Minimising data collection in your business

Acting Head of the Australian Cyber Security Centre Stephanie Crowe explains the importance of data minimisation practices

By now, everyone probably knows that key sectors like health, banking and government services hold vast amounts of incredibly sensitive – and, for cyber criminals, desirable – data. What is less obvious – but just as critical to understand – is that every business or organisation holds data that needs protecting.

Setting rules around data collection, data retention and deletion, as well as policies around access and encryption can help businesses manage their cyber risk.

Why protect your data? 

Hackers seek data from a broad range of industries for financial gain. Failing to take adequate steps to protect that information just makes it easier for them to access – in fact, it’s the same as leaving a front door ajar.

Whether they sell it, ransom it, trade it amongst each other, use stolen data to power identity theft crimes, or blackmail victims for financial gain, cybercriminals are ruthless – and very creative – about extracting every dollar they can from the information they’ve stolen.

Small and medium businesses are particularly attractive, as they often hold high-value financial or private data on customers, while often having a lower level of cyber security knowledge than larger organisations with expert cyber defenders.

Think about all of the sensitive information that any business or organisation typically holds, such as names, addresses, bank and payment details, tax file numbers and licence numbers. Personal data like this, even if it seems innocuous, can be worth a lot in the wrong hands. 

When combined, small pieces of information fit together like a jigsaw that can be used to form a more complete view of a person. In the wrong hands this can be used to enable fraud, identity theft, scams and other types of crippling cyberattacks.

How to minimise data

One way to make yourself a smaller, less attractive target to data-digging cybercriminals is through data minimisation; that is, taking a few simple steps to reduce the amount of information available to do damage if it is stolen.

Organisations should consider collecting and retaining only the data they need from staff, customers and suppliers, and deleting it when it is no longer needed. Take the time to set rules around what you retain, how long you’ll retain it and when it should be deleted, as well as strict policies on who in the organisation has access to it.

This means you will end up holding less sensitive data that could be compromised in a breach, reducing potential harm to your business and customers.

Organisations should also understand the data they already hold, and where they hold it. Create a register of the personal data your business keeps to make it easier to work out what data is really necessary and classify it based on sensitivity and value.
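The register, retention rules and access policies described above can be made enforceable rather than left as a document. The following is an added example, not code from the Australian Cyber Security Centre or this article: it models a small personal-data register with a sensitivity class, a stated purpose, a retention period and the roles allowed to read each asset, then flags records that have outlived their retention period, audits the register for assets with no purpose, unencrypted high-sensitivity data or overly broad access, and answers simple "may this role read this asset?" questions. All asset names, locations, roles, dates and retention periods are constructed for illustration.

```python
"""Added example: a minimal personal-data register with retention
enforcement, a register audit and least-privilege access checks.
All asset names, locations, roles and periods below are constructed
assumptions, not values from the article."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Sensitivity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed policy: high-sensitivity data should be readable by very few roles.
MAX_ROLES_FOR_HIGH = 2


@dataclass(frozen=True)
class DataAsset:
    """One register entry: what is held, where, why, for how long, by whom."""
    name: str
    location: str
    sensitivity: Sensitivity
    purpose: str              # empty string means nobody could justify keeping it
    retention_days: int       # a record older than this should be deleted
    allowed_roles: frozenset  # roles in the organisation that may read it
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Record:
    asset: str        # name of the register entry this record belongs to
    record_id: str
    collected_on: date


def build_register() -> dict[str, DataAsset]:
    """Constructed register for a hypothetical small business."""
    assets = [
        DataAsset("customer_contacts", "crm-db", Sensitivity.MEDIUM,
                  "service delivery", 365 * 2, frozenset({"sales", "support"}), True),
        DataAsset("payment_cards", "payments-gateway", Sensitivity.HIGH,
                  "processing orders", 90, frozenset({"finance"}), True),
        DataAsset("staff_tfn", "hr-share", Sensitivity.HIGH,
                  "payroll", 365 * 7, frozenset({"hr", "sales", "support", "finance"}), False),
        DataAsset("marketing_survey_2019", "old-laptop", Sensitivity.LOW,
                  "", 180, frozenset({"marketing"}), False),
    ]
    return {a.name: a for a in assets}


def records_due_for_deletion(register: dict[str, DataAsset],
                             records: list[Record], today: date) -> list[Record]:
    """Return records held longer than their asset's retention period.
    Records whose asset is not in the register are skipped here; the
    register audit is the place to catch data nobody has accounted for."""
    due = []
    for rec in records:
        asset = register.get(rec.asset)
        if asset is None:
            continue
        if today - rec.collected_on > timedelta(days=asset.retention_days):
            due.append(rec)
    return due


def audit_register(register: dict[str, DataAsset]) -> list[str]:
    """Findings a reviewer would raise: no recorded purpose (why keep it?),
    high-sensitivity data not encrypted at rest, or access wider than the
    people who need it."""
    findings = []
    for a in register.values():
        if not a.purpose:
            findings.append(f"{a.name}: no purpose recorded, candidate for deletion")
        if a.sensitivity is Sensitivity.HIGH and not a.encrypted_at_rest:
            findings.append(f"{a.name}: high-sensitivity data not encrypted at rest")
        if a.sensitivity is Sensitivity.HIGH and len(a.allowed_roles) > MAX_ROLES_FOR_HIGH:
            findings.append(f"{a.name}: {len(a.allowed_roles)} roles can read high-sensitivity data")
    return findings


def can_access(register: dict[str, DataAsset], asset_name: str, role: str) -> bool:
    """Least privilege: a role may read an asset only if the register says so."""
    asset = register.get(asset_name)
    return asset is not None and role in asset.allowed_roles


# Constructed sample data and a fixed audit date so results are reproducible.
REGISTER = build_register()
AUDIT_DATE = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("customer_contacts", "c-001", date(2021, 1, 15)),   # older than 2 years
    Record("customer_contacts", "c-002", date(2024, 1, 10)),
    Record("payment_cards", "p-001", date(2024, 2, 1)),        # older than 90 days
    Record("payment_cards", "p-002", date(2024, 5, 20)),
    Record("marketing_survey_2019", "s-001", date(2019, 8, 1)),
]

if __name__ == "__main__":
    for rec in records_due_for_deletion(REGISTER, SAMPLE_RECORDS, AUDIT_DATE):
        print(f"delete {rec.asset}/{rec.record_id} collected {rec.collected_on}")
    for finding in audit_register(REGISTER):
        print("finding:", finding)
```

Run against the sample data, the retention check lists three records for deletion and the audit raises three findings, two of them against the unencrypted, widely readable tax file number store. The point of keeping purpose, retention and allowed roles in the same record is that the audit and the deletion job read the same source of truth the staff do.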

More security controls

Smartphones and tablets used for work can be a weak point in the security chain, so consider setting policies around which devices can be used and how customer data is accessed from them.

Consider the security of the platform the data is residing in and the access controls you put in place. Limiting access to only those who need the data could reduce the harm of that data being taken during a cyber incident.

Also ensure those with access have strong passwords or passphrases, and that multi-factor authentication – requiring multiple identity checks – is implemented.

Where possible, look at what you can do to encrypt sensitive data to make sure that if hackers break into your system, they can’t use it.

Prevention is always better than cure – if you have data, you need to make sure it’s safe or disposed of securely.

The Australian Signals Directorate’s Australian Cyber Security Centre is constantly updating advice to keep pace. Data breaches against Australian businesses are increasing in scale and complexity, but taking action now can prevent cybercriminals from striking gold at your business. 

To stay updated on the latest cyber threats, join the ASD Cyber Security Partnership Program.

If your business is impacted by cybercrime, report it online using ReportCyber or by calling the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).

Find out more about keeping your business safe

Things you should know

  • This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. As this information has been prepared without considering your objectives, financial situation or needs, you should, before acting on it, consider its appropriateness to your circumstances.