March, 2025

Monash University report exposes ‘cyberwashing’ in data privacy practices

Monash University has released a report addressing the growing issue of ‘cyberwashing’, a practice where organisations mislead the public about their data privacy practices.

The report, authored by Professor Nigel Phair from Monash University’s Faculty of Information Technology, highlights the tactics used in cyberwashing, such as exaggerating or misrepresenting cybersecurity credentials, employing vague language, and lacking independent verification of cybersecurity measures.

The report, published in the Journal of Risk Management in Financial Institutions, recommends several measures to ensure genuine cybersecurity efforts. These include regular independent audits, transparent compliance with industry standards, and providing accurate information to customers.

“Cyberwashing creates a false sense of security and can have serious consequences for consumers and businesses alike,” said Professor Phair.

Recent high-profile data breaches in Australia are cited in the report, including those affecting Optus, Medibank, and Latitude Financial Services. “Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank and Latitude Financial Services. In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place,” Phair stated.

The report stresses the need for effective risk management and robust enforcement by regulators to deter cyberwashing. “This kind of cyberwashing erodes trust in organisations and, as we have seen, can result in severe financial, reputational and legal consequences, especially in the event of a data breach,” Phair noted.

One recommendation is that cyber insurance policies should require organisations to meet defined security standards and to report accurate cybersecurity information. “Companies should be improving their risk management policies and subsequent control implementation. Cyber insurance policies should require organisations to meet certain security standards and report accurate information about their cybersecurity practices,” Phair said.

The report also calls for a legislative enforcement framework to dissuade organisations from engaging in cyberwashing, citing penalties under Australia’s Security of Critical Infrastructure Act 2018 as a potential deterrent. “These efforts should be coupled with a properly functioning legislative enforcement framework that dissuades organisations from cyberwashing, like penalties under Australia’s Security of Critical Infrastructure Act 2018,” Phair stated.

Furthermore, the report suggests that future research should explore whether company directors are addressing cybersecurity messaging and actions in boardrooms. “A genuine commitment to cybersecurity, rather than misleading claims, is essential for protecting sensitive data and maintaining trust in the digital age,” Phair concluded.