We, as Maryland Attorneys and investigators, are frequently asked by Maryland Small Businesses to conduct security audits. The most frequent questions from small business owners are: “what can I do?” and “what kind of difference will it make?” Here are our top ten theft and fraud prevention tips for your Maryland Small Business and how they will help:
1) Secure your business premises with locks and alarms.
Alarm systems are effective deterrents to criminals thinking of breaking into your business, including those intent on identity theft – especially alarm systems that are monitored by a security company. Make sure external doors have deadbolts and that exposed windows are secured with security film, bars, screens or shatter-proof glass.
2) Put your business records under lock and key.
Store your physical business records, such as customer records and other data on paper, in locking filing cabinets – and lock the filing cabinets at night, or at those times during the day that you and your staff will not be “supervising” access (such as lunch time). Put copies of system and database backups and important business data in your safe (or in your safe deposit box at the bank if you don’t have an on-site safe).
3) Shred, shred, shred.
Business records of any kind should never just be tossed into the trash or recycling bin where they can become a bonanza for criminals (and employees) intent on fraud and theft; instead, all business records that you no longer have a use for should be shredded. Businesses that operate out of small and home offices can buy inexpensive shredders at any office supply store; for businesses with volumes of material to be disposed of, there are shredding services that will come and do what needs to be done.
Pay special attention to the mail, a favorite source for identity theft. Anything that has your name and address on it should be shredded, and that includes most bills.
4) Be cautious on the phone.
It’s easy for someone to pretend to be someone they’re not on the phone. Whether it’s someone who wants personal information on a particular customer, or someone who claims they need to verify one of your personal accounts, don’t give out information over the phone unless you can positively confirm the caller’s identity.
“Information thieves and stalkers tell authorities over and over how easily they were able to obtain all sorts of valuable information simply by calling small business owners or personnel departments and asking. Posing as government agencies or credit grantors or health insurance providers, these thieves have found that a well-crafted, believable story can often get past the best locking file cabinets or password-protected computers,” warns the Better Business Bureau.
5) Limit access to your computers.
Your computer network needs to be password protected, of course, so that anyone who wanders through your office can’t just access your network. But you also need to consider issues of internal network access. Does every employee need to be able to access programs or databases that may contain sensitive information? Password protect these, too, and grant access on a “need-to-know” basis to help cut down on small business fraud and theft.
6) Protect your computer from hackers.
Hacking into company systems and databases appears to have become a favorite fraud or theft technique – perhaps because in so many cases, it’s so easy. Your computer network needs to be protected by firewalls, which help keep out intruders by shutting out unauthorized people and letting others go only to the areas they have privileges to use. You can purchase firewalls at any computer store (or online). Another option for small or home businesses is to purchase and install a small (four to eight port) router. These often have firewall protection capability.
If you’re running Windows operating systems, it’s also important that you keep your operating system updated, installing the various patches as they come out. Often these patches are fixes for security holes.
7) Be aware the Internet is a dangerous place.
Ordering something online using a credit card is not dangerous, as long as you are placing your order through a secure site. However, there are other dangers, such as spyware and viruses that attempt to download automatically when you or your employees visit certain websites. Make sure that the “Internet Options” in the browser of each computer in your office are set to higher settings than the default.
And if your company has a website, be careful as to what kind of information you post on your site and how. If you are going to place sensitive information online (something you should be very cautious about), such as financial data or customer databases, it needs to be password protected and encrypted.
8) Avoid broadcasting information.
The other day I made a purchase at a computer store. The associate asked me for my phone number and popped up all my personal information on a terminal in front of him – right in plain view of five other customers! I was tempted to ask him if he wanted to read it all off out loud to make it even easier for them all to remember it.
This sort of cavalier sharing of personal information, which makes identity theft so easy, has to stop. Train your employees to be sensitive to customer information issues, making sure they keep customer information private when they’re dealing with individual customers. Turning computer screens so that they can’t be viewed by anyone except the operator is a simple thing. So are practices such as not repeating customer information out loud or not leaving files with customer information lying open on counters.
9) Create and enforce a company-wide security policy.
The purpose of your security policy is to educate your employees about issues such as identity theft, fraud, and data protection. It should include information on email policies (such as what email filters are in place and how to deal with suspicious email), computer network access, Internet use policies (such as how to increase browser security settings and safe practices, such as disconnecting from the ‘Net when they’re done using it), customer information protection strategies, and how to report incidents or violations. In other words, a manual of the issues involved with security and threats such as identity theft and what to do about them.
10) Disconnect ex-employees immediately.
When employees no longer work for your business, you need to be sure that their access to your computer network and company data is cut off immediately. See Employee Termination from an IT Perspective.
Ongoing Vigilance is Necessary for Theft Prevention
Following the steps in this article will give your business an excellent foundation for theft and fraud prevention. The last thing you have to do to make your small business a hard target for thieves is perhaps the hardest – being continually vigilant and staying abreast of the latest scams thieves are using to steal information. Remember, if you are the victim of a theft or fraud, contact your Maryland Attorney for comprehensive help.