Is your business at risk of a data breach?

The number of small businesses falling victim to cyber crime is on the rise in Australia. More than 500,000 small businesses were impacted by cyber attacks in 2017, a survey by IT company Norton reveals.

That’s a huge impact on the Australian economy, particularly given that small businesses usually suffer 25 hours or more of downtime after a cyber attack.

The impact of a breach on your business could be severe, and could even affect your professional reputation.

Professor Matthew Warren, Deputy Director of Deakin’s Centre for Cyber Security Research and Innovation, says that business owners are increasingly dependent on IT systems, which makes them more vulnerable to new and emerging security risks.

“From hairdressers to builders, accountants to GPs, small businesses are using IT to improve, expand, and market their services. That includes things like booking services, online sales, social media promotion, websites, and customer databases.”

However, lack of resources, expertise, or understanding can mean that small businesses aren’t always able to protect their systems and key data.

“They’re using technology from a convenience perspective, but without properly understanding the privacy and security risks,” Professor Warren says.

What is a data breach?

A data breach occurs when personal information held by a small business is lost or subject to unauthorised access or disclosure.

This could include a device containing customers’ personal information being lost or stolen, a database containing personal information being hacked, or personal information mistakenly being provided to the wrong person. It may also include the accidental leaking of information, such as customers’ credit card details, tax information, or home address details.

A security breach can be brought about by a range of factors:

Accidental: Human error caused by mistakes or a lack of education on correct practice.
Negligent: Caused by employees avoiding their responsibilities or the policies put in place.
Malicious: Cyber attacks from someone inside the business or an external source.

Small businesses need to act to ensure they comply with the Notifiable Data Breaches (NDB) scheme of the Privacy Act, which was introduced at the start of 2018. It mandates that small businesses must report data breaches to authorities and to members of the public if they believe or are aware that data has been compromised.


Is your business prepared?

Authorities urged small businesses to step up their cyber security last year, but it appears that many have not done so. In fact, 57 per cent of SMEs haven’t undertaken any sort of IT security assessment in the last 12 months, putting their small business at major risk.

Cyber attacks can occur in countless ways, and you can never be 100 per cent safe.

As a small business owner, you should think about cyber security in the same way you think about regular security, such as locking the door when you leave your house or not sharing trade secrets with your competitors.

Cyber Security: The Small Business Best Practice Guide suggests that a business-wide policy should be developed, so everyone knows that cyber security is a priority.

The guide explains that treating cyber security as more of an IT issue doesn’t send the message that it’s a top priority, and won’t make your business or employees cyber secure. It’s important to establish and communicate team responsibilities in order to build a cyber-aware business.

Sydney-based small business owner Salina Hainzl runs an ecommerce store called A virus nearly brought her business to its knees, showing her the importance of back-ups.

“Data security is certainly an easy oversight in this day and age when everything is on cloud and shared,” she says.

The site has also been hacked six times. When Salina contacted her IT company, who were able to clean up her site, she was shocked to discover that only the previous three days’ worth of orders could be retrieved from the back-up.

Salina made the decision to move her site to Shopify, which offered better security than her previous domain host.

Reputational damage

James Eling, IT expert and managing director of Victoria’s Extreme Networks, cautions that a breach could spell reputational damage or a loss of customers.

“Theft of customer contact details is a real threat in most businesses, especially from disgruntled employees. A lot of the measures small businesses need to implement are simply procedural, to ensure that access to data is kept to only those requiring it to do their jobs,” James says.

His advice to business owners is to put the necessary controls in place, limiting what employees can access. This includes adequate antivirus, transporting data with encrypted USB keys, and ensuring laptops are encrypted. Make sure documents are kept in locked storage and that computer back-ups are tested.

Most small businesses can dramatically improve the security of their data for less than $1,000, James says.

“That would cover a good back-up system, encrypting data, and locking documents away, such as a lockable filing drawer,” he says.