Monash University’s new report exposes the rise of ‘cyberwashing’ by organisations and calls for stronger measures to foster genuine cybersecurity practices.
‘Cyberwashing’ occurs when organisations exaggerate or misrepresent their cybersecurity credentials to appear more secure than they actually are.
This includes using vague language like “state-of-the-art security” without giving details, engaging in practices that contradict their privacy policies, lacking independent verification of their cybersecurity, over-emphasising the skills of their cybersecurity staff, and failing to openly discuss the causes and impacts of data breaches they have suffered.
Lead author of the report, cybersecurity expert Professor Nigel Phair from Monash University’s Faculty of Information Technology, said cyberwashing creates a false sense of security and can have serious consequences for consumers and businesses alike. The report highlights how responsible public relations practices can help counter these misleading claims.
The report, published in the Journal of Risk Management in Financial Institutions, outlines steps that organisations can take to ensure genuine attempts at robust cybersecurity are made, including backing up security claims with regular independent audits and transparent compliance with industry standards, training staff to understand cybersecurity complexities, and providing customers with accurate information about their cybersecurity practices.
“Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank and Latitude Financial Services. In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place,” Professor Phair said.
“This kind of cyberwashing erodes trust in organisations and, as we have seen, can result in severe financial, reputational and legal consequences, especially in the event of a data breach.”
Read also: Regulatory report highlights tech failures in online child safety
The report also stresses the need for effective risk management and the importance of robust enforcement by regulators to deter cyberwashing.
“Companies should be improving their risk management policies and subsequent control implementation. Cyber insurance policies should require organisations to meet certain security standards and report accurate information about their cybersecurity practices,” Professor Phair said.
“These efforts should be coupled with a properly functioning legislative enforcement framework that dissuades organisations from cyberwashing, like penalties under Australia’s Security of Critical Infrastructure Act 2018.
“A genuine commitment to cybersecurity, rather than misleading claims, is essential for protecting sensitive data and maintaining trust in the digital age.”
Future research needs to include if company directors are asking questions in the boardroom surrounding cybersecurity messaging and any accompanying action.
Adrianne Saplagio is a Content Producer at Comms Room, where she combines her passion for storytelling with her expertise in multimedia content creation. With a keen eye for detail and a knack for engaging audiences, Adrianne has been instrumental in crafting compelling narratives that resonate across various digital platforms.
