In September, Australian telco giant Optus announced that potentially up to 10 million of its customers had personal data stolen in a cyber-attack. The breach was well-publicised and affected up to 40% of the population. While the actual damage from the compromised data has so far been limited, the questions it raises for the public, governments and the cybersecurity industry are immense. It certainly hasn’t been friendly to Optus, as customers reconsider their services and are left wondering how their data was compromised – or why it was stored by Optus in the first place.
As a practical example, it’s an opportunity for small businesses to question the potentially sensitive information they provide to other businesses, as well as the information they collect and store on behalf of their customers. Your small business’ security and data collection policies are just as important as, if not more important than, those of a major company such as Optus. One mistake and your smaller customer base may never return. Let’s look at the critical lessons small businesses can learn from the Optus data breach.
What data can you collect from your customers?
Considering this leak, it is appropriate to ask and examine what data you should (or can) collect from your customers. Legal requirements govern what information must be provided in specific industries, such as Know Your Customer (KYC) obligations for reporting entities (financial, gambling, digital currency etc.). Similarly, there are rules under the Privacy Act 1988 that outline how such collected data may be used, stored and eventually destroyed.
If your business has an annual turnover of more than $3 million, you must comply with the Privacy Act. Even if your turnover is less than this, you are still required to comply if you operate in sensitive areas, such as therapists, gyms, credit providers or other businesses that sell or purchase personal information. In general, it’s best practice to ensure the personal information of your customers is protected at all times, regardless of the legal requirements. Personal information is anything that can be used to identify your customers. For example, their names, signatures, addresses, medical records, bank details or even IP addresses are all personal information.
With consent, you can collect all of this information, but you must protect it from unauthorised access, loss, interference and theft. When it’s no longer needed, it must be destroyed or de-identified. While personal information is handy for your business when it comes to marketing, analytics and communications, it’s also a risk that needs to be managed – your reputation depends upon it.
Ensure your business security is lockfast
Protecting your customers’ data starts with protecting your small business’s overall information security. Maximising your small business’ security is not too different from how an individual would manage their own data. As you should be doing regardless, monitor your bank accounts often, maintain access to your accounting systems and run reconciliations regularly. Missing money or unrecognised transactions are often signs that you have been compromised in some way. Make sure your official business documents, reporting requirements and digital subscriptions are kept up to date at all times, reducing the risk of anything happening to your business details and registrations.
On behalf of your customers, have a privacy policy in place and proactively communicate its requirements to your customers. If your business maintains online accounts, ensure your customers’ password integrity (don’t allow ‘easy’ passwords) and offer multi-factor authentication when available. Customers should have access to the personal data they’ve provided and be able to request its deletion whenever they choose to. Customers would rather deal with a small business that takes their information seriously and shows proactive goodwill that they can trust, wouldn’t you agree?
Small business data tips
Collecting and protecting customer information is only as solid as its implementation. Breaches in security are often the result of two things: insufficient digital security and systems, and human mistakes. The first can be addressed by sufficiently investing in security services that protect all devices linked to your business. Staff should not be able to access sensitive company information from their personal devices without sufficient authentication.
The second requires training in both knowledge and culture. Your staff must understand their obligation to your customers to protect their personal information. They must only share data with verified clients and never with an outside party. There are training resources available, and all staff need to be on the same page. Keep in mind that the average cost of a data breach in Australia is $3.4 million – it’s worth investing in the right solution to prevent potentially catastrophic hacks, as Optus has recently been reminded.
Investing in security takes capital, but it almost certainly generates a lasting return. Capital Plus Finance is an experienced business finance broker that can help your business secure an appropriate financing solution. With a panel of many lenders, the Capital Plus Finance team leverages experience and unique market knowledge to match available products and providers with your business. Please call us anytime to find out more or to have an obligation-free chat about your personal and business situation.