How to Conduct Your Own Security Audit for a Small Business


Presented by ADT


As a small business owner, it’s important to give yourself routine security audits to make sure you and your business aren’t exposed to unnecessary risk. But in order to see the problems, you must be willing to evaluate your current security system.

Fight the urge to justify weak points or find excuses for why your security system is acceptable. Instead, step back from the space, whether it be a home office, building space or warehouse, and really look at the area as if you’ve never seen it before.

Preliminary overview

If you’re doing a security audit of your office, it’s a good idea to take note of the various features before analyzing them for security purposes. Take yourself on a tour, as if you were an outside auditor.

Write down your physical setup with salient points in mind, so that later you can make effective security decisions for your location. For instance, mark down:

  • The location of all doors and windows within your space.
  • Any outside storage facilities.
  • Any safes and their locations within your office.
  • If the office has wireless internet and the location of the server.
  • The general characteristics of the structure, such as:
    • How many stories it is.
    • How many rooms there are.
    • If there are other businesses around you.
    • If you share a wall with another business.

Next, you should make a list of all the valuable tangible assets on the premises or which can be accessed from the premises. Examples of these might include:

  • All computer systems, including tablets, laptops, and servers.
  • The website for the company.
  • Product inventory.
  • Equipment.
  • The building and land.
  • Any confidential material (client information, financial data, etc.).
  • Software.

In addition, take note of any intangibles, such as:

  • Intellectual property.
  • Specialized knowledge.
  • Copyrights, trademarks, patents, etc.

Then track the production and order lines of the company, so you can spot potential weaknesses. For instance, if you or your employees take orders from customers, make note of exactly what happens. Where does that order information go? Since you might take orders over the internet, phone, mail, or in person, the lines might be varied. Note them all.

The fulfillment process should also be tracked and recorded, so that each element and procedure can be analyzed. Similarly, all the storage devices for files, both online and hard copies, should be assessed for security.

It’s also worth considering whether your online presence might be an asset. If you don’t have very strong passwords for your social media, email and other internet marketing tools, malicious people could impersonate you and post horrible things, causing untold damage to your reputation before you have a chance to cut them off.

Prioritizing protection

Once you have a master list of all the possible assets which might be vulnerable, it’s important to prioritize them, taking into account the likelihood of a problem, as well as the impact you could potentially experience should a problem occur.

For instance, say you own a small jewelry store in the center of a large city and you want to calculate the probabilities of certain events. Based on prior records, the chance of arson might be low, but the probability of theft could be high. In that case, it would be wise to focus on protecting against burglaries.

Likewise, when you analyze the impact of events, consider what would happen if a hacker had access to sensitive and confidential information on your computers. Your company’s reputation could be obliterated with a few malicious keystrokes. However, if someone stole your furniture, while it would be annoying, you could easily and quickly replace the property. So, in this case, when deciding where to put your security resources, the priority would be on protecting your computers.

Also, cost is often a strong deciding factor. If a security system is cheap and easy to install, why not just take the precaution? And although hiring a full-time bodyguard might solve many problems, it probably isn’t in the budget. Use common sense to evaluate your needs.
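The prioritization described above can be kept as a small risk register. The following is an added example, not part of the original article: it ranks the jewelry-store scenario by likelihood times impact and then applies the cost rule. The three-point scale, the dollar figures, the budget and the `cheap_limit` threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed three-point scale

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str    # how probable, judged from prior records
    impact: str        # damage to the business if it happens
    control: str       # candidate safeguard
    annual_cost: int   # constructed estimate, in dollars

    @property
    def score(self):
        return LEVEL[self.likelihood] * LEVEL[self.impact]

def prioritize(risks, budget, cheap_limit=300):
    """Rank risks by likelihood x impact, then decide what to buy.

    Controls costing cheap_limit or less are approved outright and are
    assumed not to count against the budget; larger ones are funded in
    score order until the budget runs out, and the rest are deferred.
    """
    plan, remaining = [], budget
    for r in sorted(risks, key=lambda r: (-r.score, r.annual_cost)):
        if r.annual_cost <= cheap_limit:
            decision = "quick win"
        elif r.annual_cost <= remaining:
            decision, remaining = "fund", remaining - r.annual_cost
        else:
            decision = "defer"
        plan.append((r.asset, r.score, decision))
    return plan

# Constructed register for the jewelry store; every value is made up.
REGISTER = [
    Risk("building", "arson", "low", "high", "smoke detectors", 150),
    Risk("jewelry inventory", "burglary", "high", "high", "monitored alarm", 250),
    Risk("customer records", "data theft", "medium", "high", "backups, passwords", 120),
    Risk("entrances", "undetected entry", "high", "medium", "video surveillance", 1200),
    Risk("owner and staff", "robbery", "low", "high", "full-time bodyguard", 60000),
]

if __name__ == "__main__":
    for asset, score, decision in prioritize(REGISTER, budget=1500):
        print(f"{score}  {asset:18} {decision}")
```
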

Risk analysis

Now that you know what you need to protect, it’s a good idea to consider all the possible threats that exist which could damage those assets. Although there might be a few threats that are unique to your industry, a number of them are common for most small businesses. Here are a few to consider:

  • PC viruses and malware.
  • Theft of equipment or physical property.
  • Theft of customer information or sensitive computer files.
  • Computer hardware failure.
  • Fire or other disaster.
  • Electrical surge.

Security solutions

Once you have your master list of potential problems, prioritized for importance, you can begin to construct security solutions. The first step would be to analyze your current security measures to see if they are (1) working, (2) effective, and (3) sufficient. Sometimes it’s easier to upgrade an existing system and at other times it’s better just to replace it.

For physical property, install an alarm system with motion sensors. They can be reasonably priced and are usually easy to install. And for only a couple hundred dollars per year you can hire a monitoring company to notify you and the police should the alarm system be tripped. Of course, you will need to regularly test the alarm to be sure it’s in good working order.

All safes should be well out of view from any public spaces. Put them in a closet, under the floor, or behind a counter and do what you can to make them difficult to remove. Bolt them to the floor or use a strong industrial-strength glue. A thief is less likely to hang around on your property trying to crack into your safe. They’d much rather take the whole safe with them and crack into it at their leisure.

To prevent fire damage and loss of life, make sure each room has a smoke detector and place fire extinguishers throughout the area, making sure they are well marked. Create a fire escape plan with the others in the building (or home) and do drills so there is no confusion about what to do should a fire happen.

If you work from your home, it’s best to create a dedicated space for your office and install a deadbolt lock on the access door. That way outsiders who may enter your home, such as housekeepers, babysitters, plumbers, etc., won’t have easy access to that room and can’t case the area. Be sure all your windows have working locks as well.

If you work in an office building, make sure the main entrance and all exits are well-lit. And if possible, add a video surveillance system. This will make it harder for a thief to enter undetected. Also, all exits should remain unblocked, so you can evacuate quickly if there is an emergency.

Protect your computers against viruses and malware. Free software is available to download that can go a long way toward protecting your computers, since these programs update regularly.

Besides warding off viruses, you must also protect against outright theft or destruction of the physical devices. Both could be catastrophic to a company if precautions aren’t in place.

Backups are an imperative part of any good security plan, so that all your important computer files remain accessible. I recommend you use two systems: a physical one (like an external hard drive) and one that is cloud-based.

Also, all electronic systems should be secured with a strong password, so if the computer is stolen, its data can’t be easily accessed. Of course, if you have wireless internet, you need to create a new password for your router as well as the wireless network. Never use any default password.

Then these passwords should be changed every thirty days and strengthened by using numbers, letters (both upper and lower case), and symbols. Be sure to make the passwords at least eight characters long. The longer it is, the harder it is to crack.

Make sure each employee has his or her own security codes for the alarms and computer systems, so you can promptly deactivate them should an employee quit or get terminated.
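The credential rules in the three paragraphs above (no default passwords, a thirty-day change cycle, eight or more characters from four character classes, one code per employee) can be checked mechanically. This is an added example, not part of the original article; the account names, people, dates and the short list of default passwords are constructed, and the inventory holds metadata only, never the passwords themselves.

```python
import string
from datetime import date

MIN_LENGTH, MAX_AGE_DAYS = 8, 30               # the article's two numeric rules
DEFAULTS = {"admin", "password", "12345678"}   # constructed sample list

def password_problems(pw):
    """Return the article's rules that a candidate password breaks."""
    problems = []
    if pw.lower() in DEFAULTS:
        problems.append("default password")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = {"lower-case letter": string.ascii_lowercase,
               "upper-case letter": string.ascii_uppercase,
               "number": string.digits, "symbol": string.punctuation}
    for name, chars in classes.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name}")
    return problems

def audit_accounts(accounts, staff, today):
    """Flag orphaned, shared, default and stale credentials (metadata only)."""
    findings = []
    for a in accounts:
        if a["active"] and any(u not in staff for u in a["users"]):
            findings.append((a["name"], "held by former staff: deactivate"))
        if len(a["users"]) > 1:
            findings.append((a["name"], "shared: issue one per employee"))
        if a["factory_default"]:
            findings.append((a["name"], "default password never changed"))
        if (today - a["changed"]).days > MAX_AGE_DAYS:
            findings.append((a["name"], "older than 30 days"))
    return findings

# Constructed inventory: names, people and dates are made up.
STAFF = {"owner", "dana", "lee"}
ACCOUNTS = [
    {"name": "alarm-code-1", "users": ["dana"], "active": True,
     "factory_default": False, "changed": date(2024, 5, 20)},
    {"name": "front-desk-pc", "users": ["dana", "lee"], "active": True,
     "factory_default": False, "changed": date(2024, 3, 1)},
    {"name": "wifi-router-admin", "users": ["owner"], "active": True,
     "factory_default": True, "changed": date(2024, 1, 10)},
    {"name": "alarm-code-2", "users": ["sam"], "active": True,
     "factory_default": False, "changed": date(2024, 5, 25)},
]

if __name__ == "__main__":
    for name, issue in audit_accounts(ACCOUNTS, STAFF, date(2024, 6, 1)):
        print(f"{name}: {issue}")
```
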

Small businesses that don’t have a dedicated IT staff might consider avoiding a wireless setup altogether. This solution makes it impossible for a disgruntled ex-employee to roll up into the parking lot in the middle of the night to access your computer system.

Likewise, if a valuable employee or owner suddenly became unavailable, it could be devastating to a small business if their knowledge leaves with them. Plan ahead and make sure all key players share what they know with the other executives.

Once you’ve completed your security audit and have implemented all the solutions, make a note of all that was done. Revisit your setup any time a major change is implemented. Having an effective security plan in place will give you peace of mind, so that you can focus on expanding your business.
