Ignorant SMBs wearing the blame as security-conscious customers opt out of data collection

Months after it came into effect, 19 percent of SMBs still haven’t heard of the NDB scheme

Growing consumer caution about sharing personally identifiable information (PII) is creating problems for Australian small and medium businesses (SMBs) that say PII is “essential” to their everyday operations, according to a new survey of security attitudes that found nearly half of SMBs still haven’t completed a security risk assessment.

Fully 42 percent of 528 Australian SMBs responding to the HP Australia IT Security Study 2018 said they had not completed an IT risk assessment, and a further 17 percent weren’t sure if they had completed an assessment or not.

Costs and a lack of knowledge and skills were cited as the biggest barriers to completing such an audit, with just 39 percent of respondents saying they have a dedicated IT security specialist looking after their infrastructure and customers.

“Most business owners understand that a data breach has the potential to cost them customers, revenue and their reputation,” said HP South Pacific interim managing director Paul Gracey in a statement.

“But they are naturally laser-focused on growing their business and doing what they do best, rather than IT security – so need to look to technology partners to help them navigate these new data privacy imperatives.”

Even with partners onboard, however, SMBs face an uphill battle given global GDPR-driven trends that favour giving consumers greater transparency and control over the data that companies are amassing about them.

Some 46 percent of the HP respondents said their customers were opting out of data collection and sharing activities, limiting their ability to deliver better targeted services.

Yet the gap in expectations is only being fuelled by SMBs’ perception that upgraded software – favoured as a security strategy by 38 percent of respondents – is a better security investment than implementing new policies (31 percent), training staff on security (30 percent), or investing in endpoint device security (26 percent).

This has left SMBs faring poorly in the context of the notifiable data breaches (NDB) scheme, which demands a higher level of visibility and accountability for poor security.

Given the flood of data breaches reported under the NDB scheme already – figures released in July suggested Australian companies were suffering an average of 81 breaches per month, and new figures to be released by the end of October may worsen the situation – consumers may be right to be wary.

“Once personal information is compromised, cybercriminals can implement highly targeted spear-phishing and social engineering attacks, often via impersonation emails against friends or business contacts,” Mimecast Australia-New Zealand country manager Nick Lennon said in a statement in the wake of airline Cathay Pacific’s announcement this month that an estimated 9.4 million passenger details were stolen from it back in March.

“These impersonation attacks are now the easiest way for criminals to steal money and valuable data,” he said.

When even large companies with security budgets are getting compromised with such regularity, consumers will hardly be reassured by the HP survey’s finding that 19 percent of Australian SMBs still have not heard of the NDB scheme – nine months after it came into effect – and 25 percent don’t know anything about the GDPR.

Fully 51 percent of surveyed SMBs don’t have policies in place to protect their data in line with the new laws – suggesting that a significant amount of PII remains exposed and open to exploitation or theft.

SMBs should draw on available resources from the likes of the Office of the Australian Information Commissioner (OAIC) to run security self-assessments and kick their data-protection efforts into gear, Gracey said.

“While conducting a self-assessment sounds simplistic, it is the quickest and most cost-effective way to measure how well your business is meeting its privacy obligations,” he said. “It can help you identify where there is room to improve your existing privacy management framework by identifying potential risks and weak spots and then working to mitigate them. It is a good place for small businesses to start.”