
Four practices SMEs can employ to protect consumer data

A business with strong digital trust and a reputation for robust security and privacy practices experiences fewer breaches and attracts more customers.
Jo Stewart-Rattray

Trust has become the bedrock of all transactions and relationships, especially as people increasingly rely on digital devices and services to conduct business. For small and medium enterprises (SMEs), digital trust is a business imperative but the recent data breaches at Optus and Medibank Private have shaken the business world and damaged consumer confidence. Many smaller organisations are asking “If a large enterprise cannot protect consumer data, with their extensive resources and expertise, what chance do I have?” The good news is there are a number of things small and medium businesses can do to strengthen digital trust and it is essential that they do.

Poor privacy and cybersecurity protections fall short of the moral obligation to protect customers from identity theft, fraud and phishing. They also raise business risk: falling consumer confidence translates into lost revenue and reputational damage. According to a recent ISACA survey, one in four consumers severed ties with Australian companies that experienced a breach involving their customers' personally identifiable information (PII).

On the flip side, a business with strong digital trust and a reputation for robust security and privacy practices experiences fewer breaches and attracts more customers. So, what should SMEs do to protect their customers and business?

Invest in the best technology and platforms

Expenditure on security and privacy should be framed in the same terms as any other capital expenditure: cost reduction, increased profit margins and business growth.

In our increasingly interconnected, digital world a business can neither avoid the risks nor afford to ignore them. Running the best platforms a business can reasonably afford makes it possible to put appropriate monitoring and alerting in place, so that anomalous network traffic and behaviour is detected and investigated in a timely manner.

The benefits outweigh the costs and those that invest prudently create the environment to better serve customers safely and conduct profitable business more efficiently.

Engage reputable, qualified professionals

For some organisations, procuring the services of a managed security services provider is the most cost-effective and efficient way to protect the business. Arrangements tailored to the business can include on-call cyber experts, hourly rates or retainers.

Whether you are hiring cybersecurity staff or an external provider, look for experts with proven experience in your sector, globally recognised credentials, such as CISM, CGEIT, CRISC, and CISA, relevant references and a national police check. Professional bodies, associations and peers are a good starting point to identify a short list of providers.

Collect only the customer data you need

All too often consumers are asked to provide a suite of identity information that is simply not required for the delivery of the service or product. Businesses need to be clear on what information is required, how it will be used, who can access it and how it will be kept secure. If you don't need it, don't ask for it. Credit card information is particularly sensitive and should never be collected or stored on the business's own systems. Using a payment gateway, such as PayPal, or an online terminal device, like Square, keeps card data with a provider built to protect it, which is safer for both the business and the consumer.
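The "collect only what you need" rule can be enforced in code at the point where a form is received, rather than left to policy. The following is an added example, not code from the original article or from any product it mentions: it assumes a hypothetical sign-up form whose only required fields are name and email (phone optional), drops every other field before anything is stored, and refuses a submission outright if any kept field contains a card number (detected as a 13 to 19 digit run that passes the Luhn check), which is the case where the customer should have been sent to the payment gateway instead. The field names and the sample submissions are constructed for illustration.

```python
import re

# Hypothetical sign-up form: the only data this service actually needs.
REQUIRED_FIELDS = {"name", "email"}
OPTIONAL_FIELDS = {"phone"}
ALLOWED_FIELDS = REQUIRED_FIELDS | OPTIONAL_FIELDS

# A run of 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to further digits: the shape of a card number (PAN).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(value: str) -> bool:
    """True if any digit run in the value looks like a valid card number."""
    for match in _PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            return True
    return False


def minimise(submission: dict) -> tuple[dict, list]:
    """Keep only allowed fields; reject card data and missing required fields.

    Returns (kept_fields, dropped_field_names). Dropped fields are never stored.
    """
    missing = REQUIRED_FIELDS - submission.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")

    kept, dropped = {}, []
    for field, value in submission.items():
        if field not in ALLOWED_FIELDS:
            dropped.append(field)      # not needed for the service: discard
            continue
        if isinstance(value, str) and contains_pan(value):
            # Card data must go to the payment gateway, never into our records.
            raise ValueError(f"card number detected in field {field!r}")
        kept[field] = value
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample: the customer volunteered a date of birth we never asked for.
    form = {"name": "Ada", "email": "ada@example.com",
            "dob": "1990-01-01", "phone": "0412 345 678"}
    print(minimise(form))
```

The allowlist is the real control: anything not named in ALLOWED_FIELDS is discarded before it reaches a database, log or email, so a later change to the form cannot silently widen what is retained. The PAN check is a backstop for free-text fields, which is where card numbers usually leak in.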

Apply best practice privacy and data storage

According to the Office of the Australian Information Commissioner's (OAIC) most recent Notifiable Data Breaches Report (July-December 2021), human error accounted for 41% of notified data breaches, compared to 55% resulting from malicious or criminal attacks. Basic cyber hygiene, including a clear privacy policy, encryption and regular education, makes sure staff and third parties know their rights, roles and responsibilities in relation to security, so they can keep the data they handle, create, store and transmit secure. For example, email is not a secure filing system: sensitive information should never be sent by email or left sitting in mailboxes. Experts can advise a business on how to safely keep data held on cloud-based services.

In summary, putting the right resources in place, meaning physical tools and platforms, staff education and financial investment, will make it easier to monitor, audit and remediate vulnerabilities and keep customers' data safe. And keeping your customers' data safe is good for business.