The perfect 10: resilience for SMEs
In the UK, 5.7 million businesses have fewer than 250 employees. It can be key to their survival for these Small and Medium Enterprises (SMEs) to create coherent and effective security and resilience strategies.
What are the top tips for smaller businesses to be more resilient to threats to their people, property and assets?
-
Understanding potential threats
The starting point should be to understand the key potential threats to your organisation. It’s difficult to put measures in place that limit the exposure to risk unless the likely sources of potential threat are identified. City centre locations, or those close to major public infrastructure such as travel hubs, hospitals or universities, are likely to be at higher risk of attack than others, for example, if only because your business might get caught up in an attack, fire or explosion from a neighbouring building.
Know your neighbours and their potential threats because they could end up being your threats too. If your organisation is involved in, or supplies products or services to organisations involved in, potentially contentious activities, including financial services, oil and gas, meat production, animal testing, arms procurement, tobacco, gambling, then you may be at higher risk than others. Understand where you sit on the threat scale and you can then plan accordingly.
-
Carry out a comprehensive risk and threat assessment
Once you have a general idea of your threats, carry out a comprehensive risk and threat assessment. Undertaking an in-depth analysis of your activities and facilities will help you to identify the most appropriate security solutions.
Do you store a large number of high value items, for example, which would seriously threaten the continuity of your business if they were to be stolen?
Do you have sensitive manufacturing or IT equipment which needs to be kept secure? Are you in a multi-tenanted building?
Work out what’s the worst thing that could happen to your business and plan accordingly.
Also, be aware of what’s happening in the wider world and understand whether any events have safety implications for your organisation. For example, if you’re in the meat production industry and there are attacks on organisations in this sector, you may need to change your strategy and update policies.
-
Put together a security strategy
Once you’ve identified your threats, then put plans in place to mitigate them. You may prefer to use a security consultant to help you, but it’s perfectly possible for a small business to research the various options and create a coherent and effective security strategy. You should consider a mixture of physical security – fences, gates, doors, windows – combined with security personnel – officers and even dogs – and electronic security – cameras, sensors, alarms etc. An integrated approach is the most cost-effective and most powerful.
-
Don’t forget cyber security
Many organisations find themselves under constant barrage from hackers or phishing scams, including online systems being compromised by people purporting to be company directors extracting cash or information from employees. Hackers have even targeted building management systems and used them to access an organisation’s network. Work with your IT colleagues to devise a strategy for dealing with cyber attacks and include it in your physical security strategy. They should be completely integrated to be successful.
-
Be discerning when procuring advice and services
If you seek advice, look for professional credentials such as the Chartered Security Professional designation, and/or membership of the Security Institute, or Association of Security Consultants. Anyone can call themselves a security consultant, so ask for references and follow them up. Likewise, when looking to employ an external security service, only use companies that are designated as approved contractors by the Security Industry Authority (SIA) and make sure that their people are licensed.
-
Allocate the necessary budget
Make sure that there is money allocated to support the strategy. Some of the investment can be categorised as Capex and some as Opex, which may help mid-year expenditure. Ensure that security has a protected place in the budget in future years and always build in contingency – security needs have a way of changing quickly and you don’t want to be arguing about investment in the middle of a disaster.
-
Determine who is responsible
Irrespective of the size of an organisation, someone has to take overall responsibility for security. It might be the MD’s PA, the office manager or the FD, but the person needs to know they’re in charge. This is particularly important in the event of a fire, robbery, explosion or other emergency, as a designated person will need to manage the crisis and make sure that the necessary safety procedures are implemented correctly.
-
Educate internal stakeholders
Everyone thinks that security is someone else’s responsibility, so it’s important to educate everyone in the organisation about their personal role in keeping people and property safe. It could be as simple, but crucial, as making sure windows and doors are locked or setting the alarm. Or people may have more complex roles in the event of an emergency. Depending on your specific risks, you may want to educate people on how to identify and respond to potential dangers. This will also give them confidence in your organisation’s ability to manage threats appropriately.
-
Everyone needs good neighbours
It is surprising how many businesses don’t communicate with their neighbours. Sharing concerns and passing on information can often help prevent unwanted and antisocial activity, as well as help to combat bigger threats, so make sure that those in a particular area are aware of any incidents that might affect them. This includes liaising with the police and being aware of local crime trends.
-
Don’t file your security strategy away
Once you’ve completed your security strategy, secured the budget and introduced the new way of doing things, it can be tempting to congratulate yourself on a job well done and put the security strategy in the filing cabinet. But just as you test a fire alarm on a weekly basis, you should regularly test your security strategy. Consider using a mystery shopper to test out your security procedures and see if they can gain access to your building. Don’t warn staff or your security partner first, so you can get a realistic picture of how good your systems are. Continually review what you do and how you do it and any potential intruders or attackers will move on to softer targets.
Mike Bullock CEO, Corps Security
See also:
Cyber security for Small and Medium Enterprises (SMEs)
A strategic approach to organisational resilience
