
A leading cybersecurity researcher has called for Australian companies that make misleading claims about their own cybersecurity capabilities – a practice referred to as ‘cyberwashing’ – to face stiffer criminal penalties under a reinforced legal framework, arguing that the practice undermines industry’s ability to curtail cyberattacks.
Monash University IT researcher Professor Nigel Phair, lead author of a recently published paper [pdf] on cyberwashing practices by Australian corporations, warns the practice is eroding trust in industry and potentially preventing working solutions from being effectively implemented.
By presenting a false picture of one’s cybersecurity capability or credentials, businesses risk “severe financial, reputational and legal consequences”, the paper said, as malicious cyber actors inevitably break through and expose the deceit.
Data breaches, Phair noted, have an “interrelationship with cyberwashing”, with resulting legal actions by consumers or regulators – when tested in court – often exposing the sizable gap between a business’s promised cyber capabilities and cyber controls in practice.
Examples of ‘cyberwashing’ practices detailed in the report include:
- inconsistencies between organisations’ privacy policies and actual practices, such as claiming to protect user data while collecting and exploiting excessive personal information;
- a lack of third-party audits or independent verification of an organisation’s cybersecurity posture;
- an overemphasis on the skills and certifications held by their cyber security staff; or
- a failure to openly discuss the cause and effect when they have suffered a data breach.
Phair also noted the common practice of businesses employing vague, often clichéd language, such as ‘state-of-the-art security’ or ‘strong cyber defence’, to present a better picture of their cyber capabilities, often with the intention to “satisfy regulators, assure stakeholders and placate consumers”.
The report cited the high-profile cyber breaches of Australian corporates Optus, Medibank and Latitude Financial Services, noting that in each case these firms “faced significant criticism and legal action… despite claiming to have robust cybersecurity practices in place”.
On remediation and penalty costs alone associated with their cyber incidents, Latitude has spent more than $76 million in pre-tax costs and provisions, while Medibank has paid out up to $81 million after hackers made off with more than 10 million customer records.
Addressing the promise gap
The disconnect between organisations’ stated cyber practices and their actual ability to resist a cyber-attack requires urgent redress, Phair said.
The report makes several recommendations to Australian businesses to address this gap, including:
- an assurance that cybersecurity claims made by organisations are backed by clear, verifiable evidence, such as third-party audits, certifications and compliance with industry standards such as ISO 27001 or NIST CSF;
- the need for regular independent security assessments or audits from trusted cybersecurity companies to validate an organisation’s security posture;
- not overstating security capabilities, as well as providing customers with accurate, understandable insights into cybersecurity practices and potential risks;
- training teams to understand cyber security complexities to avoid superficial claims and encourage responsible communication of cyber-related capabilities; and
- adhering to evolving cyber security regulations and disclosing compliance in a transparent manner, reducing the temptation for misleading claims.
The report also stresses the need for effective risk management and the importance of robust enforcement by regulators to deter cyberwashing.
“Companies should be improving their risk management policies and subsequent control implementation,” Phair said.
This would also include obligations from cyber insurance policies for organisations to meet certain security standards and report accurate information about their cybersecurity practice, he added.
The paper also stressed the need for a properly functioning legislative enforcement framework to further dissuade organisations from cyberwashing practices, noting existing penalties under Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act).
Penalties under the SOCI Act range from 200 penalty units (currently AU$62,600) for each breach of the obligation to adopt, maintain and comply with a risk management plan, to 50 penalty units (currently AU$15,650) for failing to notify the regulator when a cyber incident has occurred.
He also stressed the need for further research to determine whether board directors are effectively monitoring potential cyberwashing practices within the businesses they oversee – that is, more broadly, inquiring about the cybersecurity messaging and accompanying actions undertaken by the business.
Phair concludes: “A genuine commitment to cybersecurity, rather than misleading claims, is essential for protecting sensitive data and maintaining trust in the digital age.”