A new Monash University report highlights the growing problem of organisations resorting to 'cyberwashing' to mislead the public about their data privacy practices and recommends measures to build a genuine culture of cybersecurity.
'Cyberwashing' occurs when organisations exaggerate or misrepresent their cybersecurity credentials to appear more secure than they actually are.
This includes using vague language like "state-of-the-art security" without giving details, engaging in practices that contradict their privacy policies, lacking independent verification of their cybersecurity, over-emphasising the skills of their cybersecurity staff, and failing to openly discuss the causes and impacts of data breaches they have suffered.
Lead author of the report, cybersecurity expert Professor Nigel Phair from Monash University's Faculty of Information Technology, said cyberwashing creates a false sense of security and can have serious consequences for consumers and businesses alike.
The report, published in the Journal of Risk Management in Financial Institutions, outlines steps that organisations can take to ensure genuine attempts at robust cybersecurity are made, including backing up security claims with regular independent audits and transparent compliance with industry standards, training staff to understand cybersecurity complexities, and providing customers with accurate information about their cybersecurity practices.
"Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank and Latitude Financial Services. In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place," Professor Phair said.
"This kind of cyberwashing erodes trust in organisations and, as we have seen, can result in severe financial, reputational and legal consequences, especially in the event of a data breach."
The report also stresses the need for effective risk management and the importance of robust enforcement by regulators to deter cyberwashing.
"Companies should be improving their risk management policies and subsequent control implementation. Cyber insurance policies should require organisations to meet certain security standards and report accurate information about their cybersecurity practices," Professor Phair said.
"These efforts should be coupled with a properly functioning legislative enforcement framework that dissuades organisations from cyberwashing, like penalties under Australia's Security of Critical Infrastructure Act 2018.
"A genuine commitment to cybersecurity, rather than misleading claims, is essential for protecting sensitive data and maintaining trust in the digital age."
Future research needs to include if company directors are asking questions in the boardroom surrounding cybersecurity messaging and any accompanying action.
