SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Making cyber security and data privacy a big issue for small businesses
Wed, 19th Oct 2022

Australia has been rocked in recent weeks by the news that two of our biggest, most recognised companies - Optus and Telstra - have fallen victim to a cyber attack. The personal information - our most prized asset - of millions of Aussies has been compromised, with the two companies facing severe penalties and sanctions. They’re just the most high-profile examples of thousands of attempted attacks that occur amongst Australian businesses every year.

The Australian Cyber Security Commission (ACSC), the government body tasked with keeping Australia and Australians safe online, responded to almost 70,000 cyber crime reports in the last financial year. That’s an increase of nearly 13% from the previous year and equates to roughly one reported attack every eight minutes. For Australia’s 2.5 million small businesses, it’s easy to brush off the news and the threat of something similar befalling them. However, they’re just as at risk, and without the resources of big businesses like Optus and Telstra, the damage could be devastating.

To feel the full benefits of today’s digitally transformed world, we must safeguard against its Achilles heel. For the sake of our small businesses, we must raise awareness, educate and take action.

Awareness and education

For small businesses, it’s incredibly easy to ignore the warnings. Many business owners convince themselves that they’re too small and don’t hold enough valuable information to be targeted. That, unfortunately, is wrong - and dangerous. Cyber attacks are entirely random, targeting businesses of any size by exploiting vulnerabilities in their systems. A cyber attack can maliciously disable computers, steal or compromise data, and even use a breached computer to target others.

Cyber attacks sound like something from a science fiction movie, but they’re increasing in regularity and severity. Unfortunately, many of the millions of small businesses in Australia are either entirely unaware of the risks or, worse still, are aware but aren’t taking action. Research of almost 1,000 Aussie businesses by Zoho reveals that just one in three (35%) small businesses currently have a ‘defined, documented and enforced privacy policy regarding the personal data collected, used and disclosed through their business’. One quarter (27%) don’t have a privacy policy or don’t know if they do, and 38% have an ‘informal or unenforced’ policy.

Small businesses cannot be expected to become privacy and cyber security experts, so the technology industry and policymakers must raise awareness and incentivise action amongst these businesses as a priority. Today, only 20% of small businesses think third-party vendors have done a good job of explaining how their information is used and accessed. One in three (31%) believe vendors have done a bad or unsatisfactory job, and a further 31% hadn’t even considered the issue, which is evidence that basic awareness is too low.

The duty is on the technology industry and policymakers to do more. Urgently, too, as policymakers hint at possible reforms that will affect small businesses.

Taking action

Earlier this month, Australia’s Privacy Commissioner, Angelene Falk, suggested that existing data privacy laws might be extended to small businesses. Currently, any business with an annual turnover of $3 million or more must notify the Privacy Commissioner if customer data is exposed. If they don’t, heavy fines and sanctions can apply. Today, small businesses are exempt, but might not be for long. 

As a matter of best practice, all businesses - including our small businesses - have a duty to protect their businesses and the data of those using them. Those that fail to do so could be more susceptible to breaches. However, with Zoho research demonstrating how few small businesses would be prepared for the policy, the technology industry and policymakers must first do more to raise awareness, drive education and incentivise action.

Before extending the proposed reforms, policymakers must allow small businesses time to prepare. They must make clear, authoritative and jargon-free advice accessible to all. Local chambers of commerce, business mentors, accountants and local governments must be tasked with spreading awareness at a grassroots level amongst both existing and aspiring business owners.

Technology vendors play an important role too. All SaaS platforms must explain explicitly to small businesses how data is collected and stored through their software. These same vendors must also make data protection a built-in foundation of their software. Unfortunately, because data collection is so valuable today, this happens far too infrequently. However, at Zoho, we decided 26 years ago that we would never have a business model that made revenue through advertising and data. We banned third-party cookies - which collect, store and share customers’ data without their consent - from our software because that data belongs to them, and them only.

Small businesses are more technologically advanced than ever, but cyber security awareness is still lagging. Optus and Telstra are not small businesses, but should be taken as a real warning. Small businesses must look at these examples and understand ‘if it can happen to them, it can happen to me’. Awareness, education and action are the foundational pillars of a safer, more secure online world for all of us.