You get an alarm system for your small business, you've purchased the right amount of insurance, and surveillance cameras have been installed. You figure you've covered all the bases in terms of security, right?
Not so fast. Technology, while improving the efficiency and ease of business transactions, has also opened doors to new security risks. Smart Answers columnist Karen E. Klein talked recently with two tech security experts about the steps and measures entrepreneurs should be taking to protect what they have built up. Bob Brennan, CEO of Connected, discussed information-protection and Jacint Tumacder, QuickBooks products specialist for Intuit, talked about combating employee fraud. What follows are edited excerpts of that conversation:
Q: What is "information protection" and why should small business owners worry about it?
Brennan: Information is the currency of today's companies -- small and large. It's the DNA without which the company cannot function. It's a core asset -- just like cash, or buildings, or equipment -- and it needs to be protected as such.
In a small business, protecting information like customer lists, proposals, presentations, price lists, sales records, accounts receivable files, and financial data is especially important because the information rests in so few places that a point of failure anywhere can have a dramatic impact on the company's productivity.
Q: When company records were stored on paper in file drawers, fire and disaster insurance protected them. But now that those records are computerized, aren't they safer? What kind of protection do they need?
Brennan: Losing computerized information is extremely common, unfortunately. Even if the company stores its core data on an Internet server, most of the daily work -- up to 60% -- is done by salespeople or accounts-receivable clerks on laptops, home computers, and local workstations that are not being backed up as they should.
Hard-disk crashes, viruses, accidental deletions, PCs being lost, stolen, or destroyed -- any of those circumstances can mean losing valuable, sometimes irreplaceable, data. There are still 499 million unprotected PCs in the world, according to a study done by IDC [a technology intelligence research firm].
Q: Why do so many companies ignore the need for information protection? Are they unaware of the problem, or do they see the fix as too costly?
Brennan: Many companies don't realize how disastrous -- and how costly -- the loss of information can be until a computer hard drive crashes and they have to basically shut down for three days in order to recover. Some business owners believe that employees are backing up their data on hard drives and .zip files, but it usually turns out that the employees don't see that kind of assignment as "their job" and they're not doing it -- at least not as often as they should be.
And if a company does have a dedicated IT person -- and most small businesses don't -- he or she is typically so overwhelmed they don't think about checking backup until disaster strikes.
Q: So, how do small companies protect their computerized files -- and how much does it cost?
Brennan: Backup technology is available from most of the larger business software companies, including Veritas. Connected introduced small-business service a few months ago for companies that have between 5 and 200 PCs. It costs $70 -- $150 per PC annually, depending on whether you want everything backed up, or just certain business-data systems.
The program is completely outsourced and easy to install, and it provides remote backup and disaster-recovery technology. The most important thing is that it's automatic, so you don't have to rely on people who forget to back up their critical data for weeks, because you know that that is when the PC will decide to crash.
Q: Well, it's bad enough when employees can't be relied upon to do IT backup, but it's even worse when they steal. How are small businesses at risk from employee fraud?
Tumacder: The greatest risk is for cash-based businesses and companies that have one person responsible for balancing their books and handling accounts receivable. The Association of Certified Fraud Examiners estimates that occupational fraud and abuse costs U.S. companies and organizations more than $400 billion annually. And companies with fewer than 100 employees are the most vulnerable to fraud, losing on average $9 per employee per day, or an estimated 6% of total annual revenue.
Q: What kinds of prevention technologies are out there?
Tumacder: One way to insure that employee fraud won't go undetected is by investing in accounting technology that allows owners to put passwords and control mechanisms in place. With QuickBooks, and even with your Windows NT software, you can set up different users and passwords to protect your company data.
Look for accounting software with good user-and-permission structure that allows you to restrict access to payroll, allow only certain employees to print checks -- and disable the "delete" function so that those up to no good cannot cover their tracks. The problem is that a lot of smaller businesses don't take these precautions.
Q: Why not?
Tumacder: Well, a lot of owners are still computer- and Internet-phobic, so they do their accounting with pencil and paper and very little security. Many times, an entrepreneur starts a business alone and sets up the computer system just for herself, then doesn't take the time to institute security policies when she starts hiring employees.
What more companies are finding out is that they can save money now being lost to fraud by using technology like audit trails, that track accounting entries and changes, and instituting online billing, so that invoices are e-mailed to customers who then click on the link and pay the bill electronically. Anything a company can do to prevent cash and checks from going awry, the better. By Karen E. Klein