Do you use tools like MYOB, Xero and Hubspot to keep your business humming? Make sure you don’t let your own cybersecurity weaknesses result in operational downtime, loss of brand and potentially even fines.
What type of information do you gather from your customers in order to do business with them? Is it ‘just’ the customer’s full name, address, and mobile number?
That data alone is enough to put your customers at risk should you be breached.
Add other personal information, such as a driver's licence or passport number or bank details, and a breach puts your customers at high risk, and puts your business at high risk of being targeted and of potentially being penalised if you are breached.
It’s easy to think cybersecurity and data protection are the domain of big businesses, but changes to the Australian Privacy Act mean that if you have had an annual turnover of more than $3 million in any financial year since 2002, you are covered by the Act and required to report eligible data breaches (those likely to result in serious harm to the individuals concerned) under the Notifiable Data Breaches (NDB) scheme. If you haven’t taken reasonable steps to protect that data, you could face penalties.
Even if your annual turnover is less than $3 million, you may still be required to comply with the Privacy Act, depending on the type of business you are, and what you do within the business. Businesses handling sensitive information, such as health providers, including gyms, weight loss clinics, complementary therapists and childcare centres; businesses trading in personal information; operators of residential tenancy databases; credit reporting bodies; and businesses which hold and store individual tax file numbers are among those required to comply, even if they’re under the $3 million threshold.
That means businesses including health care providers, real estate agents, accountants, business advisers and recruitment agents could face action under the Privacy Act, no matter their size, depending on the information they handle.
Which brings us to the second question: What practices and processes do you have in place to stop your customer – or employee – data being stolen?
Cybercriminals don’t discriminate. In fact, small businesses are prime targets because, just like the big companies, they collect the customer data that cybercriminals want, but they are less likely to have effective security controls in place.
The Australian Cyber Security Centre reports that it receives one cybercrime report every seven minutes, which works out to roughly 206 reports per day. For small businesses, the average cost per cybercrime report is $39,000. A frequently cited figure is that more than 60 percent of small businesses do not survive a cyberattack or data breach.
The Australian Privacy Principles (specifically APP 11) require that organisations take ‘reasonable steps’ to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
No one can promise to secure your business 100 percent against cyberattacks; there is no such thing as foolproof security. But by having appropriate cybersecurity in place, you’re not only protecting the data, you are also demonstrating that you’ve taken ‘reasonable steps’, which helps mitigate the risk of penalties.
Medibank, for example, was required by the prudential regulator APRA to hold an additional $250 million in capital after a hack saw the personal data of nearly 10 million current and former customers stolen. Yes, Medibank is a very large business. But the point here is that, in announcing the capital adjustment, APRA said it reflected ‘weaknesses identified in Medibank’s information security environment’.
If you handle personally identifiable information of any kind, no matter how big your business is, cybersecurity must be a concern for you.
These two questions are among the five key questions Synergy believes are crucial for all small businesses. To find out more about these two, and the remaining three questions, download our Synergy Security Guide, The five key questions to keep your business cyber-safe.
If you’d like help to determine your current risk profile and security, contact the team at Synergy today.