Protecting Your Business Against Fraud and Theft

Posted by: cworrall on Friday, December 21st, 2007

I found an interest blog (well, actually he found me) that reminded me how important security is to small business. It’s called the Con Man’s Blog and he posted a specific blog for small businesses: Con Man Focus–Finding Small Business Easier Marks which discusses why small business are targeted for crime. Although many of the posts are aimed at individuals, it is a site worth taking a look at if you are worried about identity theft or being conned.

When I first co-founded a business many years ago, we did not spend much time thinking about security. We were too busy trying to get everything else done. This changed when we raised money from venture capitalists who insisted that our security be increased to protect their investment.

One of the VCs gave me a book called Security Transformation: Digital Defense Strategies to Protect your Company’s Reputation and Market Share. It was published in 2001, so it’s a little dated, but it does provide some understanding of where your company may be vulnerable to digital attack.

A more recent book, Scams & Swindles: Phishing, Spoofing, ID Theft, Nigerian Advance Schemes Investment Frauds: How to Recognize And Avoid Rip-Offs In The Internet Age, gives a more updated view of digital scams, but is not particularly focused on business, particularly high-tech, high-growth business which has its own set of security issues.

In general, a few tips for reducing threats:

Check out your employees before you hire them, check references and do a background check. Like most preventative measures, it is less expensive than dealing with the consequences, but it does take time.
Limit access that employees have to data and to your server. If your server room is locked, but the person in charge of the backups keeps the key in his desk in his cubicle - your server is not secure! If your HR person has access to all the digital employee files, but keeps his or her password taped to the side of the computer, that data is not secure.
Require that your employees use strong passwords and changed them regularly. This will cause much grousing, but it’s your business and their jobs, so they will have to live with it.
Backup your data regularly. You should back up your data daily. Every week you should have a week end backup that is taken off site and stored. Annually backup your data and keep it in a safe deposit box or with your attorney.
Have virus protection software and digital intrusion detection software installed and reviewed regularly. If you outsource your IT, the company providing these services should be able to provide this for you.
Lock your doors, even during business hours. This is why Home Depot sells those wireless door bells. They are cheap. I am always amazed when I can walk into a business with no receptionist and wander the halls freely.
Get security cameras. This is both security for your business and for your employees.
Assign one of your senior management as security officer. This person is in charge of understanding possible threats and determining the best prevention. He or she should also receive training in what to do in case of an intrusion, digital or otherwise.

Another area of security is internal fraud, specifically employees stealing from you. As the security officer of one previous company, I was required to take a class on internal fraud. The characteristics of the offender tended to be (1) male, (2) in his 20s, (3) college educated, and (4) had never committed a crime before. Not to say that a 50 year old female, high school drop-out criminal will not commit the crime, but statistically those were the characteristics that came up most often.

Usually what happens is the perpetrator is in a bind, can’t make a car payment, rent, doctor’s bill, and he starts with just “borrowing” money or items to pawn from the company. He has full intentions of “paying it back.” But the reason he got stuck in the first place still exists, so he have to steal more to cover up the first crime, and on and on it goes.

To prevent this type of fraud, have strong accounting policies and procedures. Have revenue checks come to a PO Box. Have a different person sign the checks than the one who creates them. Allow only one person to do the ordering for the company and keep an inventory of what each employee has. For instance, memory sticks disappear really easily. Yes, an occasional one gets lost, but some one who loses them constantly may have a problem.

Ask your accountant for assistance is creating these policies and procedures and have your books audited or reviewed at least annually. A useful book that deals with the topic is Policies and Procedures to Prevent Fraud and Embezzlement: Guidance, Internal Controls, and Investigation.

Although it is possible to go overboard on security, I know very few companies that actually do and most don’t even come close to basic security. Make sure your company is not one that gets caught saying “but she seemed so trustworthy, I can’t believe that she stole from us.”

Topics: Accounting, Corporate, General