According to the Australian Small Business and Family Enterprise Ombudsman (ASBFEO), SMEs contributed roughly $506 billion, or 32 per cent, to Australia’s GDP last financial year. The sector adds so much to Australia, both socially and economically. However, it has an Achilles heel, and hackers know this too, with two in five (43 per cent) cyber-attacks targeting SMEs.
Awareness is increasing following high-profile breaches to the likes of Optus and Medibank, but too many SMEs are not taking action according to Zoho research, which revealed that hundreds of thousands are unprepared for a breach or for new legislation. With regulation becoming more stringent and breaches growing in severity and regularity, SMEs will be unfairly and disproportionately impacted. For them, a breach could be catastrophic.
A looming threat
According to the Australian Cyber Security Centre (ACSC), over 76,000 cybercrime reports were received during the 2021-22 financial year, a 13 per cent increase from the previous year – and equating to one every seven minutes. In the last year, many large Australian businesses have fallen victim to significant cyber attacks, which have dominated news cycles and brought the issue of what data is collected, why and where it is stored, into focus.
According to Zoho’s recent research, those breaches have resulted in increased awareness amongst Australian SMEs, who understand that businesses of all sizes, in any industry, are susceptible to breaches. 45.4 per cent of respondents ranked data privacy as a top business priority, while a further 30 per cent said it was important. However, despite their heightened awareness, the research also revealed that many have done nothing in response and that a quarter of Australia’s two-and-a-half million SMEs would not survive the financial and reputational damage of a privacy breach.
Increased legislation
To combat the increasing threat of cybercrime, the Australian government is in the midst of reviewing The Privacy Act 1988, which concerns the collection, use, storage and disclosure of personal information. SMEs had previously been exempt, but under proposed reforms, millions would face steep fines and penalties for infringements or failure to comply.
Concerningly, our research found that only half of businesses (51.8 per cent) understand their requirements in accordance with the legislation, while 22.9 per cent say outright that they do not. Turning awareness into action, therefore, is essential.
Taking action
The vast majority of businesses today collect customer data, using it to understand, then better serve, their customers. Indeed, our research found that two-thirds of SMEs collect data about their customers and website visitors, bringing them under the jurisdiction of the legislation. This means that businesses must understand their legal obligations and communicate effectively with their customers.
While businesses cannot entirely immunise themselves from a privacy breach, there are many ways to reduce the risk or respond. SMEs must create a well-defined, documented and applied privacy policy that is communicated to their customers and followed by their employees. An effective policy not only helps businesses implement best practices and follow procedures to minimise the risk proactively but also helps them understand the steps required if they are targeted.
SMEs must also prioritise third-party technology vendors that prioritise data privacy, promote best practice and regularly audit their performance and privacy policy. SMEs cannot be expected to become privacy experts, so policymakers and technology vendors have an obligation to educate and support SMEs on risks, requirements and best practice.
It’s promising that awareness is increasing amongst SMEs, but the lack of action is making hundreds of thousands of businesses vulnerable both financially and reputationally. When SMEs have the right support and software, they can focus on what matters: running rewarding, fulfilling and successful businesses that contribute so much to Australia socially and economically.
