As privacy awareness and concern surge among Australian small and medium-sized businesses (SMBs), fuelled by recent high-profile attacks on companies like Optus and Medibank, a concerning gap persists between awareness and action.
Shockingly, one in four local SMBs would be unable to weather the financial or reputational storm caused by a privacy breach. Equally alarming, another one in four SMBs remains unclear about their obligations amid recent changes to the Privacy Act.
New research by the global technology platform Zoho highlights the vulnerability of Australia’s small and medium businesses (SMBs) to privacy breaches. Based on a survey of 784 SMBs across various sectors, the study found that a quarter of these businesses (24%) believe they would not survive the financial impact of a privacy breach, while nearly a quarter (23.7%) feel they could not recover from the reputational damage caused by such an incident.
Although awareness of cybersecurity issues is increasing among Australian SMBs, many remain unprepared and ill-equipped to handle privacy breaches. Nearly half of the respondents (45.4%) ranked data privacy as a top business priority, with an additional 30% considering it important. The influence of major breaches on their perceptions is evident, as almost 80% acknowledged that these incidents had shaped their concerns about privacy. However, while understanding and awareness are high, action is lacking, with one-third (35.2%) expressing increased concern but failing to take action.
Moreover, less than half of the surveyed businesses (44.4%) have a well-defined, documented, and applied customer privacy policy, and some either lack a data privacy policy or have not updated or reviewed it (18.4%).
The recent privacy act changes
Vijay Sundaram, Chief Strategy Officer at Zoho, stated, “Data privacy has become a paramount concern in today’s landscape, and it is encouraging to see policymakers taking steps to enhance awareness, incentivize action, and reinforce safeguards. The Australian government is currently deliberating substantial reforms to The Privacy Act 1988, a statute that presently grants small businesses an exemption. However, these proposed reforms would eliminate this exemption, potentially subjecting them to fines and penalties for privacy breaches or non-compliance. While any policy aimed at safeguarding businesses, consumers, and data online is commendable, it is imperative that small businesses receive the necessary time, guidance, and resources to achieve compliance. According to Zoho’s research, just 51.8% of respondents believe their businesses understand their obligations under The Privacy Act 1988, and an additional 22.9% acknowledged a lack of comprehension regarding the legislation’s privacy requirements. Without adequate support and education to facilitate compliance, these businesses may bear a disproportionate burden.”
Vijay emphasized the need for the technology industry and policymakers to incentivize action among small businesses to protect themselves and their customers. He highlighted the potential catastrophic impact of a privacy breach, especially as regulatory changes loom, and penalties become more severe.
Privacy breaches have been on the rise in recent years, with the Australian Cyber Security Centre receiving over 76,000 cybercrime reports in the 2021-22 financial year, representing a 13% increase from the previous year. Proposed reforms could remove the exemption currently enjoyed by small businesses under The Privacy Act 1988, making them liable for fines and penalties for non-compliance.
However, Zoho’s research indicates that many SMBs are not fully aware of their obligations under the existing legislation. Only 51.8% believe their business understands the requirements outlined in The Privacy Act 1988, while 22.9% admit to not understanding these requirements. This legislation governs the collection, use, storage, and disclosure of personal information.
Notably, a significant portion of small businesses collect customer data (64.5%) and communicate with clients about data collection (58.6%), but some are unaware of their responsibilities in this regard (19.7%).
When it comes to responding to a privacy breach, fewer than half (46.2%) of respondents claim to know exactly what to do, while 13.5% have “no idea.”
In terms of data privacy practices, over half (57.5%) of respondents collect or use cookies on their business websites, with a majority (56.7%) demonstrating a solid understanding of cookies’ role. However, some are still in the process of learning (11.2%).
“We work with SMBs in various industries like healthcare, defence contractors, human intelligence, refugee resettlement programs, political organisations and more. Data privacy is a significant focus for them and their customers, and a responsibility they take very seriously. There are also many SMBs who think they’re too small to be at risk, and so aren’t making any efforts to protect their business or their customers,” commented Matt Koopmans, CEO and Founder of Aurelian Group, a Zoho channel partner.
“It’s promising to see an increase in awareness in Zoho’s research, which we recognise in our clients. Awareness is the first step, it is time to put it into action. The threat to small business is real, and is exacerbated by complacency.
“Regardless of upcoming legislation and consumers becoming more concerned about their data privacy, small businesses should ask themselves: ‘Does the data I collect have value for my business and my customers?’. If it doesn’t add value, it adds cost and risk. What you don’t keep, cannot be stolen. Only if the answer is ‘yes, this information is of value to my business operations’, small businesses must reduce risk for both them and their customers; have a clear policy outlining what client data is to be retained, what software or services are sanctioned to be used that can access that data.
“Businesses shouldn’t use software that they don’t trust, be vigilant in vetting the vendors they do engage, educate their staff about best practice, communicate openly with their customers and put in place plans and policies to guide their response to a breach.”
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.