
Security Today

 




Business Security Aspects of the War on Terrorism

This "new" war - same as the old war? - See Opinions

What has this new war added to the problem of business security?

Large businesses have different problems from small businesses, and usually have security professionals on staff who are charged with identifying and dealing with the various problem areas and scenarios. How well those with offices in the WTC have done remains to be seen. Only with time will we be able to talk about the results of this disaster on the various companies affected.

Smaller businesses typically have not done much about catastrophic risks beyond carrying some insurance - usually not enough, and in some cases completely invalidated by "the fine print" in policies not carefully vetted. 

So, what concerns should business owners have regarding this new era of conflict in the world?

There is increased potential for anonymous and massive business disaster - physical damage, employee loss, communications interruption, inventory loss, and customer loss. Even before the WTC there was an increase in computer-system-related problems; not directly related (yet) to terrorists, but with a vast impact nonetheless. These include viruses and, more recently, Internet worms. More on them in another article.

Is the increase in anonymous attacks large enough to worry about? Did you worry (or should you have) about the possibilities of anonymous catastrophic disaster to your business before 0911? 

How do you protect your business against these possibilities? How much should you worry about them? 

How much will protecting your business from them cost you? Will it be worth it to pay these costs, and how can you minimize them?

The real questions should be: 

- What are the risks I need to worry about?
- How much should I worry about each?
- How much would it cost if any particular risk came to pass?
- What can I do to lessen the risks?
- What can I do to lessen the impact of any particular risk coming to pass?

There are others - but these are the main ones we'll deal with here.

Identifying the risks in any particular business is one of the hardest things we do - especially if the business is one we've put together personally. It's easy to become blind to events if they might require radical changes in the way we've done things "forever".

Putting Risks in Perspective

In any risk management analysis, the first thing to recognize is that there are some risks that nothing can be done about - so worrying about them is not profitable. They include things that will completely eliminate either the reason or the ability to do business: the sun going nova, planet killer asteroids, alien invasion, all-out nuclear war, or anything else that kills or eliminates more than a small percentage of your business assets or market area (neighborhood, city, region, country, planet). There is nothing you can do about these, so don't worry about them. In many cases, even insurance won't balance these threats since the insurance companies typically word their policies to exclude them (or won't be around themselves to pay out). 

In the present (post 0911) situation, ignoring the risks you can't do anything about may not be easy to do. Watching the devastation at "ground zero" in New York and listening to the anthrax scares conjures up visions of large-scale devastation coming to your area, and worries about how you would deal with it.

On a personal note, buckling your seat belt, giving up smoking, exercising, and not drinking and driving are more effective methods of increasing your life expectancy than anything you can do about life threatening acts of terrorism in your daily grind.

 

But what are the business equivalents of buckling up, etc?

In the realm of physical security: 

- Ensure that nobody enters or leaves your business premises without being seen and verified.

Purses and wallets are one thing - but I personally know of a company that lost a brand new laptop - still in the box - from the reception area of their Vancouver office.

- Create and keep a paper copy of your inventory, accounts receivable and General Ledger each month - keep them outside the office (it's your suppliers' problem to remind you of your accounts payable). Keep a digital copy too if you use a digital system.

And in the realm of computer systems:

- Keep all your systems up to date with anti-virus software.
- Ensure that all employees know and understand why they shouldn't open an e-mail attachment from anyone unless they are expecting it.
- Guard your LAN against employees dialing directly from their desktops instead of going through the firewall (you do have a firewall, don't you!)
- Keep backups - created frequently and stored off-site.

So... what are the risks I do need to worry about?

Here you need to list the risks you must deal with in doing business on a daily basis:

- theft, including break and enter as well as employee-caused theft
- fire, flood, and other natural and typical damaging events
- theft of company secrets, plans, processes, customer lists, trade secrets, sales information, accounting information, etc.
- injury, sickness or death on company premises or while on company business caused by any act of commission or omission of employees or trades people including casual labor (which may not be covered by your normal insurance for a variety of reasons)

Add to these the new (or newly recognized) risks caused by terrorism:

- complete business loss due to terrorist act
- losing one or more employees with no warning
- losing one or more major customers due to terrorist act
- losing your main and/or subsidiary premises with no warning
- losing access to a critical facility for a period of time (think mail room but applies to all types of facilities)
- losing critical accounting systems and/or management systems or information
- interruption of business due to security scares
- rapid evacuation of premises (bomb scare) leaving valuables exposed to theft

How much should I worry about each?

How much you should worry about each of the above (and other risks) varies inversely with what it would do to your business.

If you own several businesses in many different locations, the loss of one might not be perceived as disastrous. On the other hand, if you are a hands-on person, chances are that a disastrous business loss will involve your death as well, so you might mitigate the possibility of such an event with some business loss insurance but more life insurance for your dependents. 

How much would it cost if any particular risk came to pass?

Here is where you need to do some real soul searching about your business. Don't just think about the cost of the assets, or think that everything will be gone.

Each of the various risks has a range of levels. As an example, let's take the case of loss of some or all of your computer systems at a particular location.

If your employees mostly use their systems stand-alone (i.e. there is no central server with your word processing files and accounting files on it - they instead exist on whoever's system creates them) then you must worry about each system individually. The receptionist's system might have schedules on it as well as some in-process documents - but it is likely that completed documents are printed and a paper copy is stored in the file cabinets. In this case, fireproof file cabinets will be more useful than fancy backup procedures.

On the other hand if you have one or more central servers that you rely upon for a more "paperless" office, off-site backups of the information are valuable - the more frequent the better.

If you lose your accounting system, data and hardware:

- how long will it take to replace the hardware?
- how long will it take to restore the backup?
- how long will it take to re-enter the information since the backup was done?
- how much will it cost if you lose the source documents used between the time the backup was done and the time of the disaster?
- how much will it cost per day in lost sales?
- how much will it cost per day in interest on uncollected accounts receivable and unbilled sales?

What can I do to lessen the risks?

The nice thing about technology today is that it makes the problem of creating a less risky business continuance environment much easier and less costly than in the past.

Today, it is possible to have people working with source documents and entering them into systems which are physically in a separate office - across the city or across the country. Keeping systems in 2 locations, separated by hundreds or thousands of miles, in synchronization either in real time or periodically throughout the day, is within the budget of even the smallest company.

This lessens the impact of losing the documents, a system or a site. Geographic decentralization is practical. So is using an off-site business continuance provider that maintains "warm" or "hot" backup systems.

In the case of very small businesses, it is practical and reasonable to have a system at home which is a mirror (albeit maybe slower and only single user) of the business' main system.

What can I do to lessen the impact of any particular risk coming to pass?

In the case of the above example (loss of the accounting data and system):

- use software that will run on commodity hardware.
- make and keep a backup of the whole system, not just the data, every time any major change is made to the software. Keep at least 2 generations of such backups off-site in secure storage (preferably keep every major generation "forever").
- make and keep data backups at every major accounting period end. Keep them for at least 3 accounting periods (and preferably for at least a fiscal year).
- use at least 3 separate sets of backup media to make data backups daily - and keep the latest one off-site at all times.
- batch daily input documents and store them in a fireproof cabinet whenever they are not actually being entered, until the data is backed up off-site (daily, right!)
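
The backup rules in the list above can be checked mechanically against a catalogue of the backups actually on hand. The following Python is an added example, not part of the original article; the catalogue format, media labels, sample dates and the one-day staleness threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Backup:
    kind: str      # "system", "period_end" or "daily"
    made: date
    media: str     # label of the media set (hypothetical labels)
    offsite: bool

def audit(catalogue, today):
    """Return rule violations; an empty list means the rules are met."""
    def newest_first(kind):
        return sorted((b for b in catalogue if b.kind == kind),
                      key=lambda b: b.made, reverse=True)
    problems = []
    # Rule: at least 2 generations of whole-system backups held off-site.
    if sum(b.offsite for b in newest_first("system")) < 2:
        problems.append("fewer than 2 off-site system generations")
    # Rule: period-end data backups kept for at least 3 accounting periods.
    if len(newest_first("period_end")) < 3:
        problems.append("fewer than 3 period-end backups retained")
    daily = newest_first("daily")
    # Rule: daily backups rotate over at least 3 separate media sets.
    if len({b.media for b in daily}) < 3:
        problems.append("daily backups use fewer than 3 media sets")
    # Rule: the latest daily backup is off-site. Assumption: a newest
    # daily backup more than one day old counts as missing.
    if not daily or (today - daily[0].made).days > 1:
        problems.append("no current daily backup")
    elif not daily[0].offsite:
        problems.append("latest daily backup is not off-site")
    return problems

# Constructed sample catalogue (not from the article).
TODAY = date(2024, 3, 15)
CATALOGUE = [
    Backup("system", date(2023, 11, 4), "SYS-A", True),
    Backup("system", date(2024, 2, 10), "SYS-B", True),
    Backup("period_end", date(2023, 12, 31), "PE-12", True),
    Backup("period_end", date(2024, 1, 31), "PE-01", True),
    Backup("period_end", date(2024, 2, 29), "PE-02", True),
    Backup("daily", date(2024, 3, 12), "DAY-1", True),
    Backup("daily", date(2024, 3, 13), "DAY-2", True),
    Backup("daily", date(2024, 3, 14), "DAY-3", False),  # left in the office
]

if __name__ == "__main__":
    for problem in audit(CATALOGUE, TODAY):
        print("VIOLATION:", problem)
```

With the sample catalogue, the only violation reported is the newest daily backup still sitting on-site, which is the copy a fire or evacuation would take with it.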

As with the war on drugs, it appears that terrorism is not likely to stop in the near future. Only by managing the risks will we be able to deal with the threat and the reality while maintaining our sanity and business leadership.

richard 


 


Copyright © 1993-2007 Richard C. Pitt - all rights reserved
Updated June 17, 2005