Building trust and transparency in a Consumer Data Right world
In the wake of the Banking Royal Commission and now the passage of the Consumer Data Right (CDR) scheme just last week, transparency, compliance and consideration of customer privacy are more important than ever in Australia.
While there is growing awareness around securing the digital platforms through which customer data is accessed, findings from Rapid7’s Industry Cyber-Exposure Report show that a concerningly large number of cybersecurity basics continue to be overlooked by the ASX 200.
This indicates that, currently, consumer expectations around data privacy are not being met by a corresponding commitment to security within Australia’s most mature organisations.
The report found that most organisations in the ASX 200 are running old and often unsupported versions of the three most prolific web servers: Microsoft’s Internet Information Services, Apache HTTPD, and nginx.
While 14-year-old web servers are likely to expose a business to extreme risks, they may be kept around because the organisation is running an application that only works with that web server version. To compensate for this security risk, the organisation then relies on other mitigating controls.
At the same time, however, 67 per cent of the same group have weak or non-existent anti-phishing defences in the public email configuration of their primary email domains.
Under the new CDR legislation, all organisations are required to take information security risk management seriously. The rules of the framework echo what is outlined in the Corporations Act around having good security management practices in place.
If you think about it carefully, however, the CDR is paradoxically asking organisations, under certain circumstances, to share externally data about their customers that, until now, was required to be kept very safe behind multiple layers of security controls.
One specific condition under the CDR legislation is that applications such as Flash, web servers and Java need to be patched within 48 hours of a security risk being uncovered. It’s important to remember, however, that the latest version of an application may not be the best version: patches often come with bug fixes, as well as new bugs.
There may be some flaws in the CDR requirements, particularly if complying with the legislation could inadvertently expose an organisation to new risks. Complying with the most basic requirements under the CDR, such as running a compliance-centric security program and implementing the latest policies, will not necessarily mean an organisation is secure.
We can look to the major Equifax incident in 2017 as an example. The credit card bureau had passed PCI compliance before it was ambushed by a data breach that exposed some 143 million customer details.
Perhaps the CDR legislation is too prescriptive about what a security framework should look like, and as a result may cause organisations to run and implement controls that may not be the best use of their valuable resources.
It’s important to also note there is a lack of detail in the CDR legislation about the consequences if organisations are non-compliant.
There’s no doubt that rolling out and complying with the CDR will be a complex exercise for Australian businesses.
Regardless, consumer-oriented organisations have a responsibility to protect their customer data. Part of getting that right is having complete transparency around which privacy controls are in place, and which are not.
When companies attempt to cover up a data breach or to be covert about how they use customer data, it never works in their favour. In fact, it generally has the complete opposite effect.
Taking a customer-centric view of data and security is the right and ethical thing to do by your customers, and it also helps build trust in your business.
Neil Campbell is vice president APAC at Rapid7