03 Dec 2014

Privacy, compliance and the SME: A risk no one needs to take

In 2014 we saw a significant uptick in regulatory and community expectations about how organisations handle customer data and privacy. New privacy laws came into effect with stiff penalties for organisations found to be handling customer data insecurely, and the Federal Government’s data retention strategy brought into sharp focus for many consumers just how much of their data was out there in the internet ether.

In other words, 2014 was the perfect storm of increased regulation and increased customer awareness, and that has turned data into a bigger business risk than ever before. For SMEs it is also a greater headache than they have ever faced, and that headache can be broken down into three kinds of threats to the business arising from the way it handles customer data.

  1. Reputational damage – Should a data breach occur, the resulting reputational damage can be a business-ending event for a small business. Large corporations have access to capital that lets them weather the inevitable short to medium term drop in sales that follows reputational damage. Smaller companies that lose customers for a quarter or two due to mistrust over insecure practices can find themselves out of options well before sales and trust start to pick up again.
  2. Regulation – The regulators are now stricter than before, and the penalties are stiff. Any but the smallest organisations can now be fined up to $1.7 million for failing to comply with Australia’s privacy laws, and that is a big hit to the bottom line of a small or medium sized business.
  3. The potential for corporate espionage – SMEs that are not secure enough with customer data can easily be “snooped on” by a rival organisation. With customer data being the most valuable asset most companies have, losing that data to a rival can seriously damage the business’s competitiveness.

Despite these three critical concerns, many small to medium businesses ignore data security, assuming that it would be too expensive to bring a consultant in to run a full audit, let alone to then invest in the technology the audit recommends to ensure compliance.

It’s a head-in-the-sand strategy that is a ticking time bomb for Australian small businesses, and what is tragic about it is that it’s also completely unnecessary. For a small business, an audit of the IT infrastructure to check data security and compliance is not actually expensive, and we are seeing more consultants specialise in delivering services tailored to these businesses and their budgets.

Equally, for most small businesses the audit will not recommend purchasing a data leak prevention (DLP) suite costing thousands of dollars. Most small businesses can, through simple policies and configuration changes, minimise the technology risks around their customer data.

The most basic strategies to prevent data leaks, such as setting policies on email that quarantine specific kinds of messages and catch outward leaks of data before they leave the organisation, are inexpensive to implement and can help immeasurably. Employees of small businesses will often email customer data lists to one another unaware of how insecure that is, and there is always the risk of a deliberate leak by a disgruntled employee. This needs to be prevented to maintain compliance, but it is not expensive to do.

SMEs can also look at how the organisation uses CRM and cloud services. As useful as Salesforce, Dropbox and others are, any company, including an SME, needs to enact strict policies ensuring that only the people who need access to customer data have it, whether the data is hosted in the cloud or on a local network.

There are other common sense measures as well: a company can enable two factor authentication for critical applications, and lock down Microsoft Exchange so that email accounts that don’t need to send external email can’t. These are all inexpensive projects that can be implemented by the SME’s internal tech team or its technology partner, and they can save the business a lot of headaches in the future.

As published on Technology Spectator.
