“The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved.” So said Confucius. Corporate security has become an ongoing problem for small business owners around the country, and many have difficulty determining what kind of precautions to take to prevent security problems. To have quality security over their business, a small business owner must look at all the different sectors, including physical security, data security, business transaction security and, finally, computer security. The security of a small business depends on how well the owner takes all the different possibilities into consideration and how the owner wants to monitor the procedures their business entails. Corporate security is an important matter that all small business owners are going to have to face, and the sooner they confront the issues, the better the company will be at eliminating problems in the long run.
Physical security is significant to any company that wants to prevent intruders from entering its premises without permission. Physical security can include safety measures such as door locks, alarms, security guards, cameras, fences and smoke detectors. Another type of physical security is separating duties among employees and not letting one major task be completed by just one person. Physical security is usually one of the first tasks small business owners accomplish in protecting their businesses; without it, a business would be accessible to anyone within reach.
Data is another sector of a small business that needs to be confined, and owners must apply the appropriate measures to keep private documentation and information from being revealed to outsiders. Data security can include passwords, fingerprints, access cards and cryptography. Cryptography is used to protect data by transforming it into a form that seems useless unless you have the cryptographic key to make sense of the data. Data security is used to prevent outsiders from viewing any information that a small business might not want known, and it helps shield against any hacking that may involve its monetary accounts.
Business transaction security has become another large challenge for small business owners in today’s market, and monetary transactions are one of the most important divisions to protect against outsiders. Business transaction security includes bank vaults, one-time passwords, secure monetary transaction systems and trustworthy employees. Small business owners must have a secure system designed to account for all monetary transactions going in and out of the business. Bank safes must be accessible only to key employees, and a valid security system must control admission into the vault.
Computer security puts constraints on a business computer and denies availability of information to those who are not inside the company. Computer security can include firewalls, back-ups of information on hard disks, encryption, anti-virus programs and detailed passwords. Hackers are increasing their knowledge of computer security every day, and they are inventing new ways of hacking into small businesses’ computers. If small business owners use these precautions and observe all computer usage closely, they can avoid future theft from their systems.
Small businesses today use the Internet and computing networks as important business necessities more than ever before. While connectivity is necessary for success in one’s business, being connected also means that the company is more exposed to outside threats. Larger companies have the resources to have security experts to protect their systems, but small business owners must make their own decisions on how to secure their important information.
With security issues such as viruses, hackers, and worms becoming a huge threat to the vital information of a company, one would assume preventative measures would be at the top of the to-do list for small businesses. After all, these are serious threats with serious consequences, but many small businesses have not taken the steps to safeguard their information. The problem is that small business owners are simply unaware of what steps they should take or even where to start.
Many small business owners believe that they do not need to worry about computer and online security: why would someone target them when there are much bigger companies that can be hit? Hackers and thieves, however, know that small businesses are often more vulnerable to attacks because of limited security measures, making them an easier target. One of the favorite ways thieves attack small businesses is sending mass worm outbreaks in an effort to harvest credit card or other account information. Another important thing for the small business owner to realize is that not all attacks come from the outside. Many times an employee will purposely, and sometimes even unintentionally, compromise vital information.
If a company’s computer systems were attacked and down for a week, it may lose a lot of business. Even worse, it could lose all the vital data stored on the computers. The thief could sell the list of its customers along with sales figures to its biggest competitor. Attackers have different motives, whether profit, mischievousness, or Internet glory; to the small business, it is all the same. Regardless of how or why one’s business is attacked, fixing a compromised situation takes a lot of money, time, stress, and effort.
Here are some of the techniques used and simple definitions of each:
- Spam, or unsolicited commercial email messages, wastes bandwidth and time. The sheer volume of it can be overwhelming, and it can be a vehicle for viruses. Much of it is of an explicit sexual nature, which in some cases can create an uncomfortable work environment and, potentially, legal liabilities if companies do not take steps to stop it.
- Phishing is increasingly becoming a tactic of choice for hackers and organized crime. Typically, an attacker sends an email message that looks very much like it comes from an official source (such as eBay or Microsoft). Links in the message take you to a website that also looks like the real thing. However, the site is just a front and the goal of the scam is to trick you into giving away personal information. The personal information received may be used for spam lists and for perpetrators to steal your account information or even your identity. The victims of these scams are not only the users who may divulge personal and confidential information, but also the spoofed business’ brand and reputation.
- Viruses are programs designed to replicate themselves and potentially cause harmful actions. They are often hidden inside innocuous programs. Viruses in email messages often masquerade as games or pictures and use beguiling subjects (for example, “My girlfriend nude”) to encourage users to open and run them. Viruses try to replicate themselves by infecting other programs on your computer.
- Worms are like viruses in that they try to replicate themselves, but they are often able to do so by sending out email messages themselves rather than simply infecting programs on a single computer.
- Spyware refers to small, hidden programs that run on your computer and are used for everything from tracking your online activities to allowing intruders to monitor and access your computer. You might be the target of spyware or other unwanted software if you download music from file-sharing programs, free games from sites you don’t trust, or other software from an unknown source.
- Tampering consists of altering the contents of packets as they travel over the Internet or altering data on computer disks after a network has been penetrated. For example, an attacker might place a tap on a network line to intercept packets as they leave your establishment. The attacker could eavesdrop or alter the information as it leaves your network.
- Information disclosure consists of the exposure of information to individuals who normally would not have access to it. For example, a user on your network might make certain files accessible over the network that should not be shared. Employees also tend to share important information, such as passwords, with people who should not have them.
- DoS attacks are computerized assaults launched by an attacker in an attempt to overload or halt a network service, such as a Web server or a file server. For example, an attack may cause a server to become so busy attempting to respond that it ignores legitimate requests for connections.
Identity theft is considered “America’s fastest growing crime problem” by the FBI, and it affects more than ten million Americans each year. Many of the victims are small businesses, as they send many important documents electronically and through the mail. An identity thief can operate by looking through mailboxes, sifting through trash, stealing wallets/purses, breaching computer networks, or many other ways. It is important for small businesses to take measures to protect against identity theft. It can be devastating if not handled quickly and appropriately. The average loss from Internet identity theft is $3,000. Besides possibly losing thousands of dollars, an identity theft victim will on average spend over two hundred hours to reclaim their identity (“Avoid…”). If you are a victim of identity theft, it is important to respond quickly. Credit card companies will regard you as less liable the earlier you report the theft. You can ask credit-reporting agencies to flag your report with a fraud alert so that no one is issued new credit under your name. You should also contact the police and file a report with them (McWhinney, Jim. “Identity Theft: What to Do…”).
Some companies engage in competitive intelligence, which is the practice of “gathering, analyzing, and applying information about products, domain constituents, customers, and competitors for the short term and long term planning needs of an organization”. This practice keeps the company up to date on competing companies and the industry as a whole (“Competitive…”). There is a clear difference between this and industrial espionage. Reputable competitive intelligence professionals abide by laws and a code of ethics. One can legally and ethically gather information by examining public records or attending trade shows. Industrial espionage involves activities such as bugging, bribery, and blackmail. It is a bigger threat to businesses that are highly dependent on information (“Industrial…”).
Dumpster diving, or information diving, is the practice of recovering data that has been discarded. In earlier times it was possible to find sensitive documents on paper. However, once businesses became aware of this, it became common to shred anything important that was thrown away. Recently, most sensitive information comes from data left on computers’ hard drives. This can be memos, IDs, passwords, or anything else (“Information…”). Files are not completely removed from a hard drive until the drive needs to make room for other files. So even if a file is deleted and the Recycle Bin is cleared, it is still possible to recover the file unless a program (or a powerful magnet) is used to completely wipe the hard drive. Besides getting rid of sensitive information on trashed computers, one should also take care when selling or donating them.
There is a growing concern in the business world about data breaches. 10% of IT budgets will be spent on security this year, an increase from 8% last year. IT security professionals are enjoying greater influence (Brodkin). Unfortunately, over 80% of data breaches are caused by insiders. Almost 30% of companies fall victim to at least five insider attacks per year. Being an insider makes the attack that much easier. The purpose of these attacks is to obtain research data, marketing statistics, HR records, and anything else that could be used or sold. There is software that allows administrators to limit the access of users, which is a big help in preventing insider attacks (“Corporate…”).
Firewalls protect not only the individual computer but also the entire business network, by preventing malicious software from installing itself or using the individual computer to spread the malware to others in the network. Often malware spreads through company intranets because of careless employee behavior. This can cause severe damage to the mainframes of the business. Firewalls help to prevent this.
Physical security is very important, especially for small businesses. This category can be divided into passive and active protection. Passive measures such as CCTV or locks are usually very cost efficient. Installing a camera system that supervises the POS (Point-of-Sale) terminals is very effective in reminding customers as well as employees that somebody is watching over the business. Most passive methods are preventive. Every business owner knows their business and should think about how to secure its assets. Business interruption can be extremely costly, if not fatal, for the business, so every attempt to make the business run as smoothly as possible should have a high priority.
Anti-virus software is a must for every PC. Whether it is a business computer or a private machine, it is absolutely essential that it is running up-to-date anti-virus software that protects the machine against circulating viruses. As a rule of thumb, years can pass between the time a virus is recognized and the time it actually vanishes, since there are enough machines out there that run unprotected.
Anti-phishing filters should be used on browsers and email programs. In addition to the software, employees must be trained in identifying phishing mails, or at least be able to screen for these mails or programs. Lists of them are available online, and they should be posted somewhere in the company so that employees are exposed to them on a frequent basis.
Corporate security events are an essential part of creating awareness among employees. In larger businesses, the owner or manager should consider hiring a third party to train staff about corporate security. Online-based training can also be very effective, since it combines education and testing. These events (when paired with testing) provide the employee with a great incentive to take ownership of their workplace. Also, employees should be educated about maintaining an online profile and the possible consequences of having one.
Online resources should be consulted on a regular basis. A business owner’s time is very expensive, and so are losses. The owner should be aware of any industry-specific threats and special security circumstances. A certain due diligence in information gathering and intelligence is necessary to make the business safe. Many online resources (often for a fee) are available to get this intelligence in one place.
Anti-social-engineering measures should be taken by a business. Social engineering, which focuses on manipulating people to take advantage of them through bribery, blackmail, or extortion, has become more and more popular in recent years. Through technology it has become increasingly possible to gather information about a target that is free and publicly available. Companies must ensure that they protect their information and that suspicious activity of any kind is reported immediately to the respective authorities.
Despite what many might believe, with the increase of security cameras and alarms, theft has not dramatically decreased. As technology advances, so do crooks, who constantly try to stay one step ahead. It is particularly difficult for small businesses to protect themselves in the same way as larger firms, usually because of the expense of a great security system setup.
Since small businesses make up 99.7% of all businesses, theft in this sector can be larger than most people would assume. On average, 80% of business crimes are committed against small businesses. Sometimes the businesses hurt themselves by not fully understanding rules and regulations. The U.S. Patent and Trademark Office indicates that only 15% of small businesses that operate overseas realize that U.S. patents will not be enforced there. Once the information or material leaves U.S. soil, there is a high risk of it being counterfeited. The damage of piracy usually costs Americans 250 billion dollars and a loss of over 750,000 jobs annually.
Not all theft takes place overseas. Many U.S. small businesses deal with theft on a day-to-day basis. Last year an astounding 290,625 shoplifters were recorded. This number does not take into account the thieves that got away or the ones that were simply let off the hook. Thieves were also able to crack into small businesses’ data, stealing merchandise that accumulated up to 3.58 billion dollars.
The number one way small businesses are being robbed is not by customers but by their own employees. According to the Association of Certified Fraud Examiners, a study found that businesses with fewer than 100 employees suffered the biggest fraud damages. The median amount lost for a small business was around $190,000, while it was $179,000 for businesses with more than 1,000 employees. The study concluded that the more people you employ, the lower the threat of internal theft taking place. Overseas in the UK, a study indicated that 34% of small businesses have suffered from employee fraud.
So who is the criminal that does the most devastating fraud damage to small business? Believe it or not, 70% of the time it is a white, male college graduate. However, a lady in Florida was sentenced to 17 months in prison because she had stolen over $500,000. The fraud took place over a period of four years at a small business owned by a wife and husband.
It is also very important to consider where you place your business. Even though some claim that operating in a high crime area gives you advantages over your competitors, it can also lead to your downfall. In extremely high crime areas, 30% of people will steal from you and 60% will if given an excellent opportunity. The state of Texas is currently ranked 45th in small business crimes committed. In 2006, Forbes named College Station 30th best small town to open a business for security.
It is critical that all small businesses try to prevent crimes as much as possible. Security systems can cost thousands of dollars, but they usually pay for themselves over time. All small businesses should do a detailed background check on employees before they hire them and research their business location. It is also important to closely monitor the information you are allowing on the web and who is able to gain access to sensitive items. When the economy is in a downward spiral, as it has been recently, people begin to feel poorer and the chances for theft will significantly increase.
“Avoid Identity Theft: A Technology Warning.” Sbtv.com. 2008. Small Business Television Network. 1 Oct 2008 <http://www.sbtv.com/default.asp?segid=1794>.
Bates, Timothy. “Crime’s Impact on the Survival Prospects.” 6 Mar. 2007. 14 Oct. 2008 <http://edq.sagepub.com.ezproxy.tamu.edu:2048/cgi/reprint/22/3/228>.
Boies, Schiller. “White collar/business crime.” 14 Oct. 08 <http://www.bsfllp.com>.
Brodkin, Jon. “IT Up Data Security Investment.” Network World 25.35 (2008): 47.
“Competitive Intelligence.” Wikipedia.org. 2008. Wikimedia Foundation, Inc. 1 Oct 2008 <http://en.wikipedia.org/wiki/Competitive_intelligence>.
“Corporate Security: Risks of the Insiders Attack.” Devicelock.com. 2008. DeviceLock, Inc. 2 Oct 2008 <http://www.devicelock.com/corporate_security.html>.
“Industrial Espionage.” Wikipedia.org. 2008. Wikimedia Foundation, Inc. 1 Oct 2008 <http://en.wikipedia.org/wiki/Industrial_espionage>.
“Information Diving.” Wikipedia.org. 2008. Wikimedia Foundation, Inc. 1 Oct 2008 <http://en.wikipedia.org/wiki/Information_diving>.
“Managing the Business Risk of Fraud.” Internal Auditors. 7 Oct. 08 <http://www.acfe.com/documents/managing-business-risk.pdf>.
McWhinney, Jim. “Identity Theft: What to Do if It Happens.” Investopedia.com. 2008. Investopedia ULC. 1 Oct 2008 <http://www.investopedia.com/articles/pf/05/060105.asp>.
Nicoles, Megan. “Education, business, crime are top issues.” Business News. 12 Aug. 08. 15 Oct. 08 <http://proquest.umi.com.ezproxy.tamu.edu:2048/pqdweb?did=1520304101&sid=1&fmt=2&clientid=2945&rqt=309&vname=pqd>.