Telco breaches a warning to small business

The Australian news cycle has been dominated by not one, but two, high-profile and potentially highly damaging cybersecurity incidents in recent weeks. The data of millions of Aussies was compromised in a significant attack on Optus in late September, which was swiftly followed by a separate incident at Telstra. Collectively, the two have sent reverberations around the business community, elevating data privacy and cybersecurity back to the top of the agenda — and rightly so.

If two of our largest, best-resourced businesses can fall victim to a breach, so can any business. In fact, cyber attacks are entirely random, targeting businesses of any size by exploiting vulnerabilities in their systems. The Australian Cyber Security Commission (ACSC) responded to over 67,500 cyber crime reports in the last financial year — an increase of nearly 13% from the previous year. That equates to one every eight minutes.

In the worst-case scenario, privacy breaches can be the end of the business in question. For Australia’s roughly 2.5 million small businesses, these attacks should send a dire warning. They must not stand idly by, wrongly assuming they are too small to be targeted.

Small businesses at risk, and unprepared

Attacks are not only increasing in regularity, but also in severity. To better understand the small business mindset around data privacy, Zoho conducted research across a range of industry sectors including: education, financial services, retail, health care, insurance, manufacturing, mining, professional services, retail and technology.

The results revealed that just 35% of Australian small businesses currently have a defined, documented and enforced privacy policy regarding the personal data collected, used and disclosed through their organisation. A further 27% either don’t have a privacy policy or don’t know if they do, while 38% have an informal or unenforced policy.

Since the Optus news broke, policymakers (including Privacy Commissioner Angelene Falk on the ABC’s 7.30) have suggested that existing data privacy laws — which can see offenders face significant fines and penalties — might be extended to small businesses. Currently, any business with an annual turnover in excess of $3 million must notify the Privacy Commissioner if their customer data is exposed. Small businesses — often those with less sophisticated cyber protection — are exempt, but they might not be for long.

Awareness, education and action

Policymakers are right to take action — after all, for us to feel the full benefits of digital transformation we must safeguard against its Achilles heel. As a matter of best practice all businesses have a duty to protect their businesses and the data of those using it. Those that fail to do so could be more susceptible to breaches. However, with Zoho research showcasing how few small businesses would be prepared for such a policy, the technology industry and policymakers must first do more to drive awareness, prioritise education and encourage action.

It is still too easy for small businesses to overlook their responsibilities when it comes to data privacy, but the threat and the potential cost are real. Small businesses cannot be expected to become privacy and cybersecurity experts, so the technology industry and policymakers must make awareness, education and action amongst these businesses a top priority. Otherwise, with regulation becoming more stringent, penalties more severe and attacks more prevalent and damaging, small businesses will be unfairly and disproportionately impacted.

Only 20% of small businesses believe that third-party vendors have done a good job of explaining how their information is being used. In comparison, 31% believe vendors have done a bad or unsatisfactory job, and a further 31% hadn’t even considered the issue; evidence that basic awareness is too low. A third (33%) are entirely unaware that data tracking occurs via cookies in their digital business while a further 32% are aware that tracking happens but do not communicate it to their customers.

Before passing reforms, policymakers must give small businesses time to prepare — and guidance on best practice and how to implement it. Clear, authoritative and jargon-free advice and guidance must be readily available, while business groups, accountants and other advisors must be tasked with spreading awareness amongst their members and customers.

The industry has a role too and must do more to explain to their small business customers how data is collected and stored through their software. Greater data privacy must also be made a foundational part of all small business technology, not just an optional add-on. Over 20 years ago, it was decided that Zoho would never implement a business model that generated revenue through advertising and data. This meant third-party cookies were banned from our software, as we believe our customers’ data belongs to them, not to us — or anyone else.

By now, small business owners will be aware of the Optus and Telstra breaches. Our fear, though, is that only a small number will have heeded the warnings. Data privacy is one of the defining issues for the business community today. Unfortunately, confusion and uncertainty reign supreme amongst Australia’s small businesses, many of whom are unprepared and vulnerable. Through awareness, education and action, though, we can give our small business community the peace of mind that they have policies and protections in place in the event of something unexpected.

Image credit: iStock.com/Traitov