Three critical elements of a strategy for business security

In today's corporate environment, "business security" is an all-encompassing term. It no longer applies to just premises security, but to the myriad of security issues companies face each day. Security threats are increasing proportionately with technology and manifest on multiple fronts and in various forms. Today's businesses must not only protect their physical assets and employees from criminal and terrorist acts, but must also employ countermeasures to protect their IT networks, proprietary information and financial security. Small and midsize companies often become overwhelmed by all these threats, viewing them as too time-consuming and costly to address, thus increasing their vulnerability.

Companies should not try to protect themselves from every type of conceivable threat. This would be too costly and ineffective. A company must determine what its external and internal threats are, and then employ the appropriate security and countermeasures. This can be accomplished by a methodical step-by-step process that identifies the company's threats, risks, and vulnerabilities.

Vulnerability assessment: The basic objective of performing a vulnerability assessment is to better understand the company's threats and vulnerabilities, determine acceptable levels of risk, and incorporate countermeasures to repair identified vulnerabilities. This is a cost-effective method to determine what security systems and procedures a company should employ based on its postulated threats. A postulated threat is any indication, circumstance, or event with the potential to cause loss or damage to an asset, human or otherwise. A vulnerability assessment is the most efficient way to determine postulated threats and risks. This can be outsourced to security experts or conducted internally, if the business owners have the necessary experience.

The most effective vulnerability assessment is one that uses the systems engineering approach. The systems engineering approach analyses the total security system and all of its subcomponents, such as policies and procedures, training, HR and equipment. The outcome is an assessment of the vulnerabilities of a company and security threats that must be negated. This ensures the strength of the security systems and their ability to perform effectively with marginal increases in cost. The systems engineering vulnerability assessment is a mechanism that balances total system performance and total ownership costs. Policies, procedures, and upgrades are incorporated, followed by reassessments of the new system to determine whether the changes have mitigated or removed the identified problem, or whether a new vulnerability has been created. This approach looks at all solutions, from simple and cost-effective tools to advanced technological systems.

External security: External security measures must be emplaced and employed based on the vulnerability assessment. This will ensure the security measures are effective and prevent unnecessary costs. External security is circular in that it's never-ending. Therefore, it is fundamental to take a total life cycle approach to the planning, development, and implementation. This is followed by reassessments of the new system to determine whether the changes have mitigated or removed the identified problem or whether a new vulnerability has been created.

One major incident of any type could be fatal to the company's bottom line. According to a recent McAfee poll, 33 percent of companies that suffer a major security breach will go out of business. Certain states across the United States are starting to hold liable companies that have failed to implement adequate security measures to protect consumers. A study conducted by Ernst & Young states that companies lose an estimated $46 billion a year due to theft, making fraud prevention and theft countermeasures important components of business security.

Today's economy has impacted almost every industry, so most companies are focused on cost-saving measures and efficiencies in operations. Security efficiency assessments ensure that existing security systems are not only effective, but efficient from an operating cost perspective. The security efficiency assessment allows the business owner to maintain a high level of security and eliminate costly ineffective security measures.

Internal security: Protection from external threats is only one part of business security. A company must also protect itself from internal threats, such as employee theft, frivolous lawsuits, and "hostile" work environments. Failure to protect your business from internal threats can be just as costly and devastating as external threats. Companies across the nation have seen an increase of 400 percent in legal fees due to sexual harassment charges, not to mention the actual monetary awards. Internal threats are affected by the economy as well: "desperate times, desperate measures." Historically, employee theft increases dramatically when the economy is on the downside.

Companies with limited budgets can increase their internal security and reduce vulnerability through employee training, policies, and procedures. Proper training on operational security, proprietary information, safety, EEO, and sexual harassment coupled with effective policies and procedures greatly reduces risk to a company. Changing the way employees are vetted is another economical way to increase security. Criminal background checks, drug screening, and even credit report reviews are becoming standard business practice across the nation.

A key element of internal security is documentation. Having a written policy is fine, but having a written policy that is signed by the employee is golden. A good internal security procedure is to have each employee sign every policy, including the employee handbook. If your company does not have an employee handbook and has employees, get one! Class attendance rosters are imperative as well. If your company conducts sexual harassment training, each employee who attends should sign in. This will help track who has received the training and who has not. Keep this on file; you might need it!

Take the security of your business seriously. It's more valuable than you might think.

For more information, contact Keith Weeks at Azimuth Strategies, 775-954-2020, or keith@azimuthstrategies.com.
