How to Conduct Your Own Security Audit for a Small Business

Presented by ADT

As a small business owner, it’s
important to give yourself routine security audits to make sure you and your
business aren’t exposed to unnecessary risk. But in order to see the problems,
you must be willing to evaluate your current security system.

Fight the urge to justify weak
points or find excuses for why your security system is acceptable. Instead, step back from the space, whether it be a home
office, building space or warehouse, and really look at the area as if you’ve
never seen it before.

Preliminary overview

If you’re doing a security audit of
your office, it’s a good idea to take note of the various features before
analyzing them for security purposes. Take yourself on a tour, as if you were
an outside auditor.

Write down your physical setup with
salient points in mind, so that later you can make effective security decisions
for your location. For instance, mark down:

  • The location of all doors and windows within your space.
  • Any outside storage facilities.
  • Any safes and their locations within your office.
  • If the office has wireless internet and the location of
    the server.
  • The general characteristics of the structure, such as:
    • How many stories it is.
    • How many rooms there are.
    • If there are other businesses around you.
    • If you share a wall with another business.

Next, you should make a list of all
the valuable tangible assets on the premises or which can be accessed from the premises. Examples of these might include:

  • All computer systems, including tablets, laptops, and
  • The website for the company.
  • Product inventory.
  • Equipment.
  • The building and land.
  • Any confidential material (client information, financial
    data, etc.).
  • Software.

In addition, take note of any
intangibles, such as:

  • Intellectual property.
  • Specialized knowledge.
  • Copyrights, trademarks, patents, etc.

Then track the production and order lines of the
company, so you can spot potential weaknesses. For instance, if you or your
employees take orders from customers, make note of exactly what happens. Where
does that order information go? Since you might take orders over the internet,
phone, mail, or in person, the lines might be varied. Note them all.

The fulfillment process should also
be tracked and recorded, so that each element and procedure can be analyzed.
Similarly, all the storage devices for files—online and hardcopies—should be
assessed for security.

It’s also worth considering whether
your online presence might be an asset. If you don’t have very strong passwords
for your social media, email and other internet marketing tools, malicious people
could impersonate you and post horrible things, causing untold damage to your
reputation before you have a chance to cut them off.

Prioritizing protection

Once you have a master list of all
the possible assets which might be vulnerable, it’s important to prioritize
them, taking into account the likelihood of a problem, as well as the impact
you could potentially experience should a problem occur.

For instance, say you own a small
jewelry store in the center of a large city and you want to calculate the probabilities
of certain events. Based on prior records, the chance of arson might be low,
but the probability of theft could be high. In that case, it would be wise to
focus on protecting against burglaries.

Likewise, when you analyze the
impact of events, consider what would happen if a hacker had access to
sensitive and confidential information on your computers. Your company’s
reputation could be obliterated with a few malicious keystrokes.
However, if someone stole your furniture, while it would be annoying, you could
easily and quickly replace the property. So, in this case, when deciding where
to put your security resources, the priority would be on protecting your

Also, cost is often a strong
deciding factor. If a security system is cheap and easy to install, why not
just take the precaution? And although hiring a full-time bodyguard might solve
many problems, it probably isn’t in the budget. Use common sense to evaluate
your needs.

Risk analysis

Now that you know what you need to
protect, it’s a good idea to consider all the possible threats that exist which
could damage those assets. Although there might be a few threats that are
unique to your industry, a number of them are common for most small businesses.
Here are a few to consider:

  • PC viruses and malware.
  • Theft of equipment or physical property.
  • Theft of customer information or sensitive computer
  • Computer hardware failure.
  • Fire or other disaster.
  • Electrical surge.

Security solutions

Once you have your master list of
potential problems, prioritized for importance, you can begin to construct
security solutions. The first step would be to analyze your current security
measures to see if they are (1) working, (2) effective, and (3) sufficient.
Sometimes it’s easier to upgrade an existing system and at other times it’s
better just to replace it.

For physical property, install an
alarm system with motion sensors. They can be reasonably priced and are usually
easy to install. And for only a couple hundred dollars per year you can hire a
monitoring company to notify you and the police should the alarm system be tripped.
Of course, you will need to regularly test the alarm to be sure it’s in good
working order.

All safes should be well out of
view from any public spaces. Put them in a closet, under the floor, or behind a
counter and do what you can to make them difficult to remove. Bolt them to the
floor or use a strong industrial-strength glue. A thief is less likely to hang
around on your property, trying to crack into your safe. They’d much rather
take the whole safe with them and crack into it at their leisure.

To prevent fire damage and loss of
life, make sure each room has a smoke detector and place fire extinguishers
throughout the area, making sure they are well marked. Create a fire escape plan
with the others in the building (or home) and do drills so there is no
confusion about what to do should a fire happen.

If you work from your home, it’s
best to create a dedicated space for your office and install a deadbolt lock on
the access door. That way outsiders who may enter your home, such as housekeepers,
babysitters, plumbers, etc., won’t have easy access to that room and can’t case
the area. Be sure all your windows have working locks as well.

If you work in an office building,
make sure the main entrance and all exits are well-lit. And if possible, add a
video surveillance system. This will make it harder for a thief to enter
undetected. Also, all exits should remain unblocked, so you can evacuate
quickly if there is an emergency.

Protect your computers against
viruses and malware. Free software is available to download that can go a long
way toward protecting your computers, as it updates regularly.

Besides warding off viruses, you
must also protect against outright theft or destruction of the physical
devices. Both could be catastrophic to a company if precautions aren’t in

Backups are an imperative part of
any good security plan, so that all your important computer files remain
accessible. I recommend you use two systems: a physical one (like an external
hard drive) and one that is cloud-based.

Also, all electronic systems should
be secured with a strong password, so if the computer is stolen, its data can’t
be easily accessed. Of course, if you have wireless internet, you need to create
a new password for your router as well as the wireless network. Never use any
default password.

Then these passwords should be
changed every thirty days and strengthened by using numbers, letters (both
upper and lower case), and symbols. Be sure to make the passwords at least eight
characters long. The longer a password is, the harder it is to crack.

Make sure each employee has his or
her own security codes for the alarms and computer systems, so you can promptly
deactivate them should an employee quit or get terminated.

Small businesses that don’t have a
dedicated IT staff might consider avoiding a wireless setup altogether. This
solution makes it impossible for a disgruntled ex-employee to roll up into the
parking lot in the middle of the night to access your computer system.

Likewise, if a valuable employee or
owner suddenly became unavailable, it could be devastating to a small business
if their knowledge leaves with them. Plan ahead and make sure all key players
share what they know with the other executives.

Once you’ve completed your security
audit and have implemented all the solutions, make a note of all that was done.
Revisit your setup any time a major change is implemented. Having an effective
security plan in place will give you peace of mind, so that you can focus on
expanding your business.
