Cyber awareness amongst Australian small businesses

Data privacy has become a defining issue in today’s digital landscape. After a slew of data breaches of high-profile companies, data privacy concerns have made their way to the front pages.

To learn more about cyber awareness amongst Australia’s SMBs, Zoho Corp., in conjunction with capioIT, researched 784 small and medium Australian businesses in industries including retail, professional services, technology, education, and manufacturing.

Key findings of our research

Privacy awareness and concern is increasing amongst Australian SMBs in the wake of Optus and Medibank attacks, but action is low

1 in 4 local small businesses would fail to survive the financial or reputational damage of a privacy breach

1 in 4 do not understand what is expected of their business as part of recent Privacy Act changes

Awareness is increasing

In the wake of significant privacy breaches to major Australian organisations such as Medibank and Optus, Australian SMBs say data privacy has become a key priority.

45.4%
Almost half of respondents ranked
data privacy as a top business priority
30.0%
One in three ranked it as important,
but not their top priority
79.6%
Four in five acknowledged that those breaches have influenced their views on privacy concerns
64.8%
Of this, have taken action to improve
their protections

Action is slow

18.4

44.4

35.2

One third of businesses surveyed have become more concerned in the wake of major breaches, but have still not taken action
Fewer than half have a well-defined, documented and applied customer privacy policy
A further one in five either don’t have a data privacy policy, or do, but have never updated or reviewed it

- Vijay Sundaram,

Chief Strategy Officer at Zoho.

“Privacy breaches are increasing in regularity and severity. Unfortunately, while awareness is increasing, action isn’t. According to our research, 59.4% of SMBs understand that they’re as susceptible to breaches as big businesses. That could be exacerbated with so many SMBs unprepared for proposed regulatory changes or the impact of a breach in the first place.

“Small businesses can’t be expected to become privacy and security experts themselves, though. To turn awareness into action, policymakers and the technology industry must incentivise action, so that SMBs can implement measures to protect themselves and their customers. Otherwise, with regulation becoming more stringent, penalties more severe, and privacy breaches more regular and damaging, SMBs will be unfairly and even catastrophically impacted.”

Catastrophic risk

As many as one in four SMBs say the impact of a privacy breach could be devastating for them, either financially or in terms of reputation.

Financially, would your business survive a significant privacy breach?

In terms of reputation, would your business survive a significant privacy breach?

Legislation and best practice

Small businesses have long been exempt from The Privacy Act 1988. However, under proposed reforms—which the government is currently consulting on and preparing for legislation—small businesses are expected to lose their exemption and face steep fines and penalties for infringements or failure to comply. Much of the legislation revolves around how data is collected, stored, and shared, and how breaches are responded to.

To what degree does the following statement apply to your business? “My business understands what is expected of it according to The Privacy Act 1988.”

14.9 Strongly agree

25.4 Neutral

32.5 Agree

19.3 Strongly disagree

8 Disagree

Which of the following best describes your company’s approach to customer data privacy?

45.6

Our company has a well-defined, documented policy to protect customer data that is strictly applied

17.7

Our company does not have a documented
customer data privacy policy

13.0

Our company has a well-defined, documented policy to customer data privacy but not strictly applied

7.9

Our company has a documented customer
data policy, but I haven’t read it

10.5

Our company has a less formal customer data
privacy policy that has not been fully documented

6.4

I do not know if we have a have a
customer data privacy policy

When did you last update or review your business’ data privacy policies?

Within the last 3 months
Over 5 years ago
3 - 6 months ago
Never
6 - 12 months ago
I don’t have a data privacy policy
1 - 5 years ago

25.1%

28.2%

18.2%

7.8%

2.3%

7.9%

10.5%

Do you know what to do if your business falls victim to a privacy breach?

46.2 I know exactly what to do
40.3 I have some idea of what to do
13.5 I have no idea what to do

About capioIT

capioIT was formed in 2010 by Phil Hassey to act as a trusted advisor to organisations looking to drive real business outcomes from investments in technology and business processes. Based in Sydney, Australia, capioIT works to “tilt the world view” to provide actionable outcomes for clients globally.