How to Conduct a Small Business Security Audit

17 Sep 2016

Sheza Gary

Sheza Gary has been a project strategist since 2009 and also involved in the launching of startups and tech companies in New York for over five years. She has a keen interest in writing her own experiences about business plans and upcoming business supporting technologies.

Is your small business secure? This question addresses multiple sections of your company, including your assets, your IT security and more. Even the best companies miss things every now and then when auditing, which is why you should regularly perform your own security audit. Performing a security audit helps you to learn about your own business and about small business vulnerabilities in general.

Below are eight ways to prepare for a thorough security audit:

Define your audit

You want to make certain your audit is as thorough as possible, and that means sitting down to create a list of everything that needs to be tested. List all of your assets, both tangible and intangible. Tangible assets include all of your computer equipment, your production machinery and anything else physical your business owns. Deciphering your intangible assets can be more difficult. For that reason, you may want to define your security perimeter, which basically divides your assets into the things you’ll audit and the things you will not.

Define your threats

Next, make a list of things that can potentially harm your assets. Secure your computer network, including hackers, viruses and malware. It also includes your employees, if they haven’t been trained and are actively using good network procedures. If one employee uses a weak password, it is all that stands between your assets and harm.

Other threats include physical damage, a lack of backup, protection or lack of protection for sensitive customer information and email spam. Anything that could potentially leave your business unable to function or provide service as usual is a threat.

Learn from the past and consider future threats

You have to look at more than just the current threats. You also need to look at your past audits and security issues to get an idea of what you’ve faced in the past. Using this, you can get an idea of what likely challenges you may face today. You can also use this information to extrapolate some of the challenges you may face in the future.

Make a list of all of the threats your business has faced in the past and how you responded to those threats. While some of these may have been a one-time occurrence, it never hurts to check your current system to make certain you are better prepared for this threat today. Sometimes, these older threats are still an issue, such as a fire in the building, which can occur at any time, so you always need to be prepared.

Create a priority list

While all of your assets are valuable, some are more valuable than others. Once you’ve completed your assets and threats lists, you can prioritize the assets you most want to protect and make certain you address the threats you believe present the largest risk to you. You do want to take into account how likely it is that you’ll face that threat. Secure customer database hacking is a likely threat, but a business being hit by a tornado and losing all of its assets may be fairly minor. Address the most harmful threats that are the most likely to happen.


Also on StartupNation.com: 5 Security Measures Your Business Needs


Create a control list

One of the largest threats to any business comes from within: too many people with access to too much information. Employees shouldn’t be able to access your most sensitive information unless they need it to perform their jobs. By creating an access list, you can help prevent loss of information by limiting how many access points to that information exist.

Control lists can give you an idea of when an account has been hacked and when the user has accidentally tried to access something they should not. Accidents like that do happen, but if access is requested over and over, it’s a good sign that the account has been compromised.

Add intrusion protection

Now that you have this list, it’s time to create an intrusion prevention system that monitors your network and alerts the appropriate personnel if an intruder is detected. Use an intrusion prevention system, such as Snort, that offers you round-the-clock protection from hackers and others who would steal or corrupt your sensitive information. You also want to set up things such as second-generation firewalls and advanced, updated antivirus and anti-malware programs.

Protect your email

Your email system is often one of the easiest avenues into your network. Billions of spam emails are sent every day, many of which attempt to get an employee to click a link or download a program. Once either is done, your network’s security is compromised. You also have to beware of sending sensitive emails out into the world without the proper encryption. Adding email encryption and teaching your employees correct email procedure and protocol is vital to keeping your system safe. Employees need to understand basic security, such as not opening attachments or strange emails.

Block physical intrusions

While most threats to a business today come from hackers and viruses, there’s always the chance that someone can physically attempt to enter your office and steal your valuable information. They may try to walk away with a laptop, download data to a flash drive or take physical files. To protect against these threats, you should install a security system at your office and make use of encryption on your laptops and portable hard drives. Don’t forget to install this type of security software on your tablets and your company smartphones, too.

Once you’ve completed your security audit, you’ll have a much better idea where your business stands as far as security, threats and risks go. The next step, of course, is addressing any vulnerabilities that were found after the audit.

Related Posts

Security Measures
5 Commonly Skipped Security Measures Your Company Can’t Ignore