How to conduct a security audit for your small business
For SMEs, COVID-19 uncertainty has brought a shift in priorities to navigate the ‘new normal’ working environment. With safety the word on everybody’s lips as we navigate changing pandemic precautions, it could be the perfect time to review business security with an audit. Izzy Schulman, Director at Keys 4 U guides us through the steps to preparing a risk assessment and security audit to keep your business safe.
UK SMEs lost £8.8bn in security incidents and cybercrime cost the industry £17.4bn in 2018. As business owners, we never want to fall victim to this kind of crime and so we need to put a plan in place to assess and secure our businesses on a regular basis.
Conducting a risk assessment
The first step in any security audit is conducting a thorough risk assessment. This means reviewing every aspect of the physical workplace and all business processes to identify any possible threats.
For SMEs, this will likely include weaknesses in building entries, insecure software and access to confidential files or company property that would have a significant impact on business-as-normal if they were to be compromised.
Once the risks have been identified, divide some of the responsibilities between team members. This ensures each risk is afforded the time and attention to guarantee thorough checks.
Evaluate each threat in detail, including any potential weak points and their current security status. Then, offer actionable advice on securing it. Keeping these details on record will prevent you from being blindsided if the worst happens – allowing you to swiftly act on the advice to secure your business.
For example, when reviewing the physical workplace, the audit should include details on all potential fire or flood risks, plus tripping or falling object hazards. All of this can be logged and flagged for future audits, including the steps you have taken to minimise the risk.
Successful security audits require managers and directors to be extremely self-critical and honest about areas of weakness so that the risks can be minimised.
Addressing the office
With employees urged to work from home where possible, leaving many offices and workplaces empty, this has unfortunately provided the perfect cover for criminals to break into businesses, causing rates of this type of crime to rise.
For many businesses, this has acted as an overdue wake-up call to address the structural security of their workplace.
This could mean several measures intended to deter potential intruders, from replacing worn locks and outdated window fixtures, to fitting keypad entry devices and getting a professional to install and test security alarm systems. Visible, robust deterrents are the most likely to make potential burglars think twice about trying their luck.
However, the ongoing COVID-19 pandemic has thrown an extra spanner in the works, prompting businesses to act to protect their staff with additional hygiene measures. Part of any ongoing audit should now be dedicated to making sure your workplace is hygienic and adequately sanitised for staff.
As a minimum, you should be following the government's COVID-secure guidance and implement the measures it recommends such as one-way systems, Perspex screens, encouraging adherence to face covering and social distancing regulations, as these will shield against any community spread.
A security audit also marks an opportunity to revaluate employee buy-in to business security. Those working in SMEs are usually overstretched in their roles, helping the firm remain efficient and competitive, so incentivising staff to take on additional responsibilities can be a challenge.
Offering small rewards or prizes for those who go the extra mile – for example, recognition in company emails or vouchers – shows the importance of teamwork in company security and emphasises how you value employee compliance.
This may also mean taking steps to make it as easy as possible for your employees to play their part. For example, splitting up the team and allocating individual responsibilities, to limit the number of tasks placed upon each employee. So, you may have staff in charge of locking up and ensuring data compliance, as well as electing fire marshals and first aiders.
Note all these measures down in your audit and plan.
A look online
With technology becoming more widely adopted across every department of SMEs – and a rise in virus and ransomware attacks affecting 88% of UK businesses – defending digital channels is crucial to the success of a business.
Unfortunately, the biggest crutch in a business’ security is often the employees themselves. Losing devices, choosing weak passwords and not having the necessary security software installed can all lead to breaches.
However, most of these lapses in security knowledge can be addressed with regular training. Simple tips like identifying phishing emails and avoiding malware scams can be learned in short training sessions – and easily topped up with refresher courses to cover the latest cybersecurity threats.
Working remotely also comes with its own complications. Encourage all your employees to update anti-virus and firewall software on any devices used to access company data. This safeguards against threats when accessing confidential files. Your business could also benefit from setting up a virtual private network (VPN), to protect confidential data.
You should also consider rolling out multi-factor authentication software, which requires a user to input a one-time code – often sent directly to their mobile phone – to validate their permissions. This prevents hackers from accessing the network with just a stolen password alone.
Security can also be bolstered by adding security questions or ReCAPTCHA software to avoid malware attacks.
Fit for the future
Business security is never ‘done’ and it’s recommended businesses undergo a security audit twice a year as a minimum.
Staying secure means investing budget and time into regular audits. While business security isn’t as glamorous as a big marketing campaign or shiny advert, it saves on the cost of downtime and repairs if the business gets targeted.
It’s also important to keep a clear and concise security plan, including all identified threats, their current status, and efforts in place to lessen risks going forward.
Keep a note of any new equipment you introduce to the workplace, plus the security status of third-party companies you may be working with and any new software installed. Keeping key contact information for businesses and distributors allows you to act swiftly if the worst happens.
Having all this information in an accessible document acts as a strong contingency plan. If someone in your business suspects a threat, the plan is on hand to guide them through the steps to minimise the damage – including who to call and any gaps to plug to avoid a small breach affecting your whole business.
Izzy Schulman is a Director at Keys 4 U, a team of UK-based, DBS checked, fully accredited locksmiths.