One in four SMBs wouldn't survive a breach

One-quarter of Australia’s two-and-a-half million small and medium businesses (SMBs) would struggle to survive the financial and reputational damage of a privacy breach, according to new research from Zoho.

The research found that, while awareness is growing, too many businesses are unprepared and unequipped to deal with a privacy breach or cyber incident. From a study of 784 Australian SMBs in industries including retail, professional services, technology, education and manufacturing, 24% said they would not survive the financial impact of a privacy breach, while 23.7% said they could not recover from the reputational hit.

Awareness increasing, action not

In the wake of significant privacy breaches to major Australian organisations including Medibank, Optus and Telstra, Australian SMBs say data privacy has become a key priority. Almost half (45.4%) of respondents ranked data privacy as a top business priority, while one in three (30%) ranked it as important. Four in five (79.6%) acknowledged that those breaches have influenced their views on privacy concerns, and of this, 64.8% have taken action to improve their protections.

While understanding and awareness is high, action is not. One-third (35.2%) have become more concerned in the wake of major breaches, but have still not taken action. Fewer than half (44.4%) have a well-defined, documented and applied customer privacy policy. Meanwhile, a further one in five (18.4%) either don’t have a data privacy policy, or do, but have never updated or reviewed it.

“Data privacy is one of the defining issues for the business community today. Unfortunately, while awareness and concern is increasing, action is not,” commented Vijay Sundaram, Chief Strategy Officer at Zoho.

“According to our research, the majority (59.4%) of small and medium businesses understand that they’re just as susceptible to a breach as big businesses. However, that is still failing to translate into action; an issue that could become exacerbated with so many SMBs unprepared for proposed regulatory changes or the impact of a breach in the first place.

“Small businesses cannot be expected to become privacy and cybersecurity experts themselves, though. To turn awareness into action, the technology industry and policymakers must incentivise action so small businesses can implement measures to protect themselves and their customers. Otherwise, with regulation becoming more stringent, penalties more severe and privacy breaches more regular and damaging, SMBs will be unfairly and disproportionately impacted. For them, a breach could be catastrophic.”

An increasing threat

Privacy breaches have been increasing in severity and regularity in recent years. The Australian Cyber Security Centre (ACSC) received over 76,000 cybercrime reports in the 2021–22 financial year. A 13% increase compared to the year before, and representing one report every seven minutes.

Currently small businesses are exempt from the Privacy Act 1988. However, under proposed reforms — which the government is currently consulting on and preparing draft legislation — small businesses are expected to lose their exemption and would be liable to steep fines and penalties for infringements or failure to comply.

However, only 51.8% of respondents believe that their business understands its requirements in accordance with the Privacy Act 1988. Meanwhile, one-quarter (22.9%) say they do not understand the privacy requirements laid out in the Privacy Act 1988. The legislation concerns the collection, use, storage and disclosure of personal information.

Two-thirds (64.5%) of small businesses collect data about their customers and website visitors, which would bring them under the jurisdiction of the legislation. Over half (58.6%) communicate with their clients or customers about the data that they collect. However, a very significant minority (41.4%) had not communicated with their clients. In total, one in five (19.7%) did not realise they had a responsibility to do so.

Fewer than half (46.2%) of respondents claim to know exactly what to do if they fell victim to a privacy breach. Meanwhile, 40.3% had some idea of what to do, but 13.5% — equating to almost 350,000 businesses — claim to have ‘no idea’ what to do if they were the victim of a breach.

Cookies

Much of the debate around data privacy centres on the use of ‘cookies’, which track and store user data on websites. Over half (57.5%) of respondents collect or use cookies on their business’s websites, apps or software. Just 5.4% did not know if they collected data via cookies — considerably lower than 35% of businesses in 2021.

In total, 56.7% of businesses fully understand the role of cookies, while a further 31.2% somewhat understand the characteristics. One in 10 businesses (11.2%) said they did not understand, but were taking steps to learn.

“We work with SMBs in various industries like health care, defence contractors, human intelligence, refugee resettlement programs, political organisations and more. Data privacy is a significant focus for them and their customers, and a responsibility they take very seriously. There are also many SMBs who think they’re too small to be at risk, and so aren’t making any efforts to protect their business or their customers,” said Matt Koopmans, CEO and founder of Zoho channel partner Aurelian Group.

“It’s promising to see an increase in awareness in Zoho’s research, which we recognise in our clients. Awareness is the first step, it is time to put it into action. The threat to small business is real, and is exacerbated by complacency.

“Regardless of upcoming legislation and consumers becoming more concerned about their data privacy, small businesses should ask themselves: ‘Does the data I collect have value for my business and my customers?’. If it doesn’t add value, it adds cost and risk. What you don’t keep cannot be stolen.

“Only if the answer is ‘yes, this information is of value to my business operations’, small businesses must reduce risk for both them and their customers; have a clear policy outlining what client data is to be retained, what software or services are sanctioned to be used that can access that data. Businesses shouldn’t use software that they don’t trust, be vigilant in vetting the vendors they do engage, educate their staff about best practice, communicate openly with their customers and put in place plans and policies to guide their response to a breach,” Koopmans said.

Image credit: iStock.com/Artur