Monash Uni experts warn companies against 'cyberwashing'

Nigel Phair, Monash University

Organisations may be misleading stakeholders about their cyber security capabilities through a practice known as 'cyberwashing', security expert professor Nigel Phair of Monash University warns.

Phair, who lectures in IT at the university and is a director of the CREST cybersecurity industry body, was the lead author of a report on the issue in the recently released Journal of Risk Management in Financial Institutions quarterly.

The term cyberwashing describes when companies use vague language, inconsistent privacy policies or unverified claims to appear more secure than they actually are.

Common cyberwashing tactics include using broad terms like 'state-of-the-art security' without specifics, collecting excessive personal data while claiming to protect privacy and failing to subject security measures to independent verification.

"Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank and Latitude Financial Services," Phair said.

"In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place."

In September 2022, Optus suffered a cyberattack affecting approximately 10 million customers, later facing both regulatory investigation and a class action lawsuit despite previous claims about strong security systems.

Medibank's October 2022 breach also compromised nearly 10 million customers' personal and health information when attackers exploited a misconfigured firewall.

An internal presentation later revealed that security controls developed in 2020 had never been implemented.

Latitude Financial Services experienced a significant breach in March 2023 affecting around 14 million customers, resulting in $76 million in pre-tax costs and triggering a joint investigation by Australian and New Zealand privacy authorities.

"This kind of cyberwashing erodes trust in organisations and, as we have seen, can result in severe financial, reputational and legal consequences, especially in the event of a data breach," Phair said.

Breaching the Australian Consumer Law with greenwashing can result in fines for organisations of up to $50m, or three times the value of the benefit obtained from the incident.

Alternatively, where the benefit cannot be calculated, organisations can be penalised 30 per cent of the company's adjusted turnover during the breach period.

Meanwhile, individuals can be fined up to $2.5m per breach.

To combat cyberwashing, security experts recommend backing up security claims with verifiable evidence such as third-party audits, avoiding overstated capabilities, training teams to communicate accurately about security measures, and adhering transparently to evolving regulations.

Risk managers are advised to scrutinise vague security claims, verify cyber maturity assessments, and educate leadership about the importance of accurate representation of security programmes.

The report also stresses the need for effective risk management and the importance of robust enforcement by regulators to deter cyberwashing.

"These efforts should be coupled with a properly functioning legislative enforcement framework that dissuades organisations from cyberwashing, like penalties under Australia's Security of Critical Infrastructure Act 2018," Phair said.

"A genuine commitment to cybersecurity, rather than misleading claims, is essential for protecting sensitive data and maintaining trust in the digital age."
