Key findings of our research
Privacy awareness and concern are increasing amongst Australian SMBs in the wake of the Optus and Medibank attacks, but action is low
1 in 4 local small businesses would fail to survive the financial or reputational damage of a privacy breach
1 in 4 do not understand what is expected of their business as part of recent Privacy Act changes
Awareness is increasing
In the wake of significant privacy breaches to major Australian organisations such as Medibank and Optus, Australian SMBs say data privacy has become a key priority.
Action is slow
- One third of businesses surveyed have become more concerned in the wake of major breaches, but have still not taken action
- Fewer than half have a well-defined, documented and applied customer privacy policy
- A further one in five either don’t have a data privacy policy, or do, but have never updated or reviewed it
“Privacy breaches are increasing in regularity and severity. Unfortunately, while awareness is increasing, action isn’t. According to our research, 59.4% of SMBs understand that they’re as susceptible to breaches as big businesses. That could be exacerbated with so many SMBs unprepared for proposed regulatory changes or the impact of a breach in the first place.
“Small businesses can’t be expected to become privacy and security experts themselves, though. To turn awareness into action, policymakers and the technology industry must incentivise action, so that SMBs can implement measures to protect themselves and their customers. Otherwise, with regulation becoming more stringent, penalties more severe, and privacy breaches more regular and damaging, SMBs will be unfairly and even catastrophically impacted.”
Catastrophic risk
As many as one in four SMBs say the impact of a privacy breach could be devastating for them, either financially or in terms of reputation.
Financially, would your business survive a significant privacy breach?
In terms of reputation, would your business survive a significant privacy breach?
Legislation and best practice
Small businesses have long been exempt from The Privacy Act 1988. However, under proposed reforms—which the government is currently consulting on and preparing for legislation—small businesses are expected to lose their exemption and face steep fines and penalties for infringements or failure to comply. Much of the legislation revolves around how data is collected, stored, and shared, and how breaches are responded to.
To what degree does the following statement apply to your business? “My business understands what is expected of it according to The Privacy Act 1988.”
Which of the following best describes your company’s approach to customer data privacy?
When did you last update or review your business’ data privacy policies?
- Within the last 3 months
- 3 - 6 months ago
- 6 - 12 months ago
- 1 - 5 years ago
- Over 5 years ago
- Never
- I don’t have a data privacy policy
Do you know what to do if your business falls victim to a privacy breach?
- 46.2%: I know exactly what to do
- 40.3%: I have some idea of what to do
- 13.5%: I have no idea what to do
About capioIT
capioIT was formed in 2010 by Phil Hassey to act as a trusted advisor to organisations looking to drive real business outcomes from investments in technology and business processes. Based in Sydney, Australia, capioIT works to “tilt the world view” to provide actionable outcomes for clients globally.