Don’t you think your small business is at risk? Think again. Whether you realize it or not, your business has valuable information and assets that may not be protected at this time. Your company may have confidential customer information, exclusive business knowledge, or simple insider knowledge, and you don’t want to expose this information to criminals or competitors. Losing this information can have a devastating impact on your business. Although commercial insurance is an important part of your protection, it cannot protect customers from identity theft or your business from unethical employees or competitors.
Regardless of its size, your business needs a safety and recovery plan to determine the risks you face, help prevent them, and develop a plan to deal with the most likely types of losses you may encounter. Your plan should also consider the physical and virtual aspects of the business.
First consider the types of risks that your business may be vulnerable to. What if your business information is lost or stolen? Do you have customer files or records, tax receipts, bank statements, business plans, customer work products?
Next, consider the physical aspects of the business that may be vulnerable. Have unique office equipment, inventory, computers or specific business tools?
Finally, let’s see how you do business. Do you trust technology, the Internet, or employees with unique skills? Does your business model rely on repeatable processes unique to your business?
Now, think about what will happen to your business if these parts of your business are lost, destroyed or stolen. If you lose a customer’s file, can you continue? If a customer’s personal information is leaked, can the customer sue you? Will you be the object of negative publicity? Can your competitors benefit from accessing this information? What if you can’t access email for a day? What if that key employee suddenly leaves to change to another job? What if your office space catches fire or floods?
Your security and recovery plan should implement protective measures, policies, and procedures to prevent some of these risks and the possibility of negatively impacting your business. Although most small businesses only have a lock on the front door, physical access to the building is relatively easy to control. Should I consider closing the file drawer? Is inventory controlled? Is it accessible to all employees, even if it is not part of their job? Can a dissatisfied or lay off employee return to the workplace with an extra copy of the key after work?
Your plan should also consider how to protect the virtual part of your business. Do you have backup copies of important files? Do you have a strong password, account number, and other passwords? Is your computer protected by viruses and firewalls? It is the last one? Have you established an email and internet usage policy to protect your employees from harassment allegations?
What about remote employees or employees who take work home? In today’s highly mobile environment, can you now easily access important business information outside of your physical control? Do your employees know how to protect laptops, cell phones, flash drives, and even printed business information after leaving their workspace? What happens if a laptop is stolen from a worker’s car, home, or hotel room? Do you have a data backup on your laptop? What if your employees access your information through the cafeteria WiFi? How do you know if your customers and your business are protected?
Finally, your safety and recovery plan should consider how you will deal with the most likely loss. For example, if the computer that contains all of your sales information fails, you may want to plan to restore that information from backup right away. Where are backup tapes or disks stored? Who can access it, and more importantly, who knows how to restore the backup? If your office floods, how fast can you move? Can some employees temporarily work from home or other remote locations? If customer information is stolen, do you have contact information?
Most small business owners may have already taken the first step, like buying insurance and closing the front door. Unfortunately, few people take the time to truly understand the potential risks to their business.
Take the time now to make at least one informal plan, which will go a long way in the event of an actual disaster or other loss. Even the best plan obviously cannot withstand all disasters, but once a disaster strikes, it can certainly reduce the impact on your business.
Aubrey Jones is the President and Founder of Riverbank Consulting, Inc. Since 1996, he has been committed to protecting the online banking clients of one of America’s leading financial institutions, including as a risk manager.