Key findings of our research

Privacy awareness and concern are increasing amongst Australian SMBs in the wake of the Optus and Medibank attacks, but action is low

1 in 4 local small businesses would fail to survive the financial or reputational damage of a privacy breach

1 in 4 do not understand what is expected of their business as part of recent Privacy Act changes

Awareness is increasing

In the wake of significant privacy breaches to major Australian organisations such as Medibank and Optus, Australian SMBs say data privacy has become a key priority.

  • 45.4%
    Almost half of respondents ranked data privacy as a top business priority
  • 30.0%
    One in three ranked it as important, but not their top priority
  • 79.6%
    Four in five acknowledged that those breaches have influenced their views on privacy concerns
  • 64.8%
    Of this, have taken action to improve their protections

Action is slow

  • One third of businesses surveyed have become more concerned in the wake of major breaches, but have still not taken action
  • Fewer than half have a well-defined, documented and applied customer privacy policy
  • A further one in five either don’t have a data privacy policy, or do, but have never updated or reviewed it
- Vijay Sundaram, Chief Strategy Officer at Zoho.

“Privacy breaches are increasing in regularity and severity. Unfortunately, while awareness is increasing, action isn’t. According to our research, 59.4% of SMBs understand that they’re as susceptible to breaches as big businesses. That could be exacerbated with so many SMBs unprepared for proposed regulatory changes or the impact of a breach in the first place.

“Small businesses can’t be expected to become privacy and security experts themselves, though. To turn awareness into action, policymakers and the technology industry must incentivise action, so that SMBs can implement measures to protect themselves and their customers. Otherwise, with regulation becoming more stringent, penalties more severe, and privacy breaches more regular and damaging, SMBs will be unfairly and even catastrophically impacted.”

Catastrophic risk

As many as one in four SMBs say the impact of a privacy breach could be devastating for them, either financially or in terms of reputation.

Financially, would your business survive a significant privacy breach?

In terms of reputation, would your business survive a significant privacy breach?

Legislation and best practice

Small businesses have long been exempt from The Privacy Act 1988. However, under proposed reforms—which the government is currently consulting on and preparing for legislation—small businesses are expected to lose their exemption and face steep fines and penalties for infringements or failure to comply. Much of the legislation revolves around how data is collected, stored, and shared, and how breaches are responded to.

To what degree does the following statement apply to your business? “My business understands what is expected of it according to The Privacy Act 1988.”

  • 14.9 Strongly agree
  • 32.5 Agree
  • 25.4 Neutral
  • 8 Disagree
  • 19.3 Strongly disagree

Which of the following best describes your company’s approach to customer data privacy?

  • Our company has a well-defined, documented policy to protect customer data that is strictly applied
  • Our company has a well-defined, documented policy to customer data privacy but not strictly applied
  • Our company has a less formal customer data privacy policy that has not been fully documented
  • Our company does not have a documented customer data privacy policy
  • Our company has a documented customer data policy, but I haven’t read it
  • I do not know if we have a customer data privacy policy

When did you last update or review your business’ data privacy policies?

  • Within the last 3 months
  • 3 - 6 months ago
  • 6 - 12 months ago
  • 1 - 5 years ago
  • Over 5 years ago
  • Never
  • I don’t have a data privacy policy

Do you know what to do if your business falls victim to a privacy breach?

  • 46.2 I know exactly what to do
  • 40.3 I have some idea of what to do
  • 13.5 I have no idea what to do

About capioIT

capioIT was formed in 2010 by Phil Hassey to act as a trusted advisor to organisations looking to drive real business outcomes from investments in technology and business processes. Based in Sydney, Australia, capioIT works to “tilt the world view” to provide actionable outcomes for clients globally.
