One-quarter of Australia’s two-and-a-half million small and medium businesses (SMBs) would not survive the financial and reputational damage of a privacy breach, according to research by global technology platform, Zoho. While awareness is growing, too many businesses are unprepared and unequipped to deal with a privacy breach or cyber incident.

In the wake of significant privacy breaches to major Australian organisations such as Medibank, Optus and Telstra, Australian SMBs say data privacy has become a key priority. Almost half (45.4%) of respondents ranked data privacy as a top business priority, while one in three (30%) ranked it as important. Four in five (79.6%) acknowledged that those breaches have influenced their views on privacy concerns, and of this, 64.8% have taken action to improve their protections. 

While understanding and awareness is high, action is not. One third (35.2%) have become more concerned in the wake of major breaches but have still not taken action. Fewer than half (44.4%) have a well-defined, documented and applied customer privacy policy. A further one in five (18.4%) either don’t have a data privacy policy, or do, but have never updated or reviewed it. 

“Data privacy is one of the defining issues for the business community today. Unfortunately, while awareness and concern is increasing, action is not,” Zoho chief strategy officer, Vijay Sundaram said.

“According to our research, the majority (59.4%) of small and medium businesses understand that they’re just as susceptible to a breach as big businesses. However, that is still failing to translate into action; an issue that could become exacerbated with so many SMBs unprepared for proposed regulatory changes or the impact of a breach in the first place.

“Small businesses cannot be expected to become privacy and cyber security experts themselves, though. To turn awareness into action, the technology industry and policymakers must incentivise action, so small businesses can implement measures to protect themselves and their customers. Otherwise, with regulation becoming more stringent, penalties more severe and privacy breaches more regular and damaging, SMBs will be unfairly and disproportionately impacted. For them, a breach could be catastrophic.” 

Fewer than half (46.2%) of respondents claim to know exactly what to do if they fell victim to a privacy breach. Meanwhile, 40.3% had some idea of what to do, but 13.5% – equating to almost 350,000 businesses – claim to have ‘no idea’ what to do if they were the victim of a breach.

Much of the debate around data privacy centres on the use of ‘cookies’, which track and store user data on websites. Over half (57.5%) of respondents collect or use cookies on their business’ websites, apps, or software. Just 5.4% did not know if they collected data via cookies – considerably lower than 35% of businesses in 2021. 

In total, 56.7% of businesses fully understand the role of cookies, while a further 31.2% somewhat understand the characteristics. One in ten businesses (11.2%) said they did not understand but were taking steps to learn.