[BreachExchange] Managing Security of Your Business

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 30 13:37:38 EDT 2016


http://www.smallbizdaily.com/managing-security-business/

As criminals become ever more sophisticated, security of your business
premises is now about so much more than just making sure you lock the door
when you leave. This article looks at sensible precautions companies of all
sizes can take.

Physical Security

As well as locks on the front door, locks can also be fitted to individual
rooms, windows, cupboards, desk drawers and filing cabinets. Areas where
valuable items or confidential information are stored should obviously be
the priority when deciding where to fit locks.

At the main entrance, a keypad entry system is more secure than a
conventional lock, not least because a code can be changed without
re-cutting keys. However, make sure you don’t use a really common entry
code, such as the same digit repeated four times, 1234, 4321 or 1066, and
change the code periodically: worn or dirty keys soon give away which
digits are in use.

Roller shutter doors are more secure for the front entrance than a normal
door lock.

A modern, sophisticated burglar alarm system is an essential part of any
company premises.

If the company has the resources to employ security guards out of hours, or
to install CCTV, this adds both a deterrent and a record of who came and
went. Make sure recordings are kept long enough to still be available when a
break-in or theft is eventually discovered.

If your company rents its premises, you may not be in a position to decide
what security measures are put in place. But the standard of the security
arrangements should be a key consideration when you are considering moving
to new premises.

Computer Security

Information technology security breaches can be very costly, and not just
in monetary terms: the loss of important data and the damage to the
company’s reputation can be just as serious.

Measures your company can take in this area include:

- Install a firewall and anti-virus software on your computers, and keep
both switched on and up to date. Your IT consultant can advise what further
precautions need to be taken
- Consider upgrading your operating system if your current version no
longer receives security updates
- Protect your computers by installing the latest patches and security
updates promptly, for applications and web browsers as well as the
operating system; turn on automatic updates wherever possible
- Only allow staff access to the information they need to do their job
- Take regular back-ups of the information on your computer system and keep
them in a separate place so that if you lose your computers, you don’t lose
the information. Test a restore from time to time: a back-up that has never
been restored is only a hope
- Don’t dispose of old computers until all the personal information on them
has been securely removed, either by overwriting the drive with wiping
software or by physically destroying the hard disk. Deleting files or
reformatting is not enough; such data is easily recovered
- Consider installing anti-spyware. This protects against software that can
be secretly installed on your computers. Spyware can monitor use, look for
private information or even give someone else control of your computer
- Use ‘strong’ passwords. Length matters most: seven characters is the bare
minimum and longer is better, combined with upper and lower case letters,
numbers and special characters like the asterisk or currency symbols. Never
reuse a password between systems, and avoid a word followed by a year
(‘Summer2016!’), which is among the first guesses an attacker makes
- Install spam filtering software
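
The keypad-code advice above (no repeated digits, 1234, 4321 or 1066) and the strong-password bullet both describe rules that can be checked mechanically before a code or password is accepted. The following is an added example, not code from the article: a small checker for both. The denylist, the 12-character minimum, the 20-character passphrase allowance and the "word followed by digits" pattern are this example's own assumptions, chosen to be stricter than the article's seven characters.

```python
"""Checks for the weak keypad codes and passwords the article warns against.
Added example, not code from the article; the denylist and thresholds are assumptions."""
import re

# Constructed denylist: the codes the article names plus a few other common choices.
COMMON_KEYPAD_CODES = {"1234", "4321", "1066", "0000", "1111", "1212", "2580", "1984"}
MIN_PASSWORD_LEN = 12   # assumption: the article's "at least seven" is treated as a floor only
PASSPHRASE_LEN = 20     # assumption: a passphrase this long need not mix character classes


def is_sequence(digits: str) -> bool:
    """True for runs with a constant step of 1 or 2 in either direction (1234, 4321, 2468)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and abs(next(iter(steps))) in (1, 2)


def is_repeating(digits: str) -> bool:
    """True when the code is one short block repeated (0000, 1212, 123123)."""
    n = len(digits)
    return any(digits == digits[:p] * (n // p) for p in range(1, n // 2 + 1) if n % p == 0)


def keypad_code_problems(code: str) -> list[str]:
    """Return reasons a keypad entry code is guessable; an empty list means no finding."""
    if not code.isdigit():
        return ["code must consist of digits only"]
    problems = []
    if code in COMMON_KEYPAD_CODES:
        problems.append("on the common-code denylist")
    if is_repeating(code):
        problems.append("repeating pattern")
    if is_sequence(code):
        problems.append("ascending/descending sequence")
    if len(code) == 4 and 1000 <= int(code) <= 2099:
        problems.append("looks like a year")
    return problems


def password_problems(password: str) -> list[str]:
    """Return reasons a password is weak under the policy sketched above."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) < PASSPHRASE_LEN and classes < 3:
        problems.append("fewer than three character classes")
    # "Word + year + symbol" satisfies naive complexity rules but is among the first guesses made.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]?", password):
        problems.append("dictionary word followed by digits")
    if password.isdigit() and keypad_code_problems(password):
        problems.append("numeric password with keypad-code weaknesses")
    return problems


if __name__ == "__main__":
    for code in ("1234", "1066", "0000", "7391"):
        print(code, keypad_code_problems(code) or "ok")
    for pw in ("Summer2016!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(pw), password_problems(pw) or "ok")
```

Note that a long passphrase of plain words passes while a short, symbol-laden "Summer2016!" does not: length and unpredictability are what make a password hard to guess, not the presence of a currency symbol.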

Malicious Communications

Ensure your staff are trained not to trust emails or other communications
asking for information such as PINs and passwords. These often purport to
come from banks, but a bank or other legitimate organisation would never ask
a customer to provide this information. Even if a telephone caller invites
you to call back, or calls from a recognisable number, this is no guarantee
of authenticity: on some telephone lines a scammer can stay on the line
after you hang up, and caller ID can be faked with readily available
software. If you are at all suspicious, end the call, wait five minutes,
make sure you hear a dial tone, and then ring the organisation on a number
taken from a statement or its official website, never on one the caller
gave you.

If the communication is made via email, it may contain a link directing you
to a carefully designed copy of the bank’s website, where you may be asked
to enter your account details, PIN, password or other information. No
legitimate organisation will ask for this information in this way. Hover
over a link to see where it really leads before clicking, and when in doubt
type the bank’s address into the browser yourself rather than following the
link.

Staff must also be aware that under no circumstances should they open spam
emails, let alone the attachments or links inside them. Suspicious messages
should be reported to whoever looks after your IT, not forwarded around the
office.
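
The "carefully designed copy of the bank's website" is usually reached through a link whose visible text says one thing while its destination says another, or through a domain that merely resembles the bank's. The following is an added example, not code from the article, showing how a mail filter can inspect links for exactly these tricks. The sample message, the domain examplebank.com, its lookalikes and the 203.0.113.7 address are all constructed for the illustration.

```python
"""Inspect links in an HTML email for the deceptions phishing messages rely on.
Added example, not code from the article; the sample message and trusted domains are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the real domains of the organisation being imitated

# Constructed message: an honest link, a link whose visible text lies about its destination,
# a bare-IP link, and a lookalike domain with one letter changed.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.examplebank.com/help">visit our help page</a>.</p>
<p>Confirm your PIN at <a href="http://examplebank.com.verify-login.net/pin">https://www.examplebank.com/secure</a></p>
<p>Or use <a href="http://203.0.113.7/login">this quick link</a>.</p>
<p>Update your details: <a href="https://examplebamk.com/update">examplebank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if none."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Last two labels. Crude: use a public-suffix list in production to handle .co.uk and friends."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(href: str, text: str) -> list[str]:
    """Reasons a link looks deceptive; an empty list means nothing suspicious was seen."""
    findings = []
    host = host_of(href)
    domain = registered_domain(host)
    if is_ip_literal(host):
        findings.append("destination is a bare IP address")
    # Visible text that itself looks like a URL must point where it says it does.
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        shown = host_of(text)
        if registered_domain(shown) != domain:
            findings.append(f"shown as {shown} but goes to {host}")
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:
                findings.append(f"trusted name {trusted} embedded in untrusted domain {domain}")
            elif edit_distance(domain, trusted) <= 2:
                findings.append(f"{domain} is a lookalike of trusted domain {trusted}")
    return findings


def scan_email(html: str) -> dict[str, list[str]]:
    """Map each suspicious href in the message to its findings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: f for href, text in collector.links if (f := link_findings(href, text))}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

The honest help-page link produces no findings; the other three are each caught by a different rule. The same checks are what a user performs by hand when hovering over a link, which is why the training advice above still matters even where filtering is in place.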

Vetting of Staff

Some of the biggest security threats can come from inside the company – can
you be sure your staff are trustworthy? Some simple measures you can take
include:

- Ask for proof of identity from new employees (e.g. via a passport or
driving licence)
- Ask them to confirm their eligibility to work in the UK (e.g. via a UK/EU
passport or an appropriate work permit)
- Check their references, ideally by calling the person who supplied them
on a number you look up yourself rather than one printed on the reference
- If they will hold a sales position, a senior management role or a role
dealing with finances, check their financial situation via a credit check

Keep an eye open for any suspicious transactions – many an employee has
diverted company funds into their own account in the past, and many more
will do so in the future. Where staffing allows, separate the duties of
raising, approving and paying invoices so that no single person can do all
three unchecked.

When staff leave the company, ensure that their access to all IT systems is
disabled immediately, at the moment they are told rather than the following
week, and that they return everything they have been given, including
access cards and any company laptops or phones. Ensuring they return the
keys is especially important. It is also a good time to change the code on
any keypad entry system, since a departed employee may well remember it or
have shared it.
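
"Disabled immediately" only happens reliably when someone checks that it did. The following is an added example, not code from the article, of the reconciliation a small company can run against its HR list and the account exports from each system: every enabled account whose owner has left, or that matches no current employee at all, is reported for disabling. The roster, the account list and the names in them are constructed for the illustration.

```python
"""Reconcile active accounts against the HR roster so leavers and orphaned accounts get disabled.
Added example, not code from the article; both data sets are constructed."""
import csv
import io
from datetime import date

# Constructed HR export: who works here, and the leave date for anyone who has gone.
HR_ROSTER_CSV = """\
employee_id,name,status,leave_date
E100,Alice Example,active,
E101,Bob Example,leaver,2016-09-28
E102,Carol Example,active,
"""

# Constructed account exports from each system, concatenated. 'crm' has already disabled bob.
ACCOUNTS_CSV = """\
system,username,employee_id,enabled
email,alice,E100,true
email,bob,E101,true
vpn,bob,E101,true
crm,bob,E101,false
fileserver,dave,E199,true
vpn,carol,E102,true
"""


def load_rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def accounts_to_disable(roster_csv: str, accounts_csv: str, today_iso: str) -> list[tuple[str, str, str]]:
    """Return (system, username, reason) for every enabled account that should not be enabled.

    Two cases: the owner has a leave date on or before today, or no HR record matches
    the account at all (an orphan: a forgotten contractor, a shared login, a typo).
    """
    today = date.fromisoformat(today_iso)
    roster = {row["employee_id"]: row for row in load_rows(roster_csv)}
    actions = []
    for acct in load_rows(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        person = roster.get(acct["employee_id"])
        if person is None:
            actions.append((acct["system"], acct["username"], "no matching HR record (orphaned account)"))
        elif person["status"] == "leaver" and date.fromisoformat(person["leave_date"]) <= today:
            actions.append((acct["system"], acct["username"], f"left on {person['leave_date']}"))
    return actions


if __name__ == "__main__":
    for system, user, reason in accounts_to_disable(HR_ROSTER_CSV, ACCOUNTS_CSV, "2016-09-30"):
        print(f"disable {user}@{system}: {reason}")
```

Run against the constructed data on 30 September 2016, it reports bob's email and VPN accounts (two days after he left) and dave's file-server account, which belongs to nobody on the roster. Keeping the employee ID on every account is what makes the join possible; usernames alone drift.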

Paper Waste

Confidential paper waste should be shredded – not placed in the regular
waste.

Business Continuity

All companies should have a documented Business Continuity Procedure. These
are traditionally thought to relate to how companies will respond to events
such as fire, flood or loss of utilities, but the procedure should also
cover how the company will respond to security breaches.

The procedure should specify the name of a Business Continuity Officer who
will take charge of implementing the recovery effort in case of an
incident, together with a deputy should the nominated person be absent at
the time.

The four key elements to a company’s response to an incident are:

- Containment and recovery – measures for damage limitation
- Assessing the risks – assessment of any risks associated with the incident
- Notification – the company first needs to consider who it should contact
who might be able to assist with the recovery effort. For a security breach
this might include IT service providers, the landlord or the bank. The
company should then consider whether it is necessary to inform the
Information Commissioner’s Office (ICO) and/or appropriate regulatory
bodies and/or the police. (The ICO is the UK’s data protection watchdog,
and it recommends that it should be notified when data loss has occurred
which has a significant potential for harm to be caused to individuals,
when the amount of data lost is significant or when the data lost is of a
particularly sensitive nature.)
- Evaluation and response – it is important that your company investigates
the causes of the incident and also evaluates the effectiveness of your
response. If necessary, you should then update your policies and procedures
accordingly.

A copy of the procedure must be held off-site, say at the home address of
your senior managers, with up-to-date contact details for staff, suppliers
and the bank. It is no good if the only copy is held on your internal
computer drive, which you then can’t access because of the incident!