In the age of “big data”, organisations have the opportunity to harness the power of information, but also the obligation to protect what data they have in the face of constant threats. This is true for businesses of all sizes since even the smallest business cannot operate without generating data on its employees, suppliers and customers.
With the introduction of the Notifiable Data Breach scheme in February 2018, organisations regulated by the Privacy Act are responsible for ensuring their systems are secure – these organisations include Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more.
However, some small businesses with an annual turnover of less than $3 million are also regulated by the Privacy Act for the personal information they handle.
In the event an organisation suffers an “eligible data breach”, it will have no choice but to disclose it or face hefty fines of up to AUD $360,000 (for individuals) and up to AUD $2.1 million (for organisations). A serious data breach may also lead to loss of trust and a damaged reputation with customers and suppliers, which would cripple most small businesses.
According to the Notifiable Data Breaches Scheme 12-month Insights Report, the Office of the Australian Information Commissioner (OAIC) received 964 data breach notifications from 1 April 2018 to 31 March 2019. This was a 712 per cent increase in notifications since the introduction of the NDB scheme.
Overall, malicious or criminal attacks accounted for 60 per cent of the total data breaches in the last quarter of 2018, while human error accounted for 35 per cent. System faults accounted for just 5 per cent.
Contact information, financial details and identity information were the top three types of data breached.
The leading ways cyber criminals attack businesses are phishing emails, stealing or compromising access credentials, and brute force attacks.
Human error is also a key cause of data breaches.
What this report shows is that systems used by small businesses must be able to sustain their integrity in the face of cyber-attacks, as well as be immune to human error, to protect their valuable data.
Today, many small business employers utilise a portal process to send SuperStream data to superannuation funds. Data is downloaded from a secure payroll system and onto a desktop and then uploaded to a secure portal for transmission to superannuation funds.
And herein lies the risk: with data being downloaded onto a desktop or shared drive, it is potentially exposed to malicious or criminal attacks, or human error – the leading causes of data breaches in Australia.
Building encryption into online platforms and software has been a critical approach for elevating privacy and protecting sensitive data without depending on the weakest link—people—to protect the data.
To help protect employees’ personal and financial data, small businesses should seek payroll solutions that transfer data directly via a secure Application Programming Interface (API), following best practice, so that personal and private data is never exported outside of the secure payroll system.
Robin Beauchamp, Chief Technical Officer, InPayTech