SMEs still playing loose with customer data

Escalating cyberattacks in New Zealand mean businesses need to get serious about protecting customers, says SMB cybersecurity expert Daniel Watson.

Too many Kiwi SMEs still retain customer information for no good reason – despite the right to be forgotten – which creates unnecessary risk for the New Zealand public in a time of wave upon wave of cyberattacks hunting just such data.

Author of the book She’ll Be Right (Not!): a cybersecurity guide for Kiwi business owners and SMB cybersecurity expert, Daniel Watson, says it is not unusual for him to encounter transactional businesses which do not need long term relationships with their customers holding on to customer data for years.

“If you get hacked, it’s not because you’re unlucky. It’s just a matter of time. Therefore, there is no good reason for many companies to retain the depth of customer information that they do, even for marketing purposes, because most of the time it just sits there; intimate details like names, employment records, bank details and driver licenses.

“If you do not have an excellent reason to retain customer information, you need to dispose of it. For example, I don’t see why immigration consultants would sit on the details of more than 4,000 past clients. It is creating unnecessary risk for many people who are oblivious to the threat they are facing.”

Watson says the problem is exacerbated by poor cybersecurity measures from an unacceptably high proportion of New Zealand SMEs, few of whom realise they are sitting on a liability that could ruin their businesses and the lives of some customers.

“Reputation, financial and legal risks are just some of the threats that your average Kiwi SME is courting, bearing in mind that privacy legislation now requires the company to report a breach to affected customers as well as the Privacy Commissioner. The penalties are not to be sneezed at – fines from $10,000 up to $350,000 for a class action.”

Watson says SMEs, no matter how big or small, should introduce policies around customer data and how that data is secured as a matter of urgency. He offers the following advice:

1. Introduce or update policies

Employees and how they use technology and social media are still the biggest weakness for a business. “We see many outdated cyber policies that still talk about phone and fax and do not even mention how staff use social media. Others are too restrictive. For example, they have a blanket ban on social media, which is impractical. When something is impractical, it gets ignored.”

Watson says cyber security policies and tools, like password management and how staff interact with technology, including how a company treats its customer information, are a good start.

2. Educate staff

Having a policy and employee agreement doesn’t go far enough. Staff need to be educated, in-depth, about what is expected and why it is essential – and then they need to be reminded regularly to maintain awareness. “Research shows younger people are more vulnerable to cyber threats because they live within the technology ecosystem. This immersion means they are more casual about technology and how they use it. Make your staff safe.”

3. Protect your data

Every company should have, as a minimum, both a policy and a process for handling customer data. “Regulate who has access to the information, how it is stored and where it is stored. If you know your process, you have a better chance of making sure that the process is robust and protected.”

Watson says keeping customer data safe requires a top-down approach starting with the directors. “The leadership sets the standard, and that includes by example.”

For more information visit: https://www.linkedin.com/in/daniel-watson-smb-cybersecurity-expert-07424b12/