
How can small and medium businesses safeguard against rising data privacy threats?
Small and medium businesses are the backbone of Australia's economy and the fabric that binds high streets and entire communities together. Across Australia, over two-and-a-half million entrepreneurs are turning a passion into a purpose, exercising greater control and autonomy over their careers and pursuing the heightened earning potential that business ownership can provide.
However, running an SMB isn't easy; far from it. Whether a business operates in finance, retail, professional services, construction, healthcare or education, it faces risks, and few are more important, or more concerning, than data breaches. According to the Australian Signals Directorate (ASD), the government body tasked with keeping Australians safe online, breaches are increasing in both severity and regularity. In the last financial year, it received over 36,700 calls to the Australian Cyber Security Hotline, up 12% from the previous year. The average cost of cybercrime for small businesses was AUD$49,600, eight per cent higher than the previous year. That's on top of the potential legal and reputational damage.
Despite these worrying statistics, many SMBs still think they're immune: that they're too small, or don't hold enough data, to be targeted. The truth is that attacks are indiscriminate and target vulnerabilities in a business's systems, whether it's a global conglomerate or a family-run operation. Thankfully, improving safeguards for customer data and complying with evolving regulations needn't be as complicated or costly as many SMBs fear.
Data privacy compliance
In Australia, SMBs must adhere to the Privacy Act 1988 and the Australian Privacy Principles (APPs), which govern how personal information is collected, stored and processed. While small businesses have been exempt from the Act for many years, the government will lift that exemption. After a transition period, businesses with an annual turnover of less than $3 million (meaning 92% of all Australian businesses) must comply, and they'll face fines and penalties for non-compliance.
To safely navigate the transition, SMBs must develop best practices today. Most SMBs collect more data than they realise, or more than they need. Often, it's stored in unsecured spreadsheets, outdated systems, or even email threads. Not only does this increase security risks, it makes compliance harder. Instead, small businesses should collect only the personal data they need, and only after obtaining clear and informed customer consent. What's more, what they do collect should be secured with encryption and restricted access. Worryingly, one in five (19.7%) SMBs didn't realise they had a legal responsibility to communicate with customers about the data they collect, according to Zoho research.
Integration and best practice
Many SMBs unknowingly expose themselves to risk through outdated software, unsecured data storage and poor access controls. Cybercriminals target businesses with these types of vulnerabilities, so it's essential that SMBs keep software and security tools updated.
SMBs often rely on multiple apps or vendors - many of which may not be necessary - in their operations. The more systems a business uses, the harder it becomes to safeguard customer data. This complexity, combined with limited resources, makes it harder to ensure data privacy and security and increases the risk of a breach. Instead, businesses can enhance their protections - and enjoy many other benefits - with an integrated technology stack, like Zoho, where privacy is the foundation and not a bolt-on.
Often, data is unnecessarily accessible to too many employees. If an SMB implements role-based permissions, only authorised and trained personnel can view critical information. Regular security training, such as recognising phishing attempts, is equally important. Routine security audits help identify vulnerabilities before they're exploited. Multi-factor authentication protects against unauthorised access, and encrypted backups provide a safety net against ransomware or accidental data loss. Monitoring access logs lets businesses track who interacts with customer data.
It's also essential to establish - and then regularly update - a privacy policy: a formal document that outlines how a business collects, uses, stores and protects customer data. It helps build trust, ensure compliance, promote best practice and increase awareness and accountability. According to Zoho research, fewer than half (44.6%) of SMBs have a well-defined, documented and applied customer privacy policy. For SMBs without a policy, there are plenty of helpful resources available through the government and local chambers of commerce, while accountants can be helpful sources of professional advice.
In addition to a privacy policy that is strictly adhered to and communicated with transparency, customers should have control, such as easy opt-out options. Consumers should have to opt in at the outset, and it must be clear and easy for them to opt out subsequently.
Data security and training aren't set-and-forget tasks. Threats are becoming more sophisticated, so they must be an ongoing focus for SMBs. For businesses of all sizes - even the smallest - data privacy and the need to comply with evolving regulations have never been more important. The benefit of a serious and strategic approach to privacy and security is about far more than compliance, though; it's about mitigating risks, building long-term trust and developing the foundation to thrive in today's digital world.