A data security expert says the federal government’s cybersecurity strategy is headed in the wrong direction
The Australian government’s ambition to “become the most cyber-secure country by 2030” is doomed to failure unless customers demand “security certifications” from companies, according to a leading data security expert.
Lisa Byrne, of data strategy firm Notitia, said customers will be the catalyst for companies to “wake up” to their responsibility to provide effective data security.
“It is the responsibility of every business, small or large, to ensure their customer data is protected, but not enough companies are aware of this fact,” she said.
Byrne’s call comes on the same day ASX-listed consumer finance firm Latitude Financial revealed a major cyberattack that affected more than 300,000 customers and saw the driver’s license data of about 103,000 people stolen. The latest hack follows last year’s Optus and Medibank data theft incidents that involved millions of customers, amid a 26% increase in the second half of 2022 compared to the first six months.
While the federal government’s 2023–2030 Australian Cybersecurity Strategy is currently under development, Byrne argues that the focus on business and industry needs to be reversed.
“Deterrent measures from policy enforcement will only get us so far. Customers must also be empowered to hold companies accountable,” she said.
“If Australian consumers expect businesses and institutions to prove their security before data is handed over, the strength of consumer spending will drive the importance all businesses place on adequate data security.
“This can only happen if we as consumers are urged to look for that ‘sign of approval’, just as we would only buy a child car seat from a manufacturer that meets safety standards.”
Byrne, a 30-year veteran of business intelligence, data governance and cybersecurity, believes the government should launch a consumer education campaign so people know where to spend their money and who to give their private information to.
“As customers, we all need to be included in the conversation, educated and informed about what to expect from each company and institution we deal with,” she said.
“The first step is to educate the public about the business requirements to protect their data and to be aware of the risks associated with handing their data over to a company that does not have an adequate data security plan in place.
“Second, there needs to be a way for companies to easily market their compliance and audit customers with confidence — this could look like a public data security compliance registry, along with certified compliance logos on website footers or forms.”
Byrne believes that businesses want to implement adequate data security measures, but this requires awareness and context.
“When the Optus and Medibank data breaches hit last year, Notitia saw an increase in interest in data security and governance from many of our customers who took the events as a wake-up call and wanted to do the right thing,” she said.
“It is one thing for government to be the policy messenger and gatekeeper, but if executives understand the actions expected of them, through the lens of their own risk of crisis and subsequent interaction with their stakeholders – that is when action to create a secure data environment happens.”