Top 10 Things Businesses Can Do To Mitigate Risk
1.) Ensure your organization has conducted a secure site assessment within the past 18 months or less to ensure physical assets are adequately protected.
Businesses invest millions of dollars to purchase and maintain physical assets. It is critical to ensure this investment is protected and secure. A secure site assessment not only protects your physical assets but also safeguards employees from the threat of a security breach. A thorough site assessment determines if there are adequate controls protecting access to your company. Access control evaluations include determining if the entrance is restricted to authorized individuals through mechanical means such as locks or keys, or by a human gatekeeper such as a guard or receptionist. Are all other possible entrances to the business secure? Are employees trained not to hold the door open for strangers who can walk in without authorization? Other items that should be analyzed and assessed to determine if physical property is protected include video surveillance systems, fire protection systems, and a survey of workstations and laptops to determine if they are locked down and secure.
An unauthorized person who breaches security can damage physical property, steal, or worse, threaten employees with bodily injury or even death. In this day and age, secure site assessments are a critical way to mitigate risk for your business.
2.) Conduct an assessment of your current IT systems to ensure that there are no breaches and no unauthorized users with access.
This item goes hand in hand with a secure site assessment. In addition to the protection of physical property, it is critical to evaluate and protect information technology systems. Examples of vulnerabilities that can lead to computer technology breaches include improper training of employees. When a VA employee improperly took work records home, where they were later stolen, he put at risk the records of 26.5 million discharged veterans, including their names, Social Security numbers and dates of birth. Other areas to be checked include improper storage or transmission of sensitive information, password security, computer viruses, improperly configured or risky software, insecure disposal of hard drives, and missing patches or updates. Failure to make sure computer operating systems are properly updated can expose the business to a security breach. When a major university failed to do this, a hacker took advantage of a known vulnerability on an unpatched server, potentially putting nearly 40,000 student records containing personal identity information at risk.
Information technology assessments include a thorough evaluation of technology and infrastructure to ensure systems are secure and protected.
3.) Conduct an annual breach test. This will keep your staff and team in check!
With items one and two in mind, it is a good idea to conduct an annual “breach test” that attempts to breach your own systems. For example, have a person come to your place of business and see if they can gain access without first being cleared as an “authorized” individual. Also, check your information technology systems to make sure unauthorized users cannot gain access and that the operating systems are updated and secure.
An annual “breach test” not only confirms your security systems are in place, but also acts as a way to notify you when procedures have become obsolete and need to be updated to keep up with changes in technology.
4.) Establish checks and balances for financial systems.
Another way to mitigate potential risk is to always be aware of where the company stands financially. This includes checks and balances for accounts receivable, accounts payable, bank reconciliations, and balance sheets. It is important to have a clear delineation of responsibilities and payment authority, as well as more than one person responsible for reviewing these vital company records. In addition, conduct a semi-annual financial audit to look for red flags and to pinpoint and correct anomalies before they can cause devastating financial results.
5.) Thoroughly check your employee “gatekeepers” for adverse issues that may arise during the course of their employment.
“Gatekeepers” are employees in key positions who have authority and responsibility over sensitive information such as financial records. A red flag that could indicate a problem is if this person insists that they are the only person in the organization who can access certain information or conduct certain business, such as making deposits, writing checks or transferring money. For this reason, they may even object to taking a vacation or break, but it is necessary that they be required to do so in order to adequately audit and assess all records and mitigate risk. Common fraud schemes include stealing cash, skimming, fraudulent disbursements and dishonest inventory taking. Take a look at the recent press: several people in key positions of trust and responsibility have committed serious acts of theft and deception. One example is the former bookkeeper who skimmed more than half a million dollars between 2006 and 2010 from the Town of Kinderhook and the Town of Greensport in New York State. She did this by linking the Town of Kinderhook’s general fund account to her personal American Express account and siphoning funds. In Greensport, she used electronically scanned signatures of the town supervisor to forge stolen Greensport town checks. She pled guilty to three counts of grand larceny and computer trespass and was sentenced to three to nine years in prison.
6.) Evaluate your firm’s pre-employment background investigation process to ensure the latest processes are in place for all new hires.
On one hand, employers must comply with Equal Employment Opportunity Commission guidelines that protect certain groups from being excluded from employment opportunities in certain circumstances, even if criminal activity has been determined. On the other hand, businesses must be vigilant in their hiring practices because of negligent hiring considerations. Negligent hire is a legal doctrine that describes the failure to use due care when hiring an employee, given the risk posed by the position being offered. If, through a company’s negligence, an employee harms another person, then the company is held liable. In addition, the Fair Credit Reporting Act requires “reasonable procedures to assure maximum possible accuracy of the information.”
Businesses that don’t follow proper procedures could find themselves paying hefty legal fines. For example, in 2012, Pepsi Bottling Group agreed to pay $3.13 million and provide job offers and training to resolve a charge of race discrimination in an EEOC violation case. Don’t be a statistic! Make sure the latest processes are in place for all new hires!
7.) Obtain a list of all outside vendors that come on site and ensure each employee/representative undergoes and passes a thorough background investigation before allowing them on site.
You routinely conduct pre-employment background checks on your employees but have you thought of the potential risk that outside vendors can pose to your business? The backgrounds of vendors could contain potential liabilities like criminal records. It is important to conduct fully compliant vendor screening and credentials verification for all visitors and providers that work at your location including temporary workers, professional consultants and independent contractors. This can identify liabilities before your company is exposed to unwanted risks.
8.) Perform infinity screening on all employees regularly to ensure no issues have arisen throughout the course of employment.
We’ve all heard stories of people in positions of authority and trust being found guilty of fraudulent activity. Recent examples include a pastor who became a prisoner for credit union thefts and the Chairman of the Australian Securities and Investments Commission facing charges of financial irregularities. Most companies know the importance of pre-employment background screenings, but what happens after a person is hired? Can you be certain your employees are reputable, law-abiding citizens? Apparently, the above organizations felt that way, until they learned otherwise. How can you protect your company and the employees who work for you? Infinity screening, or continuous screening, is a post-hire background investigation that re-investigates employees at various intervals throughout their time with the company. This service allows organizations to gather up-to-date information concerning their employees and assists them in decisions regarding promotions, transfers and the like. Infinity screening also gives an organization legal recourse if an employee attempts to defraud or manipulate the company.
9.) Educate your team on awareness of issues arising out of workplace complacency and violence.
Workplace violence has become a major threat to businesses and their employees. Complacency develops because most companies believe that workplace violence can’t happen to them, until it actually does. It is better to be aware of warning signs, have processes in place to prevent violence before it happens, and provide outlets for employees to vent frustrations before a tragedy takes place. A zero-tolerance stance on harassing behavior can be implemented through a policy of investigating every report. This sends a message that violence will not be tolerated and can prevent a situation from getting worse. Employees can be trained to identify signs of stress and frustration in other employees that could lead to an out-of-control situation. In addition, an outlet where employees can vent their problems, either directly or anonymously, can go a long way toward defusing a situation before it spirals out of control. It is vital to ensure all team members are trained in best practices and are aware of red flags concerning workplace issues.
10.) Handle separations from employment such as terminations and layoffs with care and caution.
It is important to handle separations from employment with care by consulting with your legal, investigative and outplacement professionals to ensure the least possible impact is felt by the employee. If employees feel they have been treated fairly, they will reciprocate and, in most cases, be professional in separating from employment.
In summary, companies that take the precaution of following these top ten steps should be well protected from the risk of security breaches, workplace violence, improper hiring litigation and fraudulent activity within their organization. Proper due-diligence-based risk mitigation procedures save companies millions of dollars and can potentially save lives!