As more organisations position cybersecurity as a competitive edge, leaders must ensure their claims are evidence-backed — or risk legal and reputational fallout.
As the number of cyber-attacks against Australian businesses continues to rise, there is a growing realisation that being viewed as cyber-secure is a competitive business advantage. This can lead to exaggerated, or even false, claims of what cyber security controls businesses have in place.
Nigel Phair, a professor at Monash University’s Faculty of Information Technology, says cyber washing is the “practice of organisations misleadingly promoting their cyber security measures or data privacy practices to appear more secure or responsible than they actually are.” Businesses should be very wary of exaggerating their cyber security claims in tender or proposal documents to clients, in advertising and marketing to customers and to regulators and other authorities.
Here are five ways businesses can protect their reputation and avoid claims of cyber washing.
1. Provide evidence
As the cyber security industry has matured, several standards for assessing an organisation’s security posture have been established. The Australian Signals Directorate, through the Australian Cyber Security Centre (ACSC), publishes the Essential Eight, which businesses can follow. For each of the Essential Eight controls there are four maturity levels against which businesses can be audited. There are also globally recognised standards and frameworks, such as ISO 27001 and those published by NIST, that businesses can apply.
Adherence to industry-specific standards such as PCI DSS for the payment card industry, and compliance with legislation such as the Security of Critical Infrastructure Act 2018 (SOCI) for the owners and operators of critical infrastructure, can give customers assurance that your security efforts are validated and not just hollow words.
Regardless of which standard or standards your business selects, obtaining independent validation of compliance helps avoid cyber washing and ensures that your security claims are substantiated.
“Cybersecurity is not a marketing tagline — it’s a measurable commitment. Transparency builds trust, and trust drives growth.”
— Bryan Saba, CEO, Excite Cyber
2. Continuously assess compliance
While audits are important for establishing compliance with security standards, rules and regulations, they are only a point-in-time assessment. A business can be compliant at the time of an audit, only for a new flaw to emerge or a new vulnerability to be identified afterwards. It is critical that businesses undertake ongoing assessment of their cyber security posture.
A growing trend is the establishment of continuous red teaming. A red team is a group of ethical hackers who emulate the actions of malicious actors. Traditionally, red teaming is carried out periodically to test the security of systems. But businesses can also engage red teams to continuously probe their systems and alert them to vulnerabilities, so they can remediate them before a breach occurs. The rise of AI enables businesses to intelligently automate this in some cases.
3. Stick to the facts
With the ACSC’s most recent annual report finding that a new cyber-attack is reported every seven minutes in Australia, it’s inevitable that cybercriminals will succeed in breaching defences to steal data and extort ransom payments from businesses. Many successful attacks occur either because criminals log in using stolen credentials or because they exploit gaps in security systems.
Overstating your security capabilities is a brand pitfall and a cause of reputational damage. Telling customers and partners what you are doing to counter cyber risks is important. But embellishing or overstating what is within your control can create a false sense of security, and leaves you open to criticism and legal repercussions should an attacker penetrate your defences.
4. Use careful language
Cyber security is complex. Regular security awareness training can help to debunk misconceptions and ensure everyone in your business understands what you are protecting, how it’s being protected and what steps you are taking to bolster security. This will help ensure people don’t make superficial claims about your cyber security activities.
One of the most overused claims following a cyber security attack is that the attackers used “sophisticated methods”. This is usually followed by the claim that the victim was “using strong cyber defences”. Language like this can cause problems later, when the actual cause of the breach is revealed. In reality, very few attacks use sophisticated methods, and the businesses involved are often found not to have had the strongest cyber defences.
Embellishing or overstating claims leaves businesses exposed to an increased risk of litigation and prosecution. Making unsubstantiated and vague claims about cyber security defences may mislead customers, shareholders and other stakeholders, and exacerbate the impact of a cyber-attack.
5. Be open about recovery plans
Businesses must be prepared to respond effectively if an incident occurs. Developing a well-defined incident response plan, regularly testing it through simulations, and ensuring that staff are trained to act swiftly can significantly reduce the impact of security breaches. By openly stating that you have a robust incident response plan that is regularly tested, you give your customers and partners confidence that you are ready to respond swiftly should an attacker succeed. And, where appropriate, sharing elements of the plan and your testing will further boost your credibility and their confidence that you have your cyber security house in good order.
About the author
Bryan Saba is the CEO of Excite Cyber, an Australian-owned, ASX-listed cyber security company (ASX:EXT) uniquely positioned in the market with integrated data recovery capabilities.