More than 600,000 Australian small and medium businesses would not survive a privacy breach, Zoho finds

A quarter of Australia’s two-and-a-half million small and medium businesses (SMBs) would not survive the financial and reputational damage of a privacy breach, according to research by global technology platform Zoho. The research, which sought to understand cyber awareness amongst Australia’s SMBs, found that while awareness is growing, too many businesses are unprepared and unequipped to deal with a privacy breach or cyber incident.

What were the findings of Zoho’s survey?

Based on the research of 784 Aussie SMBs in industries including retail, professional services, tech, education and manufacturing, 24% said they would not survive the financial impact of a privacy breach, while 23.7% said they could not recover from the reputational hit.

Awareness increasing, action is not

In the wake of significant privacy breaches to major Aussie firms like Medibank, Optus and Telstra, Australian SMBs say data privacy has become a key priority. Almost half (45.4%) of respondents ranked data privacy as a top business priority, while one in three (30%) ranked it as important. Four in five (79.6%) revealed that the breaches have influenced their views on privacy concerns, and of this, 64.8% have taken action to improve their protections.

While awareness is high, action is not. One third (35.2%) have become more concerned in the wake of breaches, but have still not taken action. Fewer than half (44.4%) have a well-defined, documented and applied customer privacy policy. Also, a further one in five (18.4%) either don’t have a data privacy policy, or do, but have never updated or reviewed it.

“Data privacy is one of the defining issues for the business community today. Sadly, while awareness and concern is increasing, action is not. According to our research, the majority (59.4%) of small and medium businesses understand that they’re just as susceptible to a breach as big businesses,” commented Vijay Sundaram, Chief Strategy Officer at Zoho.

Vijay Sundaram, Chief Strategy Officer at Zoho
Vijay Sundaram, Chief Strategy Officer at Zoho

“But that is still failing to translate into action; an issue that could become exacerbated with many SMBs unprepared for regulatory changes or impact of a breach. Small businesses cannot be expected to become privacy and cyber security experts themselves, though.”

“To turn awareness into action, the technology industry and policymakers must incentivise action, so small businesses can implement measures to protect themselves and their customers. Otherwise, with regulation becoming more stringent, penalties more severe and privacy breaches more regular and damaging, SMBs will be unfairly and disproportionately impacted. For them, a breach could be catastrophic,” Vijay Sundaram further added.

Privacy breaches an increasing threat

Privacy breaches have been increasing in severity and regularity in recent years. The Australian Cyber Security Centre (ACSC) received over 76,000 cyber crime reports in the 2021-22 financial year. A 13% increase compared to the year before, representing a report every seven minutes. Currently small businesses are exempt from The Privacy Act 1988.

However, under proposed reforms – which the Federal government is currently consulting on and preparing draft legislation – small businesses are expected to lose their exemption and would be liable to steep fines and penalties for infringements or failure to comply.

But according to Zoho’s research, only 51.8% believe that their business understands its requirements in accordance with The Privacy Act 1988. Meanwhile one quarter (22.9%) say they do not understand the privacy requirements laid out in The Privacy Act 1988. The legislation concerns the collection, use, storage and disclosure of personal information.

Two thirds (64.5%) of Australian small businesses surveyed collect data about their customers and website visitors, which would bring them under the jurisdiction of the legislation. Over half (58.6%) communicate with their clients or customers about the data that they collect. But a very significant minority (41.4%) had not communicated with their customers. In total, one in five (19.7%) did not realise they had a responsibility to do so.

Fewer than half (46.2%) of respondents claim to know what to do if they fell victim to a privacy breach. Also, 40.3% had some idea of what to do, but 13.5% – equating to almost 350,000 businesses – claim to have ‘no idea’ what to do if they were the victim of a breach.

More than half of Aussie businesses use cookies

Much of the debate around data privacy centres on the use of ‘cookies’, which track and store user data on websites. Over half (57.5%) of respondents collect or use cookies on their business’ websites, applications, or software. Just 5.4% did not know if they collected data via cookies – which is lower than 35% of businesses in 2021 according to the report.

In total, 56.7% of businesses surveyed across the country fully understand the role of cookies, while a further 31.2% somewhat understand the characteristics. One in ten businesses (11.2%) said they did not understand, but were taking steps to learn.

What do the findings mean for business leaders?

“We work with Australian SMBs in various industries like healthcare, defence contractors, human intelligence, refugee resettlement programs, political organisations and more. Data privacy is a significant focus for them and their customers, and a responsibility they take very seriously,” said Matt Koopmans, CEO and Founder of Aurelian Group, a Zoho channel partner.

Matt Koopmans, Founder and Chief Executive Officer at Aurelian Group
Matt Koopmans, Founder and Chief Executive Officer at Aurelian Group

“There are many SMBs who think they’re too small to be at risk, and so aren’t making any efforts to protect their business or clients. It’s promising to see an increase in awareness in Zoho’s research, which we recognise in our clients. Awareness is the first step, it is time to put it into action. The threat to small business is real, and is exacerbated by complacency.”

“Regardless of upcoming legislation and consumers becoming more concerned about their data privacy, small businesses should ask themselves: ‘Does the data I collect have value for my business and my clients?’. If it doesn’t add value, it adds cost and risk,” Koopmans said.

“What you don’t keep, cannot be stolen. Only if the answer is ‘yes, this information is of value to my business operations’, small businesses must reduce risk for both them and their customers; have a clear policy outlining what client data is to be retained, what software or services are sanctioned to be used that can access that data,” Koopmans further added.

“Businesses shouldn’t use software that they don’t trust, be vigilant in vetting the vendors they do engage, educate their staff about best practice, communicate openly with their customers and put in place plans and policies to guide their response to a breach.”