By Keith Tully
As criminals become ever more sophisticated, security of your business premises is now about so much more than just making sure you lock the door when you leave. This article looks at sensible precautions companies of all sizes can take.
As well as locks on the front door, locks can also be fitted to individual rooms, windows, cupboards, desk drawers and filing cabinets. Obviously, areas where valuable items or confidential information are stored should be a priority when considering where to fit locks.
At the main entrance, a keypad entry system is more secure than a conventional lock. However, make sure you don’t use a really common entry code, such as the same number repeated four times, or 1234, 4321 or 1066.
Roller shutter doors are more secure for the front entrance than a normal door lock.
A modern, sophisticated burglar alarm system is an essential part of any company premises.
If the company has the resources to employ security guards out of hours, or to purchase CCTV, then this obviously provides a great deal of comfort.
If your company rents its premises, you may not be in a position to decide what security measures are put in place. But the standard of the security arrangements should be a key consideration when you are considering moving to new premises.
Information technology security breaches can be very costly, and not just in monetary terms. Beyond the direct financial cost, significant data loss and damage to the company’s reputation can have serious implications.
Measures your company can take in this area include:
- Install a firewall and virus-checking software on your computers. Your IT consultant can advise what precautions need to be taken
- Consider upgrading your operating system
- Protect your computer by downloading the latest patches or security updates
- Only allow staff access to the information they need to do their job
- Take regular back-ups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don’t lose the information
- Don’t dispose of old computers until all the personal information on them has been securely removed (by using technology or destroying the hard disk)
- Consider installing anti-spyware. This protects against software that can be secretly installed on your computers. Spyware can monitor use, look for private information or even give someone else control of your computer
- Use ‘strong’ passwords – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and special characters like the asterisk or currency symbols
- Install spam filtering software
Ensure your staff are trained not to believe emails or other communications asking for information such as PINs and passwords. These often purport to come from banks, but a bank or other legitimate organisation would never ask a customer to provide this information. Even if a telephone caller invites you to call back, or calls from a recognisable number, this is not necessarily a guarantee of authenticity, as scammers can stay on the line when you hang up, and can use software to manipulate caller displays on telephones. Instead you should ask to call back anyone you are suspicious of, wait five minutes before returning the call, and ensure you get a dial tone.
If the communication is made via email, it may contain a link directing you to a carefully designed copy of the bank’s website, where you may be asked to enter your account details, PIN, password or other information. No legitimate organisation will ask for this information in this way.
Staff must also be aware that under no circumstances should they open spam emails.
Vetting of Staff
Some of the biggest security threats can come from inside the company – can you be sure your staff are trustworthy? Some simple measures you can take include:
- Ask for proof of identity from new employees (e.g. via a passport or driving licence)
- Ask them to confirm their eligibility to work in the UK (e.g. via a UK/EU passport or an appropriate work permit)
- Check their references, perhaps by making a call to the person who supplied them
- If they will hold a sales position, a senior management role or a role dealing with finances, check their financial situation via a credit check
Keep an eye open for any suspicious transactions – many an employee has diverted company funds into their own account in the past, and many more will do so in the future.
When staff leave the company, ensure that their access to all IT systems is disabled immediately, and that they return everything they have been given. Ensuring they return the keys is especially important. It may also be a good time to change the code on any keypad entry system.
Confidential paper waste should be shredded – not placed in the regular waste.
All companies should have a documented Business Continuity Procedure. These are traditionally thought to relate to how companies will respond to events such as fire, flood or loss of utilities, but the procedure should also cover how the company will respond to security breaches.
The procedure should specify the name of a Business Continuity Officer who will take charge of implementing the recovery effort in case of an incident, together with a deputy should the nominated person be absent at the time.
The four key elements to a company’s response to an incident are:
- Containment and recovery – measures for damage limitation
- Assessing the risks – assessment of any risks associated with the incident
- Notification – the company first needs to consider who it should contact who might be able to assist with the recovery effort. For a security breach this might include IT service providers, the landlord or the bank. The company should then consider whether it is necessary to inform the Information Commissioner’s Office (ICO) and/or appropriate regulatory bodies and/or the police. (The ICO is the UK’s data protection watchdog, and it recommends that it should be notified when data loss has occurred which has a significant potential for harm to be caused to individuals, when the amount of data lost is significant or when the data lost is of a particularly sensitive nature.)
- Evaluation and response – it is important that your company investigates the causes of the incident and also evaluates the effectiveness of your response. If necessary, you should then update your policies and procedures accordingly.
A copy of the procedure must be held off-site, say at the home address of your senior managers. It is no good if the only copy is held on your internal computer drive, which you then can’t access because of the incident!
Keith Tully is a leading business insolvency expert and a partner at Real Business Rescue, the UK’s largest professional services consultancy. Keith provides support and advice to small and large companies alike with the benefit of over 20 years’ experience in the field.