A guide to security audits for small businesses

Navigating the treacherous terrain of the COVID-19 pandemic will no doubt be a struggle for many small businesses.

With physical security risks increasing during the recent lockdown, businesses are now faced with the additional burden of protecting sensitive online data against breaches as employees are advised to work from home. Security audits can identify flaws in your systems and ensure that your data, as well as your physical premises, is protected against threats.

With cybercrime causing losses of over £17.4 billion and physical break-ins adding further losses of £8.8 billion, how can businesses guarantee security and guard against threats? They need security audits.

Back to security basics

Before businesses can begin protecting themselves against the risks which threaten their confidential data and cause costly damage, they need to understand what they are.

The first step is to conduct a risk assessment – breaking down every possible threat to the business, from physical security hazards in the office to online threats. Then, the focus can turn to developing targeted solutions.

This can be made simpler by splitting the assessment into specific assets. These may include software, sensitive company data, plus physical equipment like computers and furniture.

With SMEs, the onus of security is often on the individual employee – as opposed to having access to a dedicated health and safety team. It only takes an individual to cut corners or ignore their responsibilities for the business to suffer a costly breach.

Let employees know you understand they’re busy with their daily responsibilities but it’s important for the business that the whole team play their part.

In some cases, offering small rewards like employee recognition emails or vouchers for those who consistently go above and beyond provides a boost in incentive to take extra care.

Protecting the workplace

With the average small business break-in resulting in around £2,000 in lost property, it pays to take precautions to secure the workplace.

Make sure any potential break-in spots are monitored by security technology like alarms or cameras. Installing these systems somewhere visible deters potential intruders from trying their luck.

All exterior doors should be alarmed – including the office door in a shared building, even if the main building door is also alarmed. Consider fitting window alarms, too, if the office is on a low floor.

For added deterrence, look at installing a keypad entry system or swipe entry with lanyards and identity cards, to prevent unwanted visitors.

An office security audit should also include identifying all trip hazards and falling object risks, plus electrical and flooding hazards. It’s also recommended to keep valuable equipment and documents stored in lockable containers overnight.

This year, the coronavirus pandemic brings its own additional risks to employee health and safety.

Those looking to welcome employees back to the office must remain compliant with new hygiene and social distancing guidelines. For businesses with over five employees, the government has put together a specialised risk assessment to ensure a COVID-19 compliant workplace.

The main measures involve spacing out employees, making sure handwash stations are accessible and staggering shifts to avoid contact. Businesses can also look at implementing one-way systems, screens, and adhering to mask-wearing and social-distancing regulations, to shield against any community spread.

The online threat

The cost of cyberattacks to UK businesses is estimated to be around £34 million a year – in the theft of intellectual property and the cost of recovering from attacks.

With employees around the world now encouraged to work from home, and the burden of responsibility to stay safe placed on them, the risks are sure to increase.

For businesses, the solution should be a mix of technical measures and educating employees on cybersecurity best practices.

This may include rolling out multi-factor authentication technology across the network. Instead of logging on with just a single password, employees are prompted for extra credentials to identify them – typically a one-off code sent to their phone. So, even if a password is stolen, the attacker is still unable to access the company network.

It’s also important to make sure you have the basics covered. With unprotected personal devices being an entry point for criminals, make sure they have up-to-date anti-virus and firewall software installed, to safeguard against threats.

A virtual private network (VPN) is also a cheap and effective way of securing your network.

Attackers able to breach just one employee’s system are often able to move through the entire network, so it’s crucial for everyone to play their part in keeping the company compliant.

Look ahead

Security isn’t a one-time investment – it needs to be updated constantly to adapt to new threats, which is why “security audits” is plural. Businesses should undergo a security audit at least twice a year to remain compliant.

All information gathered from the risk assessment should be recorded to be used as a framework for ongoing annual security audits. Log each hazard, along with the status of the risk and measures taken to prevent it.

The goal is to create a clear and structured audit process, which is intuitive to follow if personnel changes occur, or in an emergency. It is recommended to include a priority checklist with the most significant risks, along with key dates for renewals or updates of key equipment.

Keep the file updated year-round with any information which may impact business or employee security. Any structural or interior changes to the office should be recorded, along with new equipment and any significant IT updates. Include key contacts and manufacturer information in the notes, to speed the process up in an emergency.

By Izzy Schulman, director at Keys 4 U