Is Your Business Secure?

We recently completed two projects: one involved the investigation of a theft and potential data breach at a major firm, and in the other we were asked to conduct an in-depth security review for a major corporation that recently had an intruder breach their premises.  What we found is all too common in many businesses today.   Business security is not a priority until after an incident occurs.

You can’t open the newspaper or listen to the news without reading or hearing about a data breach, embezzlement, financial fraud, or workplace violence incident.   There are many reasons why basic security processes and procedures are not put in place.  The reasons range from cost concerns to naiveté. The truth is, once an incident occurs, the monetary and non-tangible (business good-will) cost to a business can be devastating.

There are recognized industry standards for security for both small and large businesses.  Implementing those standards can help protect the business from a security breach, legal liability, and financial loss.

Financial Safeguards

In its 2014 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) reported that the median loss from a single fraud at a small business was $154,000. Five simple steps businesses can, and should, take to help mitigate financial fraud are:

  1. Conduct background checks on all employees.
  2. Implement a written code of ethics.
  3. Divide bookkeeping and check signing authority.
  4. Deliver bank statements – unopened – to top management.
  5. Implement a fraud reporting mechanism or hotline (over 40% of all small business fraud is discovered through tips).

Physical Security

ASIS International, an accredited standards developer under the American National Standards Institute (ANSI), publishes physical security standards and guidelines that are recognized the world over. Every business should conduct a security risk assessment along with a cost-benefit analysis; the size of the business dictates how in-depth that assessment needs to be. Areas to consider in assessing the physical security of your business include:

  1. Security policies and procedures
  2. Security lighting
  3. Barrier systems
  4. Intrusion detection systems
  5. Physical entry and access control
  6. Video systems / Video surveillance
  7. Alarms
  8. Personnel

Workplace Violence

The Occupational Safety and Health Administration (OSHA) estimates that about 2 million U.S. workers are victims of workplace violence each year and about 10 percent of workplace fatalities are homicides. The monetary costs of workplace violence have been estimated by the National Institute for Occupational Safety and Health to exceed $120 billion per year, and the human costs are immeasurable.

Workplace violence can originate with a customer or client, a current or former employee, a domestic dispute that spills over into the workplace, or an outside criminal act such as a robbery.

Employers should take some basic steps to address workplace violence by adopting policies and procedures that demonstrate to their employees the importance of a safe workplace.  Those steps should include:

  1. A written zero-tolerance policy for incidents of violence or threatening behavior in the workplace.
  2. Substantial disciplinary action, up to and including termination, for harassing or threatening behavior.
  3. An easy system for employees to report suspicious or threatening circumstances.
  4. A documented and detailed action plan outlining how the business will respond to those reports.
  5. A system for documenting those reports and the action taken by the business to address the report.
  6. A written and detailed emergency action plan in the event of a violent incident.

Cyber Security

Verizon's 2014 Data Breach Investigations Report, built on data contributed by fifty organizations from around the world, counted over 63,000 security incidents and over 1,300 confirmed data breaches in 2013. Most of the confirmed breaches fit a handful of basic patterns (share of breaches in parentheses):

  1. Web App attacks (35%)
  2. Cyber Espionage (22%)
  3. Point of Sale intrusions (14%)
  4. Credit Card Skimmers (9%)
  5. Insider Misuse (8%)
  6. Crimeware (other malware incidents) (4%)
  7. Miscellaneous errors (2%)

While every industry segment was touched by cyber-attacks, retailers and the service industry bore the brunt of these breaches. Some steps a business can take to reduce the likelihood and the impact of a data breach include:

  1. Restrict remote access. Do not expose remote desktop or POS management services directly to the internet; put them behind a VPN, allow only the people and vendors who need them, and log their use.
  2. Enforce password policies. Every person gets a unique account, vendor default passwords are changed before a system goes live, and shared passwords are banned.
  3. Do not browse social media, public websites, or personal e-mail on POS systems; a register should do nothing but process payments.
  4. Know your data and who has access to it. You cannot protect what you have not inventoried.
  5. Review user accounts regularly. Disable the accounts of departed employees and contractors, remove administrative rights that are no longer needed, and flag accounts that have not been used in months.
  6. Encrypt devices (laptops, hard drives, thumb drives – anything with data that could get lost or stolen), so that a lost device is an inconvenience rather than a breach.
  7. Move highly sensitive or valuable assets to a secure location, both physically and on the network.
  8. Properly dispose of information assets, and verify that they have been sanitized prior to disposal.
  9. Use two-factor authentication, at a minimum for remote access and administrative accounts.
  10. Have a plan in place should a cyber-attack or data breach occur: who gets called, how evidence is preserved, and what notification obligations apply.
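Items 2, 5 and 9 above describe a periodic account review. The script below is an added example, not part of the original article or any vendor's tooling: it runs such a review over a constructed account export and flags dormant accounts, administrative accounts without two-factor authentication, shared credentials, and passwords older than policy allows. The CSV column layout, the review date and the policy thresholds are all assumptions made for the example; map the columns from whatever your directory, POS vendor or bank portal actually exports.

```python
"""Account review over a constructed account export (added example)."""
import csv
import io
from datetime import date, datetime

# Constructed sample export; the column layout is an assumption for this
# example, not the format of any real product. None of these are real accounts.
SAMPLE_EXPORT = """\
username,role,last_login,mfa_enabled,password_age_days,shared
jsmith,user,2014-06-20,yes,45,no
admin,admin,2014-01-05,no,400,yes
pos-register1,user,2014-06-21,no,900,yes
cfo.jones,admin,2014-06-19,yes,30,no
contractor7,user,2013-11-02,no,250,no
"""

# Review date fixed so the example is reproducible; use date.today() in practice.
AS_OF = date(2014, 6, 30)

# Thresholds are assumptions; take them from your own written policy.
POLICY = {"max_idle_days": 90, "max_password_age_days": 180}

# What to do about each finding, in the language of the checklist above.
REMEDIATION = {
    "dormant": "no recent login: disable now, delete after confirming with the owner",
    "admin-without-mfa": "administrative account lacks two-factor authentication",
    "shared-account": "shared credential: issue individual accounts, then retire it",
    "stale-password": "password older than policy allows: force a change",
}


def review_accounts(export_text, as_of, policy=POLICY):
    """Return {username: [finding codes]} for every account that breaks policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        idle_days = (as_of - last_login).days
        if idle_days > policy["max_idle_days"]:
            issues.append("dormant")
        # Two-factor is demanded of admins here; extend to remote-access users too.
        if row["role"] == "admin" and row["mfa_enabled"] != "yes":
            issues.append("admin-without-mfa")
        if row["shared"] == "yes":
            issues.append("shared-account")
        if int(row["password_age_days"]) > policy["max_password_age_days"]:
            issues.append("stale-password")
        if issues:
            findings[row["username"]] = issues
    return findings


def review_sample():
    """Run the review over the constructed export as of AS_OF."""
    return review_accounts(SAMPLE_EXPORT, AS_OF)


if __name__ == "__main__":
    for user, issues in sorted(review_sample().items()):
        for code in issues:
            print(f"{user:15} {code:20} {REMEDIATION[code]}")
```

Run as-is it reports the generic "admin" account on all four counts, the shared register login on two, and the contractor who has not logged in since the prior year; the two named individuals with current logins and two-factor enabled produce no findings. The point of keeping the thresholds in one place is that the review can be re-run unchanged each month, and the findings list is what management signs off on.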

Summary

All businesses should be conducting security risk assessments. A security risk assessment highlights the areas that are vulnerable and gauges the likelihood and impact of each, and it should be repeated on a regular basis, not done once and filed away. A good risk assessment program combines inside expertise and oversight with outside experience and insight. Using a third party to work with the company on a risk assessment brings in a level of security expertise not normally found in-house, as well as an unbiased and pragmatic view of the policies and procedures in place. Once the risk assessment is conducted, the business should be prepared to make changes and to monitor the results.

The time to conduct a security risk assessment is now, not after an incident occurs.

Dennis Simpson

www.SimpsonAdvisoryGroup.com

Dennis.Simpson@SimpsonAdvisoryGroup.com

Simpson Security and Investigative Advisory Group, LLC

IT Security

Field Guide: Types of People Behind Today’s Corporate Security Threats

ZDNet (12/02/13) Detwiler, Bill 

ZDNet has created a field guide to help corporations identify and defend against security threats. The field guide notes that employees are often a company’s greatest security threat. These threats can come about through deliberate actions by employees or through a mistake made by a well-meaning individual. To avoid having employees become threats, it is important that companies have good governance, set and enforce policies, offer education for employees, and take steps to know their employees.

Though not typically behind attacks, CEOs and small business owners face the same attack vectors as other employees, such as phishing, social engineering, and infected USB drives. But higher-level employees can pose greater security risks because they are bigger targets, have greater access to corporate networks, and are often exempt from normal security policies. Though the same security techniques used for other employees can help protect CEOs, IT needs to be aware of the political implications of dealing with high-level employees and how to maintain security in instances where they cannot say no to a demand from management.

Organized criminals are also a threat, as their attacks have become more sophisticated, and often involve skilled programmers and rented networks for launching distributed denial-of-service (DDoS) attacks and spamming campaigns. Companies can take steps to protect themselves from organized criminals by securing devices and networks, educating employees about IT security, and by establishing and enforcing strong security policies.