These days, the risk of data breaches isn’t just something big corporations need to think about. Here are some essential tips and actions to help you protect your small business’s data.
Some major data breaches have made the headlines recently – and, unfortunately, these are not likely to be the only major data leaks we’ll hear about in our heightened risk environment. If you collect any kind of personal information from your customers, you need to know your obligations under Australian law regarding the collection, storage and safety of that data.
Here are 7 things you need to know about privacy and data security, and actions you can take, to protect your business and customer data.
#1 Know the risks
By understanding the risks of cybercrime, you can take steps to try to protect your customers, your staff and the data you collect and store for your business.
Last financial year, the Australian Cyber Security Centre saw a cybercrime report made every seven minutes, on average. According to their Annual Cyber Threat Report 2022:
- The average cost of a cybercrime was more than $39,000 for a small business in the 2021-22 financial year.
- Cyber criminals are continuing to target Australian small businesses and individuals to seek sensitive information.
- 150,000 to 200,000 small office/home office routers in Australian homes and small businesses are vulnerable to compromise.
Spend around 20 minutes assessing the likely risks to your business through the Department of Industry, Science, Energy and Resources cyber security assessment tool. Be particularly aware of security around your internet connection and follow these steps to make your network more secure.
#2 Know your obligations
Keeping personal information secure is always important but only some small businesses are covered by the Privacy Act 1988. You can opt in to be covered by the Privacy Act, which could show your customers just how seriously you take their privacy.
Depending on your business, industry and structure, your business may also need to comply with:
- Australian Privacy Principles (APPs)
- Part IIIA of the Privacy Act which relates to how you handle consumer credit information, including credit reports
- Privacy (Tax File Number) Rule 2015 which relates to how you handle your team’s tax file number information
Use the Office of the Australian Information Commissioner (OAIC) Privacy Checklist for Small Business or check with your legal adviser to see if your small business needs to comply with the Privacy Act. At the end of the OAIC checklist is information on opting in to be covered by the Privacy Act.
#3 Know what you can and can’t collect
It’s important to only collect personal information that you actually need for your business. As the OAIC website states: “Don’t collect personal information just because it may become necessary or useful at a later date. If you need it later, you can collect it then.”
Some of the data you collect will be personal information such as your customer and staff members’ names and contact details. Other details you need to collect could fall under the category of ‘sensitive information’. The OAIC defines this as “a specific set of personal information that includes an individual’s racial or ethnic origin, religious beliefs or affiliations and sexual orientation or practices. It also includes information about health, genetics and biometrics.”
This kind of sensitive information can only be collected with someone’s consent but may be necessary for your business, for example if you run a healthcare practice.
Read the Office of the Australian Information Commissioner (OAIC) tips to learn more about your obligations when handling personal information.
#4 Know how to store your data in the safest possible ways
If you do collect and store personal information, you need to proactively protect that information from unauthorised access, modification or disclosure. You also need to protect that data against being misused, interfered with or lost.
Once you no longer need personal information for the reasons allowed by the Privacy Act, unless you are required to keep it by law, you need to take reasonable steps to destroy or de-identify that information.
Learn about storing data securely in the OAIC Guide to securing personal information.
#5 Know how to protect your data and systems
According to the Australian Cyber Security Centre, keeping your devices and software up-to-date is an important step in keeping data secure. This includes information you might store using cloud-based systems.
When possible, choose automatic updates for your mobile, laptop and computers – but also check in regularly to make sure these updates are being performed correctly.
Multi-factor authentication (MFA) is also an important security measure to consider. This is when someone needs more than one way to confirm their identity. For example, if customers log into an account through your website, you might introduce an MFA system where your system sends a single-use code to their mobile. They would then need to enter that code to log in to their account online.
Follow these tips from the Australian Cyber Security Centre to help keep your systems and devices secure.
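To make the single-use code idea concrete, here is an added example (not code from the original article or from the Australian Cyber Security Centre) of the server-side half of that MFA step: issuing a short-lived code, storing only a salted hash of it, checking submissions in constant time, and throwing the code away after one successful use or too many wrong guesses. The class and function names, the five-minute lifetime and the attempt limit are assumptions for illustration; sending the SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example: a code lives five minutes and
# may be guessed at most five times before it is discarded.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OneTimeCodeStore:
    """Holds pending single-use login codes, keyed by username (hypothetical design)."""

    def __init__(self, clock=time.time):
        # The clock is injectable so expiry can be exercised without waiting.
        self._clock = clock
        self._pending = {}  # username -> {"digest", "salt", "expires", "attempts"}

    def issue(self, username):
        """Generate a fresh six-digit code for the user and return it for delivery by SMS.

        Only a salted HMAC-SHA256 of the code is kept, so a leaked store does not
        reveal usable codes. The plaintext code must never be logged.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hmac.new(salt, code.encode(), hashlib.sha256).digest()
        self._pending[username] = {
            "digest": digest,
            "salt": salt,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username, submitted):
        """Return True once, for the correct unexpired code; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]  # stale code: drop it
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]  # too many guesses: user must request a new code
            return False
        candidate = hmac.new(entry["salt"], submitted.encode(), hashlib.sha256).digest()
        # compare_digest avoids leaking how many bytes matched through timing.
        if hmac.compare_digest(candidate, entry["digest"]):
            del self._pending[username]  # single use: a replayed code will not work
            return True
        return False


def demo_flow():
    """Constructed walk-through: a wrong guess, the right code, then a replay of it."""
    store = OneTimeCodeStore()
    code = store.issue("carol")  # in a real system this is what you would text the customer
    wrong_guess = "000000" if code != "000000" else "111111"
    first = store.verify("carol", wrong_guess)   # False
    second = store.verify("carol", code)         # True
    replay = store.verify("carol", code)         # False, already consumed
    return first, second, replay


if __name__ == "__main__":
    print(demo_flow())
```

In a real deployment the store would live in your database or cache rather than in memory, and the code would be tied to the customer's session so it cannot be used from a different browser than the one that requested it.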
#6 Know what to do in the event of a data breach
Under the Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to tell the people affected when a data breach is likely to cause them serious harm. If your business is covered and experiences such a breach, you need to let the affected customers know.
The faster you act in the event of a cybercrime against your business, the more protection you, your staff or the customer involved could have.
Just as you should have an emergency evacuation plan for your business, it’s important to plan ahead for a digital emergency.
#7 Know the resources available to you as a small business owner
The Australian Cyber Security Centre and the OAIC provide a lot of valuable information and tools to help you manage data and privacy risks in your business.