Too Many Kiwi SMEs Still Playing Loose With Customer Data
Escalating cyberattacks require companies to get serious about protecting customers
Too many Kiwi SMEs still retain customer information for no good reason – despite the right to be forgotten – which creates unnecessary risk for the New Zealand public in a time of wave upon wave of cyberattacks hunting just such data.
Daniel Watson, SMB cybersecurity expert and author of the book 'She'll Be Right (Not!) – a cybersecurity guide for Kiwi business owners', said it is not unusual for him to encounter transactional businesses that do not need long-term relationships with their customers yet hold on to customer data for years.
"If you get hacked, it's not because you're unlucky. It's just a matter of time. Therefore, there is no good reason for many companies to retain the depth of customer information that they do – even for marketing purposes – because most of the time, it just sits there; intimate details like names, employment records, bank details and drivers licenses.
"If you do not have an excellent reason to retain customer information, you need to dispose of it. For example, I don't see why immigration consultants would sit on the details of more than 4,000 past clients. It is creating unnecessary risk for many people who are oblivious to the threat they are facing."
He says the problem is exacerbated by poor cyber security measures from an unacceptably high proportion of New Zealand SMEs, few of whom realise they are sitting on a liability that could ruin their businesses and the lives of some customers.
"Reputation, financial and legal risks are just some of the threats that your average Kiwi SME is courting, bearing in mind that Privacy legislation now requires the company to report a breach to affected customers as well as the Privacy Commissioner. The penalties are not to be sneezed at – fines from $10,000 up to $350,000 for a class action."
Watson said SMEs, no matter how big or small, should introduce policies around customer data and how that data is secured as a matter of urgency.
1. Introduce or update policies
Employees and how they use technology and social media are still the biggest weakness for a business.
"We see many outdated cyber policies that still talk about phone and fax and do not even mention how staff use social media. Others are too restrictive. For example, they have a blanket ban on social media, which is impractical. When something is impractical, it gets ignored."
Watson said cyber security policies and tools, like password management and how staff interact with technology, including how a company treats its customer information, are a good start.
2. Educate staff
Having a policy and employee agreement doesn't go far enough. Staff need to be educated, in-depth, about what is expected and why it is essential – and then they need to be reminded regularly to maintain awareness.
"Research shows younger people are more vulnerable to cyber threats because they live within the technology ecosystem. This immersion means they are more casual about technology and how they use it. Make your staff safe," he said.
3. Protect your data
Every company should have, as a minimum, both a policy and a process for handling customer data.
"Regulate who has access to the information, how it is stored and where it is stored. If you know your process, you have a better chance of making sure that the process is robust and protected."
He said keeping customer data safe requires a top-down approach starting with the directors. "The leadership sets the standard, and that includes by example."
For more information visit: https://www.linkedin.com/in/daniel-watson-smb-cybersecurity-expert-07424b12/