Australia has been rocked in recent weeks by the news that two of our largest and most recognized companies – Optus and Telstra – have been victims of a cyberattack. The personal information – our most valuable asset – of millions of Australians has been compromised, with both companies being subject to severe penalties. These are just the most high-profile examples of the thousands of attempted attacks that occur every year among Australian businesses.
The Australian Cyber Security Commission (ACSC), the government body responsible for keeping Australia and Australians safe online, responded to nearly 70,000 reports of cybercrime in the last financial year. This represents an increase of almost 13% over the previous year and equates to approximately one reported attack every eight minutes. For Australia’s 2.5 million small businesses, it’s easy to ignore the news and the threat of something similar happening to them. However, they are equally at risk, and without the resources of big companies like Optus and Telstra, the damage could be devastating.
To fully experience the benefits of today’s digital world, we need to guard against its Achilles heel. For the sake of our small businesses, we need to raise awareness, educate and take action.
Awareness and education
For small businesses, it’s incredibly easy to ignore warnings. Many business owners convince themselves that they are too small and do not have enough valuable information to be targeted. This is unfortunately false – and dangerous. Cyberattacks are entirely random, targeting businesses of all sizes, exploiting vulnerabilities in their systems. A cyberattack can maliciously disable computers, steal or compromise data, and even use a hacked computer to target other people.
Small businesses cannot be expected to become privacy and cybersecurity experts, so the tech industry and policymakers must raise awareness and drive action among these businesses as a priority. Today, only 20% of small businesses believe that third-party vendors have made it clear how their information is used and accessed. One in three (31%) think suppliers did a bad or unsatisfactory job, and a further 31% didn’t even consider the issue: evidence that basic awareness is too low.
It’s up to the tech industry and policymakers to do more, and urgently, as policymakers hint at possible reforms that will affect small businesses.
To take part
Earlier this month, Australian Privacy Commissioner Angelene Falk suggested that existing data privacy laws could be extended to small businesses. Currently, any company with annual revenue of $3 million or more must notify the Privacy Commissioner if customer data is exposed. If they fail to do so, heavy fines and penalties may apply. Today, small businesses are exempt, but maybe not for long.
As a good practice, all businesses – including our small businesses – have a duty to protect their business and the data of those who use it. Those who don’t might be more vulnerable to violations. However, with Zoho’s research showing that few small businesses would be prepared for this policy, the tech industry and policymakers must first do more to raise awareness, drive education, and spur action.
Before scaling up proposed reforms, policymakers should give small businesses time to prepare. They must make clear, authoritative and jargon-free advice accessible to all. Local chambers of commerce, business mentors, accountants and local governments should be tasked with raising local awareness among existing and potential business owners.
Technology providers also play an important role. All SaaS platforms must explicitly explain to small businesses how data is collected and stored through their software. These same vendors must also make data protection an integrated foundation of their software. Unfortunately, because data collection is so valuable today, that kind of built-in protection happens far too rarely. However, at Zoho, we decided 26 years ago that we would never have a business model that generates revenue through advertising and data. We have banned third-party cookies – which collect, store and share customer data without their consent – from our software because their data is theirs, and theirs alone.
Small businesses are more technologically advanced than ever, but cybersecurity awareness still lags behind. Optus and Telstra are not small companies, but their experience should be taken as a real warning. Small businesses need to look at these examples and understand “if it can happen to them, it can happen to me”. Awareness, education and action are fundamental pillars of a safer and more secure online world for all of us.