We recently completed two projects: one involved the investigation of a theft and potential data breach at a major firm, and in the other we were asked to conduct an in-depth security review for a major corporation that recently had an intruder breach their premises. What we found is all too common in many businesses today. Business security is not a priority until after an incident occurs.
You can’t open the newspaper or listen to the news without reading or hearing about a data breach, embezzlement, financial fraud, or workplace violence incident. There are many reasons why basic security processes and procedures are not put in place, ranging from cost concerns to naiveté. The truth is, once an incident occurs, the monetary and intangible (business goodwill) cost to a business can be devastating.
There are recognized industry standards for security for both small and large businesses. Implementing those standards can help protect the business from a security breach, legal liability, and financial loss.
Financial Safeguards
In the 2014 Association of Certified Fraud Examiners Report to the Nations on Occupational Fraud and Abuse, it was reported that the median cost of a single fraud incident to small businesses was $154,000.00. Five simple steps businesses can, and should, take to help mitigate financial fraud are:
- Conduct background checks on all employees.
- Implement a written code of ethics.
- Divide bookkeeping and check signing authority.
- Deliver bank statements – unopened – to top management.
- Implement a fraud reporting mechanism or hotline (over 40% of all small business fraud is discovered through tips).
Physical Security
American National Standards Institute (ANSI) and ASIS International are recognized as the standard-bearers of physical security. Both organizations conduct extensive research on physical security and publish standards that are recognized the world over. Each business should conduct a security risk assessment along with a cost-benefit analysis. The size of your business will dictate how in-depth that assessment should be. Areas to consider in assessing the physical security of your business include:
- Security policies and procedures
- Security lighting
- Barrier systems
- Intrusion detection systems
- Physical entry and access control
- Video systems / Video surveillance
- Alarms
- Personnel
Workplace Violence
The Occupational Safety and Health Administration (OSHA) estimates that about 2 million U.S. workers are victims of workplace violence each year and about 10 percent of workplace fatalities are homicides. The monetary costs of workplace violence have been estimated by the National Institute for Occupational Safety and Health to exceed $120 billion per year, and the human costs are immeasurable.
Workplace violence incidents can come from a customer, an employee, domestic disputes that spill over into the workplace, and criminal acts.
Employers should take some basic steps to address workplace violence by adopting policies and procedures that demonstrate to their employees the importance of a safe workplace. Those steps should include:
- A written zero-tolerance policy for incidents of violence or threatening behavior in the workplace.
- Substantial disciplinary action, up to and including termination, for harassing or threatening behavior.
- An easy system for employees to report suspicious or threatening circumstances.
- A documented and detailed action plan outlining how the business will respond to those reports.
- A system for documenting those reports and the action taken by the business to address the report.
- A written and detailed emergency action plan in the event of a violent incident.
Cyber Security
The 2014 Data Breach Investigations Report, compiled by over fifty organizations from around the world, reported over 63,000 cyber security incidents and over 1,300 confirmed data security breaches across twenty-seven countries in 2013. Most of the breaches fit some basic patterns:
- Web App attacks (35%)
- Cyber Espionage (22%)
- Point of Sale intrusions (14%)
- Credit Card Skimmers (9%)
- Insider Misuse (8%)
- Crimeware (other malware incidents) (4%)
- Miscellaneous errors (2%)
While all industry segments were touched by cyber-attacks, the primary businesses affected by these breaches were retailers and the service industry. Some steps businesses can take to deter data breaches include:
- Restrict remote access.
- Enforce password policies.
- Do not browse social media, public websites, or personal e-mails on POS systems.
- Know your data and who has access to it.
- Review user accounts.
- Encrypt devices (laptops, hard drives, thumb drives – anything with data that could get lost or stolen).
- Move highly sensitive or valuable assets to a secure location.
- Properly dispose of information assets, and verify that they have been sanitized prior to disposal.
- Use two-factor authentication.
- Have a plan in place should a cyber-attack or data breach occur.
Summary
All businesses should be conducting security risk assessments. A security risk assessment highlights the areas that are vulnerable and helps gauge the likelihood and impact of an incident. These assessments should be done on a regular basis. A good risk assessment program will combine inside expertise and oversight with outside experience and insight. Using a third party to work with the company on a risk assessment brings in a level of security expertise not normally found in-house, as well as an unbiased and pragmatic view of the policies and procedures in place. Once the risk assessment is conducted, the business should be prepared to make changes and to monitor the results.
The time to conduct a security risk assessment is now, not after an incident occurs.
Dennis Simpson
Dennis.Simpson@SimpsonAdvisoryGroup.com
Simpson Security and Investigative Advisory Group, LLC