A Security Plan is designed to reduce the risk of various security incidents such as:
- Computer system or network hacking
- Information theft
- Employee fraud (e.g. invoicing fraud, staff receiving kick-backs, embezzlement)
- Contractor theft/fraud
- Theft (via internal or external perpetrators)
- Reputational damage due to employee actions
- Staff receiving kick-backs
- Malicious damage (via internal or external perpetrators)
- Intellectual Property theft
- Criminal activity in the workplace
- Corporate espionage
- Sabotage of plant or equipment
The impact of such security incidents is not always financial. It may also be reputational, operational, or result in costly litigation.
Any business at risk of the incidents described above could benefit from implementing a security plan. Security measures should be commensurate with risk, so conducting a risk assessment and understanding the business or organisation's risk appetite will assist with tailoring appropriate security measures.
Holistic Security is security covering all facets of a business using a pragmatic and balanced approach. This includes measures in consideration of information security, personnel security, IT Security, physical security, governance and trusted insider threats. As an example, your security risks are not being effectively managed and you are not achieving holistic security if:
- You have a high-end security system in place, however your personnel security is poor, you haven’t completed adequate background checks, and you have criminals operating the system;
- You install expensive, state-of-the-art security doors, however security culture is poor and staff regularly leave them unlocked;
- You have fantastic IT security measures in place however your staff do not follow IT security policy and their passwords are written on post-it notes left around the office; or
- You have strong security policies in place however staff are not trained in these policies and enforcement is non-existent.
To sum it up, holistic security covers all aspects of business security, ensuring there are no gaps, and it is the most effective way to protect a business.
A security plan details security risks and lists preventive and corrective controls (security measures) which a business has or aims to implement to reduce risk and provide protection from security incidents such as theft, fraud, sabotage, hacking, or other malicious or criminal activity.
Security measures are more than simply guards, fences, gates, and CCTV cameras. A detailed security plan takes a holistic approach to security and details not only physical security measures but also considers IT security, personnel security, information security, and governance.
Many businesses focus on external security threats and forget that internal threats posed by trusted insiders such as employees or contractors may in fact be a far greater threat. A good security plan also includes measures to guard against trusted insider threats.
A security plan should be informed by a security risk assessment, which ensures that risks specific to the business or organisation are appropriately addressed. Identifying the information and assets that require protection is crucial to the process. A security risk assessment documents security risks, the likelihood and consequence of these risks occurring, and delivers a risk rating. Current measures are examined, and a security plan can then be developed in consideration of the business or organisation's risk appetite and threat profile. Security measures should be commensurate with risk and appropriate for the individual business.
The security risk assessment process ensures that key assets and information requiring protection are identified. Without understanding the risk, it is difficult to determine what protection is required. The risk assessment process also establishes the business risk appetite, examines threats, and assesses likelihood and consequence of risks occurring. The risk assessment then assists with the development of a tailored security plan and may shape decision making in terms of finance and business priorities.
A strong security culture is imperative to reducing security risks within a business or organisation. A business with a strong security culture will have staff who understand security policy and procedures, understand threats to the business, and willingly support compliance with security policies and procedures. Suspicious behaviour, or behaviour not aligned with the business Code of Conduct, will not be tolerated, and incidents will be reported and investigated without delay. Senior management will lead with a top-down approach, and the risk of internal fraud or malicious activity will be low. If an incident does occur, it is more likely to be identified and reported without delay. Conversely, in a business with poor security culture, compliance with security-related policies and procedures (if they exist) will be poor, the risk of incidents occurring will be higher, and if an incident does occur it will more likely go undetected or, worse still, be detected yet unreported.
Employees all play a role in protecting the business; therefore employee trustworthiness, training and awareness are key elements in building a strong security culture. An employee report or whistleblowing hotline is often the way in which a security incident such as theft or internal fraud is identified.
A “trusted insider” is a current or former employee or contractor who has legitimate access to information, technology, assets, premises or intellectual property owned by a business or organisation.
The insider threat is simply the threat posed by the trusted insider. This may include incidents of unauthorised access; use or disclosure of confidential information; theft; sabotage; fraud; or other malicious activity which results in potential or actual harm to a business.
Trusted insiders can pose a threat intentionally, unintentionally (such as inadvertently releasing valuable confidential information), or under duress (for example blackmail). Business risk assessments should consider all forms of trusted insider activity when assessing risks.
Generally speaking, trusted insiders are motivated by five key factors: coercion, revenge, ideology, money, and ego.
A trusted insider threat mitigation strategy details specific measures designed to reduce risk and protect a business against trusted insider threats. Given that employees and contractors know and understand a business best, they often also understand where the business's vulnerabilities lie and have access to information and assets otherwise protected from the general public. Fraudulent activity can often be covered up, and unless specific measures are in place to guard against insider threats, malicious activity can be difficult to detect.
Conducting a risk assessment, having a security plan in place, and having a clear and robust trusted insider threat mitigation strategy will significantly reduce the risk associated with malicious insider activity. See our case studies for examples of malicious activity and controls which may be implemented to protect a business.
Penetration testing is an exercise designed to test whether the security measures implemented to mitigate a specific risk are effective. Attempts are made to exploit vulnerabilities, perceived vulnerabilities, or identify potential flaws in the security plan.
Security training and awareness is essential to supporting a strong security culture. Key outcomes of a training and awareness strategy should be to ensure that employees understand security policies and procedures, understand threats to the business, understand the consequences of non-compliance, and know how to recognise and report incidents or suspicious activity. Businesses with a strong security culture and good training and awareness in place will have employees who want to comply with security practices, and are therefore able to mitigate security risks much more effectively.
The Business Protection membership has been designed for businesses that are keen to take ownership of their security risks and want to protect their business. The online Business Protection Kit can be used by businesses in any jurisdiction or country.
The Business Protection membership is not suitable for:
- businesses looking to address acts of terrorism;
- businesses that carry high security risks; or
- businesses that have been subject to a specific threat.
In these cases, contact us for tailored security advice.
The tools have been developed and saved in the following formats: Microsoft Word, Excel, PDF, PNG and JPEG. The awareness videos are accessed via YouTube. Only very basic programs are required.
If you don't believe that your membership offers you tools and solutions to protect your business in any way, we offer a full 30-day money back guarantee.
The Business Protection membership grants you access to a membership forum where you can post questions online. If you still require further assistance with implementation, add-on security consulting services are available. See our Security Consulting page for further information or contact us to discuss your requirements.
Yes, the templates are all in an editable form so you can use your own branding and align with your own business style guide. You can also cut and paste policies into an employee handbook or make whatever changes suit your individual business requirements.
Yes, all of the tools, including documents, templates, registers, and the security awareness videos, are available for immediate download once you enrol in a membership.
Unfortunately not at this stage. Our membership has been specifically designed to offer a holistic approach to security. Many of the documents and tools have been put together as extra free bonuses to assist with implementation of your Security Plan. Businesses may not use all of the tools provided. Feel free to contact us directly about what you need and we'll see what we can offer.