The gulf between consumer trust and businesses is growing as data breaches, poor and opaque data handling, and privacy violations make headlines. Businesses, despite best intentions, seem almost as puzzled by data protection and privacy concerns and solutions as consumers are, and indeed, often fail to see the big picture in terms of cybersecurity threats they face. This can lead to a worrying tendency: organizations “cyberwash” their cybersecurity and privacy approaches, leading not only to further erosion in consumer trust but to real financial and compliance consequences.
What is Cyberwashing?
A recent Monash University report explained the concept of “cyberwashing”, a practice that seems to be taking hold in organizations that want to appear as though their cybersecurity is in line with best practice. The report finds a major gap between what organizations state and what their actual practices reveal.
But what exactly does cyberwashing entail? According to the report, cyberwashing is a practice in which an organization misleads the public about its cybersecurity practices. The Monash University report identifies a range of typical cyberwashing tactics, including exaggerated or misrepresented cybersecurity credentials, vague and non-specific language, and a failure to produce independent verification of claimed cybersecurity measures and safeguards. By extension, cyberwashing applies to data privacy practices as well.
Cyberwashing: High-profile risk and no reward
One of the most alarming problems with cyberwashing is the scope for damage. Because the misrepresentation characteristic of cyberwashing is designed to lull consumers and the wider public into a false sense of security, businesses and consumers alike are left vulnerable to data breaches.
Global news media is filled with stories of high-profile data breaches affecting businesses in healthcare, e-commerce, financial services, and more. In many such cases, the companies suffering data breaches had claimed to prioritize data protection and cybersecurity, only to be unmasked as some of the biggest cyberwashing offenders. Even in the aftermath of a data breach, companies that engage in cyberwashing often dig themselves a deeper hole by failing to acknowledge their own role in the breach, for example, blaming a cyberattack when the true culprit is poor security infrastructure or gaps in the implementation of their cybersecurity and privacy strategy. This lack of transparency makes it difficult to recover consumer trust and, moreover, regulatory trust. Regulators are likelier to turn the screws of scrutiny on organizations that have been proven to mislead the public about the source of their security troubles.
Cyberwashing can lead to consequences on several fronts – financial, reputational and legal – and, as part of the overall security posture, it weakens trust in whatever a company claims in the aftermath of a breach.
Half-baked cookie consent
While the Monash report focused on cybersecurity as an umbrella concept, we’ve previously discussed a number of consent-failure situations that could feasibly be part of the cyberwashing flood:
- the failure of companies to respect consumer requests to opt out of data collection or cookie consent (Consumer Reports)
- the superficial treatment of cookie banners, i.e., the banner is visible, and consumers can make choices, but the company doesn’t appear to respect those choices (The Electronic Communications Office of Iceland)
- many websites ignore users’ refusal of cookies and collect and use their data anyway (University of Amsterdam and ETH Zurich)
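The consent failures listed above share one root cause: the banner records a choice, but nothing in the site enforces it. As an added example (not code from the CookieHub post or any of the cited studies), the snippet below shows a minimal consent gate that decides which cookies may be set under a recorded consent state, plus an audit routine that parses an observed cookie string and reports every cookie that should not be present given that state. The cookie names, categories, and the sample consent record and cookie string are all constructed for illustration; a real deployment would load the cookie-to-category mapping from its own cookie inventory.

```javascript
// Added example: consent enforcement plus an audit check that surfaces the
// "banner shown, choice ignored" failure mode. Names below are constructed.

// Cookie inventory: maps each known cookie to its consent category.
// Only "necessary" cookies may be set without explicit consent.
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",        // constructed analytics cookie name
  _fbp: "marketing",       // constructed marketing cookie name
  ab_variant: "preferences",
};

// A consent record is an object like { analytics: false, marketing: true, ... }.
// Anything missing from the record is treated as refused (opt-in by default).
function consentAllows(consent, cookieName) {
  const category = COOKIE_CATEGORIES[cookieName];
  if (category === undefined) return false; // unknown cookies are blocked, never silently allowed
  if (category === "necessary") return true;
  return consent[category] === true;
}

// Gate: given the cookies a page wants to set, return only those the user agreed to.
function filterCookies(consent, requested) {
  return requested.filter((name) => consentAllows(consent, name));
}

// Parse a Cookie header / document.cookie-style string into cookie names.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Audit: list every cookie present that the recorded consent does not permit.
// An empty result means the site is honouring the choice it displayed.
function auditCookies(consent, cookieString) {
  return parseCookieString(cookieString)
    .filter((name) => !consentAllows(consent, name))
    .map((name) => ({ cookie: name, category: COOKIE_CATEGORIES[name] ?? "unknown" }));
}

// Constructed sample: the visitor refused all optional categories, yet the page
// still carries analytics and marketing cookies. The audit flags both.
const refusedAll = { analytics: false, marketing: false, preferences: false };
const observedCookies = "session_id=abc123; _ga=GA1.2.1; _fbp=fb.1.2; csrf_token=xyz";
console.log(auditCookies(refusedAll, observedCookies));
```

Running the audit against a live page after clicking "reject all" is the kind of automated internal check the post later recommends: a non-empty result is direct evidence that the banner's choices are not being enforced, regardless of what the privacy policy says.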
As part of mitigation strategies to avoid cyberwashing, consent and cookie management should be an integral part of the plan.
Bake-in risk management and enforcement
What do we do about cyberwashing, though? How can companies achieve compliance and robust cybersecurity and data privacy in a transparent way?
Regulatory enforcement is a first line of defense. Organizations can bake in risk management strategies, including regular independent audits, transparent and honest cybersecurity disclosures, and better internal awareness among staff about cybersecurity and privacy, to get ahead of regulatory checks.
Similarly, market forces can also play a role in holding businesses to account. For example, the Monash report claims that insurance companies can “act as a check” against cyberwashing claims. That is, companies could be denied insurance coverage if it were discovered that they misled the insurer during underwriting. Just the threat of this kind of denial could be enough of a negative incentive that businesses would be likelier to invest in more robust cybersecurity and privacy efforts and standards.
Because of the scope for catastrophic damage in the wake of a data breach or data privacy violations, it is in every company’s best interest to invest in regular internal evaluations and audits – both manual and automated – as well as tools that aid in staying compliant. Financial and legal penalties can be devastating, while gaining control over risk management and getting ahead of external enforcement measures will be less expensive and can underpin a cultural change based on trust and transparency.