In recent years, a spate of high-profile data breaches has made consumers more wary of handing out their personal information online. And being extra cautious is only sensible, since in the 2021-22 financial year alone, the Australian Cyber Security Centre received over 76,000 cybercrime reports—the equivalent of one report every seven minutes.
To gain the trust of customers—and avoid stiff new government penalties—it’s increasingly vital for SMEs to have some sort of security compliance framework in place. This is one of the best ways to demonstrate that you’re serious about protecting the data you request and store.
To find out more about what SMEs can and should be doing to safeguard their businesses, SmartCompany recently hosted a webinar on security and compliance. Weighing into the discussion were Matt Cooper, senior manager of privacy risk and compliance at Vanta, Laura Bell Main, founder and CEO of SafeStack, and Peter Simpson Young, compliance coordinator at Coviu, Australia’s leading telehealth platform.
What does compliance look like?
For Cooper, compliance can be broken down into three main areas:
- Complying with relevant cybersecurity laws.
- Complying with customer contracts and any specific requirements they may have, such as how quickly you need to report a breach.
- Complying with any voluntary frameworks your business pursues. (For example, ISO 27001.)
One major benefit of establishing your own framework, Bell Main says, is that it facilitates important conversations with customers.
“It gives us a shared language to explain what we’ve done and what that means in the broader context of how that can benefit us when it comes to stopping bad things from happening, spotting them, or responding to them,” she explains.
Watch our webinar, Security and compliance: Is your business at risk? here.
Practical steps to minimise risk
You’ll never be able to eliminate the threat of cyberattacks altogether, but the panel did have a few simple suggestions for how to reduce your vulnerability:
- Do a risk assessment or audit. Bearing in mind that, as far as Cooper’s concerned, the senior managers and board are responsible for identifying the risk appetite of an organisation, and what risks it is and isn’t willing to take.
- Reduce the amount of data you’re storing. “Don’t collect stuff that’s going to put people at risk unless you have a very concrete business justification for collecting and processing it,” Cooper says. “And then, when you don’t need it, get rid of it.”
- Comply with the standards that are designed to prevent breaches. “Whether that’s explicitly going out and getting audited and getting a certification, or whether that’s just trying to design a really basic gap assessment based on the standard,” Simpson Young explains. “Standards themselves, at least these ones, are not too expensive—so you can just read through the standard, work out ‘What are the low-hanging fruit to protect my data?’, and then implement them. They’re literally designed for that purpose.”
- Beware of phishing attacks. “Every company should really have good and robust controls around phishing,” Cooper says. “And there’s layers and layers of things you can do, from email security [to] multifactor authentication and training.”
If a breach does happen, it doesn’t necessarily mean your business is at fault, since threat actors can be extremely sophisticated these days. Being able to show that you were following a robust security compliance framework can help reduce your liability and restore customer goodwill, as it shows you were taking reasonable steps to avoid the breach.
Managing risk when you outsource
The panel had the following best-practice advice for any business that uses external contractors. This segment was intended for businesses outsourcing internationally, but applies in all cases:
- Do a vendor assessment. It’s every company’s obligation to properly assess the specific vendor they’ll be using, and to make sure they meet their requirements.
- And have a Plan B. “I’ve seen lots of people do vendor assessment and do a great job of it, but not all of them are prepared to walk away if that assessment fails,” Bell Main says. “If that assessment doesn’t turn out the way you want … you might have to find an alternate vendor or an alternate supplier.”
- Don’t be too trusting. Only share what you need to and for as much time as you need to.
- Check all devices being used. And make sure they’re secured to your standards.