
Top Ten Ways to Protect Your Business

From Ryan Groom,
Your Guide to Business Security.

Security Advice for Small Businesses

One of the biggest complaints I hear from business owners is that security costs. How does a small business with a limited budget and staff go about securing its office?

Let’s take a fictional 10-person company called WidgetCo. This company manufactures widgets. It has recently developed a new manufacturing process for producing widgets, and it is imperative that the process be kept secret until a scheduled press release.

The company consists of a CEO, accountant, marketing director, two sales people, two developers, a QA tester, project manager and a receptionist. All IT is outsourced and the team is not overly technically savvy. Sound familiar? Let’s take a look at 10 immediate things WidgetCo can utilise to help keep their widget process secure.

1. Security Policies

All staff should have policies to follow that are implemented and enforced from the CEO down. Employees need to know exactly what is expected of them and how they should react. With policies in place, the guesswork is left out and staff have a reliable framework to fall back on. Train the staff on the security policies that have been implemented and have them sign a disclaimer stating they have read the document.

2. Office Security

Ensure that physical security is enforced as well. Keep external doors locked and keep visitors out of the development shop. All visitors should be escorted when viewing your business. Consider a low-cost camera system for high-traffic areas and locations that contain sensitive equipment or information, such as the accountant’s office or the server room. If your office is located in an area where crime is a concern, consider hiring a security guard or try to rent from a building where a security guard is part of the contract. Having a security guard will deter many (not all) criminals.

3. Secure Building Perimeter

Provide adequate lighting for the exterior of the building, including rear entrances and parking lots. A determined criminal will find ways around, but many spur-of-the-moment thefts and break-ins can be deterred with simple lighting. Have locks for the windows, and bars if required. Ensure all of the staff are aware of any high-risk areas that might provide an easy target.

4. Get References if IT is Outsourced

If IT is outsourced, get references from the organization that provides the service. Many small businesses employ a friend or a local person who seems to know what they are doing. The only caveat here is what happens when something goes wrong. Will the hired hand stay all night to rebuild your servers if they are struck with the latest virus? If the hired person is not in a full-time IT position, you may be getting someone who is less than qualified to run your systems. Consider hosting your servers with a known, reputable third-party service.

5. Firewall/Antivirus/Anti Spam/Anti Spyware

All systems should have these components installed. If you use Windows XP or Vista, you have a free firewall; in fact, the Vista firewall is really quite powerful. Many open source firewalls, such as IPCop, exist at virtually no cost as well. Anti-spam can be taken care of at the server level or, more cost-effectively, at the user level. Anti-spyware can be taken care of with Microsoft Defender (a free add-on to Windows), and the cost of effective antivirus software has dropped drastically. Most people can easily set up the aforementioned products with little or no IT experience.

6. Patching

A large number of a system's security flaws can be addressed with an aggressive patching strategy. Patches are a fact of life and must be incorporated into service level agreements and scheduled downtime. If you outsource, you still may have to patch your own systems. Microsoft offers the Microsoft Security Baseline Analyzer (MSBA) and the Windows Security Update Service (WSUS) freely to consumers. Patches must be tested before implementation to ensure stable systems do not become casualties. Microsoft offers a small business patch management guide.

7. Training

Train the employees about escalation procedures in case of an emergency or suspected hacking attempt. If the staff understand what is to happen and who they should contact, they will be better prepared to cope when an emergency arises. If a caller starts asking the receptionist strange questions, ensure that the receptionist knows to report it. If someone is caught hanging around the rear door by the smoking area talking to staff, report it to the floor marshal. Most attacks are preceded by warning signs. Staff just need to understand those signs.

8. Learn from the Mistakes of Others

Read the Seven Worst Mistakes Senior Executives Make and Suggested Fixes and the Five Worst Security Mistakes End Users Make and Suggested Fixes. It never hurts to be humbled.

9. Background Checks

All staff should undergo a background check, including a police report. While a formal check will not alert you if a person has never been in trouble with the law, it will give you some tools to weed out those that have. Part of the background check will involve formal interviews and questionnaires to determine an applicant's worthiness for the job. Follow up references. Many organizations never even call references and take their employees at face value. While trust is an important tool to have with co-workers, it is also important to know who you are working with.

10. Auditing

When you have everything else in place, get a security assessment completed. This will alert you to any holes in your armour and perhaps address processes you have not considered. An impartial third eye is always a good thing when it comes to security. Hire a reputable firm to conduct the assessment. A good firm will provide you with solutions to the issues as well and not just beat up on your lack of security.

Running a business is hard enough without throwing in hackers and theft. Following these simple rules will help to alleviate some of that stress. Preplanning is the key. When an emergency strikes the staff need to know what is going on and how to address the problem. WidgetCo seems to be on the right track.

©2008 About, Inc., A part of The New York Times Company. All rights reserved.