long process.

"If it was a simple thing it would probably be done by now," Kende concluded.

Show Comments