Global Investigators & Security Consultants
0333 6000 300

Checks and actions that companies can make for themselves to mitigate risk, before a more extensive internal audit

  • How to assess the safety and security of your company

    In this article we will examine how your organisation can mitigate risks by regularly carrying out essential security and safety checks.

    We will consider:

    • Why is it important to review the security and safety of your organisation?

    • How to carry out a security check.

    • What are the common risks and threats that you should check and consider?

    • What are the specific threats and risks for your organisation?

    • How you can control and manage risks.

    • How often should you review your facilities, procedures and policies?

    • What are the benefits of employing a security consultant to carry out an external audit?


    Why should you carry out a security and safety survey?

    The ultimate purpose of undertaking a security survey is to determine the most cost-effective and practical ways to protect your assets: your people, property and information.

    Imagine an onion. At its core is your business or organisation, containing all of your assets (property, people and information). Everything essential to your operation sits in the centre, beneath many protective layers. The more independent layers of protection there are around your core business, the more secure and safe you are likely to be, because an intruder has to get through every one of them.

    Criminals and competitors have always had opportunities to damage your organisation. In the twenty-first century, however, crime happens both in the physical world and online, and by reviewing and checking your security you reduce the risk of becoming a victim in either.

    How do I carry out a security check?

    You can perform many of the simple checks yourself. This article contains useful information and key questions to help you review your company’s security practice and procedures. In order to carry out an effective survey, we recommend that you:

    • Do not pre-announce or publicise when or where you will carry out a security or safety check. If staff know when it is, they will temporarily abandon their normal bad habits, whereas an unannounced inspection immediately shows which processes or policies expose your business to risk. Remember, their safety and security is one of the reasons you are carrying out this review.

    • Have floor plans and site diagrams marked with your control systems (locks, alarms, cameras and access-controlled doors) so that you can identify current and potential security and safety risks. With the plan you can record the profile of each building, number each door and carry out repeatable checks against the same reference.

    • Work systematically and thoroughly, using the guide below. You have to ‘think like a criminal’ and spot existing and potential risks and weaknesses in your organisation.

    • Record your findings and create an action plan. The plan should state each issue found and the safety and security measures and procedures you have put in place to mitigate it.

    What are the common risks and threats that you should check and consider?

    When you review the security of your organisational assets (property, people and information), you need to consider how you control and manage risks:

    • Fixed assets – property, physical assets (e.g. office equipment & specialist products/machines – depending on the nature of your business).

    • Technological assets – computer systems and servers, storage of information and data (both physical systems and data backup/cloud based storage).

    • Staff – what action do you take to safeguard your assets when employees leave (keys and passes returned, door codes changed, accounts and remote access revoked)?

    • As you perform your security and safety checks, review your organisation’s provision, processes and policies.

    Below, we have listed the simple things you can check for potential weaknesses, opportunities and threats.

    Premises

    • Are fences, walls, security and locks on windows and doors secure?

    • Can perimeters be scaled or breached?

    • Are the CCTV cameras in good working order?

    • Who is responsible for the maintenance of security systems in your organisation?

    • Are the alarm systems working?

    • Are CCTV cameras and alarm systems serviced and tested regularly?

    • Where is this information recorded?

    • How easy is it for visitors to access your premises?

    • Are staff vigilant? Do they know how to report risks?

    • Are visitors challenged by staff and asked to sign the visitor book and show ID?

    Policies and Procedures

    • Do you have an effective passcode / key policy in place (for locks)?

    • Do you change electronic door entry codes regularly?

    • If using locks with physical keys, how effectively does your key usage policy work in action?

    • Are physical keys (and electronic credentials such as fobs and key cards) stored securely?

    • What controls are in place and fully working with respect to access to restricted access areas (e.g. mail rooms and server rooms)?

    • How effective is staff induction and training?

    • Are staff aware of their security responsibilities (e.g. they have to wear IDs at all times)?


    Staff

    • Are staff following security policies?

    • Do staff create security risks, such as holding doors open for strangers (tailgating) or lending their passes to others?

    • Do staff know how to report security issues?

    • Are security staff trained?

    • How do you monitor their job performance?

    • Is CCTV monitored at all times?

    • What happens when they spot a potential risk?

    • How do you vet staff and ensure you are employing the right people?


    Technology

    • How do you back up electronic data?

    • Is it on site?

    • Are back ups stored separately from main data? Where? How?

    • How effective are the security arrangements to protect servers?

    • Who is responsible?

    • How often do you make backups, and have you tested that critical data can actually be restored from them if the originals are damaged, encrypted or stolen?

    • How well are you protected against viruses, malware and ransomware, and can ransomware running on a staff PC reach your backups?
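    The backup questions above are easy to answer ‘yes’ to and harder to prove. The following Python script, added here as an illustration and not taken from the original article, shows one way to prove it: it records a SHA-256 manifest of a backup set, keeps that manifest in a separate location from the backup, and later checks that the backup is recent, complete and unchanged. The directory names, the one-day freshness limit and the simulated ransomware scenario are constructed for the example.

```python
"""Backup sanity check: record a SHA-256 manifest of a backup set, keep it
apart from the backup, and later verify that the backup is fresh, complete
and unmodified (ransomware encrypts files in place and leaves new ones)."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_BACKUP_AGE_DAYS = 1.0   # assumption: policy says a backup must be taken daily


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(backup_dir: Path) -> dict:
    """relative path -> SHA-256 of every regular file under backup_dir."""
    return {str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def write_manifest(backup_dir: Path, manifest_path: Path,
                   taken_at: Optional[float] = None) -> dict:
    """Write the manifest somewhere the backup itself cannot overwrite it
    (here a different directory; in practice offline or write-once storage)."""
    manifest = {"taken_at": time.time() if taken_at is None else taken_at,
                "files": backup_files(backup_dir)}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path,
                  now: Optional[float] = None) -> dict:
    """Compare the backup set on disk with the separately stored manifest."""
    manifest = json.loads(manifest_path.read_text())
    now = time.time() if now is None else now
    age_days = (now - manifest["taken_at"]) / 86400
    present = backup_files(backup_dir)
    expected = manifest["files"]
    findings = {
        "age_days": round(age_days, 2),
        "stale": age_days > MAX_BACKUP_AGE_DAYS,
        "missing": sorted(set(expected) - set(present)),       # files the backup lost
        "modified": sorted(f for f in expected
                           if f in present and present[f] != expected[f]),
        "unexpected": sorted(set(present) - set(expected)),    # e.g. a ransom note
    }
    findings["ok"] = not (findings["stale"] or findings["missing"]
                          or findings["modified"] or findings["unexpected"])
    return findings


def demo() -> tuple:
    """Constructed scenario: a good backup checked an hour later, then the same
    backup checked three days later after simulated ransomware has overwritten
    one file and dropped a ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        offsite = Path(tmp) / "offsite"          # separate location for the manifest
        backup.mkdir()
        offsite.mkdir()
        (backup / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (backup / "ledger.xlsx").write_bytes(b"PK\x03\x04" + b"fake spreadsheet")
        manifest_path = offsite / "backup-manifest.json"
        taken = time.time()
        write_manifest(backup, manifest_path, taken_at=taken)
        clean = verify_backup(backup, manifest_path, now=taken + 3600)

        # Simulated ransomware: contents replaced with random bytes, note left behind.
        (backup / "customers.csv").write_bytes(os.urandom(48))
        (backup / "README_DECRYPT.txt").write_text("pay us")
        tampered = verify_backup(backup, manifest_path, now=taken + 3 * 86400)
        return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, json.dumps(result))
```

    The point of the separate manifest location is the same as the point of keeping backups separate from live data: if the manifest sits inside the backup, whatever encrypted the files can rewrite the manifest too. A manifest check tells you the backup is intact; it does not replace a periodic test restore, which is the only proof that you can actually get the data back.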

    What are the specific threats and risks for your organisation?

    It is impossible to list all of the risks for every organisation: that is why employing an independent security consultant to review your organisation’s security and safety is a worthwhile investment. But there are some simple things you can control and manage to mitigate your risk, and reduce the chance of becoming a victim of crime.

    How can you control and manage safety and security risks?

    Any response to minimising risk should be both consistent and proportionate. Companies that excel at mitigating risk allocate a sufficient budget to prevention and review their policies and practices regularly:

    • A senior member of staff is appointed as ‘Security Liaison Manager’, and is responsible for resolving any security issue as soon as is practically possible. All staff are responsible for spotting and reporting security lapses or issues to this manager.

    • A strict policy is in place for Key holders and access arrangements.

    • The company belongs to a Business Watch scheme.

    • You should create a security register, where you can record:

      • Your assessment findings;

      • Details of any security systems already in place;

      • Alarm systems;

      • List of the key holders;

      • A plan of the premises, labelled with building and door numbers;

      • Your security action plan, detailing what needs to be addressed, when, who is responsible, the allocated budget and the timeframe.

    How often should you review your facilities, procedures and policies?

    These simple checks can be completed once a month. In practice, most companies perform these checks four times a year, but it all depends on the particular risks associated with your organisation such as your physical location and surroundings and the nature of your business. A security consultant will be able to advise you on the best course of action.

    What are the benefits of employing a security consultant to carry out an external audit?

    Whilst this article focused on the simple checks you can make yourself, we recommend that you appoint one of our trusted security consultants to independently assess and check security in your organisation. They will expertly advise you on how to mitigate risk, based on your organisation’s unique circumstances and the specific risks you face. However, as we have explained, there are many simple checks that you can do yourself to keep your company safe and secure.

    by alex

How Organisations Can Avoid Data Breaches And Thus Meet Their Security Obligations

  • Stay on top of security developments by following these five pieces of advice

    With cyber attacks becoming increasingly common, it is vital for companies to keep their data safe from breaches. If a data breach occurs, your company’s financial information will be at risk, as will potentially sensitive customer information. As well as being bad for the image of your business (and losing you customers), data breaches can make companies liable to pay fines, because the Data Protection Act 1998 legally requires companies and other organisations to keep people’s personal information safe and secure and imposes penalties if they do not. Good security is thus not just convenient, it is an obligation. Covering the five basic points listed below will not make you immune to attack, but it addresses the weaknesses that most breaches exploit. If you do not feel comfortable covering all of them yourself, then hiring an IT professional to do so for you is a smart choice.

    1. Keep your IT infrastructure in good health

    Knowing and understanding your IT infrastructure is an essential first step to keeping it safe. Maintain an inventory of the software you are using and the updates or patches available for it, and apply security patches as soon as they are released. Ensure that you know where and how your infrastructure intersects with the law: what level of security are you legally obliged to provide? Make sure that you provide that level as a basic minimum. Under the Data Protection Act, if you take no action to prevent or halt a data breach you can become liable for even bigger fines. This was the case with TalkTalk last year when they were fined £400,000 (a record amount at the time) for a data breach in which sensitive customer records were taken. Monitor your IT infrastructure at all times so that you catch attempted breaches as early as possible, and when a breach or an attempt does occur, use it as an opportunity for learning: it can show you where your weak points are and what methods attackers are currently using. If a data breach does occur and you have fulfilled all of your legal obligations under the Data Protection Act, then a penalty is much less likely.

    2. Opt for automation to keep your security up to date

    Monitoring IT security is a 24/7 job, because attacks can happen at any time, and human eyes alone cannot watch every part of your infrastructure. So put automation in place: encryption policies, intrusion detection and prevention systems, regular automatic assessments (in which the system scans itself for weak spots and signs of compromise and applies patches and updates where necessary) and backups that stop files being lost permanently if an attacker wipes or encrypts your disks. For the backups to be any use against ransomware they must be kept somewhere the attacker cannot reach from a compromised machine, for example offline or on storage that only the backup job can write to, and restores must be tested. Another good policy is to quarantine inbound files, e-mail attachments above all, until they have been scanned or checked manually, because sending a malicious attachment is one of the most common ways attackers get in. These automatic controls keep working whilst you get on with running the company.
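    What ‘checking an attachment before it is released’ looks like in practice is shown by the following Python example, added here as an illustration and not taken from the original article. It makes three decisions a mail gateway makes: refuse file types that should never arrive by e-mail, compare the real content of the file (its leading bytes) with what the file name claims, and hold anything it does not recognise for a manual check. The extension lists, the magic-byte table and the sample attachments are constructed assumptions for the example, and a real gateway would use far longer lists.

```python
"""Triage an inbound attachment before it reaches the user's inbox: quarantine
executables and macro-enabled formats, quarantine anything whose real content
does not match its file extension, and hold unknown types for manual review."""

# Assumed policy lists for the example; a real gateway has far longer ones.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1",
                      "hta", "jar", "lnk", "iso", "docm", "xlsm", "pptm"}
ALLOWED_WITHOUT_SNIFF = {"txt", "csv"}          # plain text: nothing to sniff
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
                 "doc": "ole", "xls": "ole", "zip": "zip",
                 "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}
MAGIC = [                                         # (leading bytes, kind)
    (b"MZ", "executable"),                        # Windows PE
    (b"\x7fELF", "executable"),                   # Linux ELF
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                       # also docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy Office, may carry macros
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]


def sniff(data: bytes) -> str:
    """Identify the real content type from its leading bytes, ignoring the name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> tuple:
    """Return (decision, reason); decision is 'deliver', 'hold' or 'quarantine'."""
    parts = filename.lower().strip().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:              # catches invoice.pdf.exe as well
        return "quarantine", f"blocked extension .{ext}"
    if kind == "executable":                   # a PE renamed to .pdf still starts with MZ
        return "quarantine", f"executable content disguised as .{ext or '(none)'}"
    if ext in EXPECTED_KIND:
        if kind != EXPECTED_KIND[ext]:
            return "quarantine", f".{ext} does not look like {EXPECTED_KIND[ext]} (got {kind})"
        return "deliver", f"content matches .{ext}"
    if ext in ALLOWED_WITHOUT_SNIFF:
        return "deliver", f".{ext} is plain text"
    return "hold", f"unrecognised type .{ext or '(none)'} ({kind}); manual check required"


# Constructed sample attachments (not real malware): names and leading bytes only.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE renamed to .pdf
    ("scan_2024.pdf.exe", b"MZ\x90\x00"),                   # double extension
    ("payroll.xlsm", b"PK\x03\x04\x14\x00"),                # macro-enabled workbook
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("notes.txt", b"meeting at 10\n"),
    ("archive.7z", b"7z\xbc\xaf\x27\x1c"),                  # on no list: hold it
]


def triage_samples() -> list:
    """(filename, decision) for every constructed sample, in order."""
    return [(name, triage(name, data)[0]) for name, data in SAMPLES]


if __name__ == "__main__":
    for name, data in SAMPLES:
        decision, reason = triage(name, data)
        print(f"{decision:10} {name:22} {reason}")
```

    Note that the two checks cover different tricks and neither is enough alone: a .docx and a .docm are both zip archives, so the leading bytes cannot tell a harmless document from a macro-enabled one and the extension rule has to do that job, while a renamed executable passes any extension rule and only the content check catches it. Real gateways go further and open the archive to look for macro streams, but the decision structure is the same.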

    3. Educate all company members about IT security

    Get everyone on board when it comes to monitoring the security of your IT infrastructure. Train employees to recognise attempted cyber attacks (phishing above all) and to handle data securely. Create a set of employee regulations that require full-disk encryption and strong passwords on the laptops and removable media they use, and that require software patches to be applied promptly. Think about where your company’s hardware is, too, and where necessary prevent employees from taking hardware home: if it gets into the wrong hands, a single lost unencrypted laptop can result in a huge data breach. Two policies are especially valuable here. Data minimisation means collecting and keeping only the personal data you actually need, so that there is less to lose. Need-to-know access (least privilege) means giving each person access only to the data their role requires, rather than sharing it with everyone of a given seniority. The fewer people who can reach a dataset, the less likely it is that negligence or a compromised account will expose it.

    4. Have a detailed plan about what to do in the event of a data breach

    Plans for how to respond to suspicious activity (which, of course, you will be monitoring as per step 1 above) should be built into your day-to-day IT policies. Set up real-time alerts that identify threats straight away, and have a plan you can quickly put into action to protect sensitive information: for instance, isolating or shutting down the affected parts of the system, disabling compromised accounts, or getting your IT professional to work immediately on containing the intrusion. Integrate prevention and response into day-to-day operations, for instance by informing employees about attempted breaches so that they can change their passwords immediately. Be aware of your legal obligations when it comes to reporting breaches: remember, if you take no action to repair or report a breach you can become liable for penalties. And after any attempted breach, make it part of your policy to analyse what happened so that you are stronger against the next attack.
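    One concrete form of a real-time alert, added here as an illustration and not taken from the original article: a single pass over sshd log lines that flags a source guessing passwords and, more importantly, the moment one of those guesses succeeds, which is the event that should trigger the response plan (disable the account, block the source, investigate). The log format (rsyslog with RFC 3339 timestamps), the five-failures-in-two-minutes threshold and the sample log lines are all constructed for the example.

```python
"""Detect SSH password guessing and a subsequent successful login from the
same source, over sshd lines in rsyslog's RFC 3339 timestamp format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches e.g.
# 2024-03-04T10:15:10+00:00 web1 sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

FAILURE_THRESHOLD = 5           # assumption: five failures ...
WINDOW = timedelta(minutes=2)   # ... within two minutes counts as brute-forcing


def parse_line(line: str):
    """Return a dict with ts/host/result/user/ip, or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines) -> list:
    """Single pass over the log; returns alert dicts in the order they fire."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    flagged = set()                        # ips already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        window = recent_failures[ip]
        while window and ts - window[0] > WINDOW:   # forget failures older than WINDOW
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) >= FAILURE_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(window), "at": ts.isoformat()})
        elif ip in flagged:
            # The alert that matters most: the guessing worked. This is the
            # trigger for the response plan rather than just a statistic.
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts


# Constructed sample log (not real traffic): one source guesses six passwords in
# about 80 seconds and then gets in as alice; the other lines are normal noise.
SAMPLE_LOG = """\
2024-03-04T10:15:01+00:00 web1 sshd[812]: Accepted password for bob from 198.51.100.7 port 40102 ssh2
2024-03-04T10:15:10+00:00 web1 sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2024-03-04T10:15:25+00:00 web1 sshd[816]: Failed password for invalid user test from 203.0.113.5 port 51023 ssh2
2024-03-04T10:15:41+00:00 web1 sshd[817]: Failed password for root from 203.0.113.5 port 51024 ssh2
2024-03-04T10:15:44+00:00 web1 sshd[818]: Failed password for carol from 192.0.2.9 port 60110 ssh2
2024-03-04T10:15:58+00:00 web1 sshd[819]: Failed password for alice from 203.0.113.5 port 51025 ssh2
2024-03-04T10:16:12+00:00 web1 sshd[820]: Failed password for alice from 203.0.113.5 port 51026 ssh2
2024-03-04T10:16:30+00:00 web1 sshd[821]: Failed password for alice from 203.0.113.5 port 51027 ssh2
2024-03-04T10:16:40+00:00 web1 sshd[822]: pam_unix(sshd:session): session opened for user bob by (uid=0)
2024-03-04T10:16:45+00:00 web1 sshd[823]: Accepted password for alice from 203.0.113.5 port 51028 ssh2
2024-03-04T10:20:02+00:00 web1 sshd[830]: Failed password for carol from 192.0.2.9 port 60111 ssh2
"""


def run_sample() -> list:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    The sliding window is what keeps this from paging you about every user who mistypes a password: 192.0.2.9 fails twice, minutes apart, and never fires. The second alert type is the one to wire to a response, because once a guessed password has worked the breach is no longer ‘attempted’.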

    5. Be smart about who you hire

    Hiring an IT professional (or a team of professionals) to keep your IT infrastructure safe is a very good idea. Think of this additional hire as an investment rather than a cost: after all, the average cost of a single data breach last year was over £100,000 for a UK company. Do not just look close to home, either: tap into the global talent pool to ensure that you hire the right person for the job. Many security professionals can work remotely for much of the time (though there are definite benefits to having an in-house professional keeping an eye on your IT security), so you could even hire a team that includes someone in a different city or country if need be. Find out who the best qualified security professionals are and offer them an attractive post to tempt them over to your company. As well as this, it is important to include some IT security training for all of your staff, not just those whose job it will be to protect your IT infrastructure. If a potential new employee has experience or qualifications that relate to cyber security, that should count as a definite positive for your company. Hiring a dedicated person, or group of people, to deal with your company’s cyber security is also good for business: it shows the world that you care about keeping your customers’ and business partners’ data safe and secure at all times.

    by alex