
A report published by Australia-based Monash University has exposed the growing prevalence of ‘cyberwashing,’ a practice where organisations exaggerate their cybersecurity capabilities to create a misleading perception of robust data protection. The study, led by Professor Nigel Phair from the university’s Faculty of Information Technology, warns that many companies present their cybersecurity efforts in a way that does not reflect actual risk management, potentially leaving consumers and businesses vulnerable to data breaches.
Published in the Journal of Risk Management in Financial Institutions, the report defines cyberwashing as the use of vague and misleading language to assure customers and regulators of strong cybersecurity defences while failing to implement necessary protections. This can include overstating security credentials, omitting details about past breaches, and claiming compliance with industry standards without independent verification. Some organisations also highlight the qualifications of their cybersecurity teams while neglecting to enforce effective security measures.
False security claims can have serious consequences
Professor Phair explained that such deceptive practices create a false sense of security and can have significant legal and financial consequences. He emphasised that transparency and independent oversight are critical in ensuring that cybersecurity commitments are genuine rather than mere marketing rhetoric.
“Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank and Latitude Financial Services,” said Professor Phair. “In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place. This kind of cyberwashing erodes trust in organisations and, as we have seen, can result in severe financial, reputational and legal consequences, especially in the event of a data breach.”
The report details how cyberwashing not only misleads stakeholders but also weakens overall cybersecurity resilience. It notes that many organisations fail to disclose the root causes of cyber incidents, making it difficult for regulators and consumers to assess the true risks. Some companies, the report adds, attempt to deflect responsibility by framing breaches as sophisticated cyberattacks rather than acknowledging internal security gaps.
The report calls for stronger enforcement by regulators to combat cyberwashing and urges organisations to adopt clear risk management frameworks. Recommendations include regular independent security audits, transparent disclosures on cybersecurity measures, and comprehensive staff training to improve internal awareness. The study also suggests that corporate boards should take a more active role in scrutinising cybersecurity claims to ensure they align with actual practices.
The report also warns that misleading cybersecurity claims could carry legal ramifications, including regulatory fines and shareholder lawsuits. The Optus and Medibank cases illustrate how companies that fail to uphold their stated cybersecurity policies may face lawsuits from affected customers and investors. The study suggests that stricter compliance enforcement and independent verification of security claims could help curb cyberwashing.
As regulatory scrutiny intensifies and legal actions against companies over data breaches continue to rise, the report concludes that businesses must move beyond superficial cybersecurity claims and invest in genuine protective measures.