Korporacyjna Racja Stanu

Rules for protecting financial data in a small company

By Elżbieta Nowak, Legal Analyst · October 22, 2024 · 5 min read

Most company owners in Wroclaw focus on gaining customers, forgetting that their own numbers are the most valuable loot for the competition. If your margin or supplier list leaks to the wrong people, years of building a position can vanish in 3 days. Numbers don't lie: one employee's error can cost an average of 43,000 PLN in losses per quarter.

Who actually sees your spreadsheets?

In small companies employing 7 to 12 people, document handling is often far too relaxed. Owners keep all the data on material purchase costs and subcontractor rates in one file on a shared drive. This is the mistake that backfires fastest. In September 2024, we analyzed the case of a transport company where a newly hired logistics specialist had full access to four years of margin history. When he left for the competition, he took that data with him, and the company lost 3 key contracts in under 19 days. Security first means that access to financial data must be rigorously restricted.

The rule is simple: apart from the owner, a maximum of 2 people in the company should have access to the margin spreadsheets. There is no reason for a salesperson to see your manufacturing cost or the commission paid to external partners. At Korporacyjna Racja Stanu, we recommend splitting the documentation into segments. The salesperson sees only the sales prices, and operational accounting sees only the cost invoices, with no view of the strategic profit summaries. In practice this means separate files or sheets with separate sharing permissions: a hidden tab or a "protected" sheet inside one shared workbook is not access control, because anyone who can open the file can still read the underlying data. Such a division of roles protects the company's capital from an uncontrolled leak of the knowledge that is the foundation of your market advantage.

If everyone in your company can check how much you earn net, then you really don't have any trade secrets anymore.

Digital hygiene is not just difficult passwords

Many people believe that changing a password once every 6 months solves the security problem. It does not; forced periodic rotation on its own does little, and current guidance (NIST SP 800-63B) recommends changing a password when there is evidence of compromise rather than on a calendar. A far more common threat comes from using private computers for business matters. In one of the Wroclaw construction companies we worked with, the head accountant logged into the banking system from a laptop on which her teenage son had installed free games. The result? A leak of data on 14 pending transfers. We protect your capital by making people aware that company equipment must be separated from private equipment by a thick line. It is not about expensive systems, but about iron discipline in the daily use of work tools.

Introducing two-step verification for company email takes about 4 minutes and blocks 91% of unauthorized access attempts. Every employee should have their own account, with read-only permissions wherever they do not need to edit anything; a shared login means that when something goes wrong, you cannot tell who did it. Remember that the weakest link is always the human. That is why, once a quarter, it is worth spending 15 minutes reviewing who logged into your resources, from where, and when. A login from another city in the night hours is a sign that you must act immediately, before the account is emptied.
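A minimal version of that quarterly review, as an added example that is not the page's own code or a tool of Korporacyjna Racja Stanu: it parses a constructed login export, builds a baseline of each user's usual cities, and flags every login that falls in night hours or comes from a city outside that baseline. The log format, the 22:00 to 06:00 window and the sample data are all assumptions made for the example.

```python
"""Quarterly login review: flag logins that happened at night or from an
unfamiliar location.

Added example, not the page's own code. The log format is an assumption:
one line per login attempt, four fields separated by ' | ':
    <ISO-8601 timestamp> | <user> | <source city> | success|failure
Mail and cloud providers export similar data in their own formats; only
parse_line() needs to change to fit the export you actually have.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample export (not real data): one week of mailbox logins for a
# small company based in Wroclaw.
SAMPLE_LOG = """\
2024-09-02T08:12:05 | anna.k | Wroclaw | success
2024-09-02T08:40:51 | marek.z | Wroclaw | success
2024-09-03T09:02:17 | anna.k | Wroclaw | success
2024-09-03T23:47:30 | anna.k | Wroclaw | success
2024-09-04T02:15:44 | marek.z | Gdansk | success
2024-09-04T02:16:01 | marek.z | Gdansk | failure
2024-09-04T02:16:20 | marek.z | Gdansk | success
2024-09-05T10:30:00 | marek.z | Wroclaw | success
"""

# "Night hours" window (assumed); the company's own working pattern sets this.
NIGHT_START = time(22, 0)
NIGHT_END = time(6, 0)


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    city: str
    ok: bool


def parse_line(line: str) -> Login:
    ts, user, city, result = (f.strip() for f in line.split("|"))
    return Login(datetime.fromisoformat(ts), user, city, result == "success")


def parse_log(text: str) -> list[Login]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_night(when: datetime) -> bool:
    # The window wraps past midnight, so it is the union of two ranges.
    t = when.time()
    return t >= NIGHT_START or t < NIGHT_END


def usual_cities(logins: list[Login], min_days: int = 2) -> dict[str, set[str]]:
    """Baseline per user: cities with successful logins on at least min_days
    distinct days. Counting days rather than events stops a burst of logins
    from one new place from making that place look 'usual'."""
    days: dict[tuple[str, str], set] = {}
    for l in logins:
        if l.ok:
            days.setdefault((l.user, l.city), set()).add(l.when.date())
    base: dict[str, set[str]] = {}
    for (user, city), seen in days.items():
        if len(seen) >= min_days:
            base.setdefault(user, set()).add(city)
    return base


def review(logins: list[Login]) -> list[tuple[Login, list[str]]]:
    """Return every login a human should look at, with the reasons why."""
    base = usual_cities(logins)
    findings = []
    for l in logins:
        reasons = []
        if l.city not in base.get(l.user, set()):
            reasons.append("unfamiliar city")
        if is_night(l.when):
            reasons.append("night hours")
        if reasons:
            findings.append((l, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in review(parse_log(SAMPLE_LOG)):
        status = "ok" if login.ok else "FAILED"
        print(f"{login.when:%Y-%m-%d %H:%M} {login.user:<8} {login.city:<8} "
              f"{status:<6} <- {', '.join(reasons)}")
```

On the sample data the script reports four lines: one late-evening login by anna.k from her usual city, and three night-time attempts (one of them failed) by marek.z from a city he has never logged in from before. The second group is exactly the "login from another city in the night hours" pattern the text describes. Two caveats: the city comes from whatever the provider derives from the source IP, which VPNs and mobile networks can distort, and building the baseline from the same quarter you are reviewing is a shortcut; with more history, compute it from the previous quarter instead.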

Relations with the accounting office under control

An external accounting office is your partner, but also a potential source of risk. Many small companies hand over documents chaotically: as unencrypted email attachments, or as folders left at an unattended reception desk. In March 2024, we recorded a situation where the payroll data of 22 employees ended up, by mistake, with another client of the office. This caused a huge internal conflict and demands for raises that almost led to the collapse of the production plant. Korporacyjna Racja Stanu emphasizes that communication with the accounting office must take place exclusively through dedicated, secured data transfer channels, such as the office's client portal or an encrypted file share, and never through plain email.

The contract with the accounting office must contain specific provisions on financial liability for data leaks. Generic clauses about personal data protection are not enough. You need precise terms and amounts of contractual penalties that will compensate you for potential reputational and market loss. We also recommend checking the physical safeguards in the office itself at least once a year. Are your invoices lying on a desk that every courier walking in from the street can see? These are real problems that are rarely talked about, and they decide your business's stability in difficult times.

Non-Disclosure Agreements (NDA) for employees

Signing a standard NDA template downloaded from the internet gives only a false sense of security. Most of these documents are too general to defend in court in Wroclaw or Warsaw. An effective confidentiality agreement must precisely define what your company's secret is. Is it a list of 47 suppliers from Italy? Or a specific way of calculating man-hours? If you do not name the secret specifically, an employee who leaves for the competition will always say they "didn't know" it was a secret. Numbers don't lie: a well-drafted NDA can stop unfair competition as early as the pre-court demand stage.

At Korporacyjna Racja Stanu, we suggest that these agreements be renewed with every promotion or change in an employee's scope of duties. This is particularly important in sales and purchasing departments. If your salesperson works with margins of 23-31%, they must be aware that revealing those values to the competition carries a specific contractual penalty, for example six months' salary. This is not a lack of trust; it is rational protection of a lifetime's work. People come and go, but the stability of your company must remain untouched regardless of staff turnover.

An NDA agreement without a specific financial penalty entered is just a piece of paper that will stop no one from stealing data.

How to tighten the circulation of physical documents?

In the era of digitization, we often forget about paper, yet it is paper that most often "escapes" from the office. A turnover summary for Q2 2023 left on a printer is a classic example of the negligence found in every other company. Introduce a clean desk and clean printer rule. Every document containing financial data must end up in a shredder of an appropriate security class (minimum P-4 under DIN 66399, i.e. cross-cut). Ordinary strip-cut shredders (classes P-1 and P-2) are a thing of the past: reassembling a strip-cut document takes a determined person about 35 minutes. We protect your assets by paying attention to details that others dismiss as insignificant.

Lockable cabinets for documentation are the absolute baseline. The key should be held by a single designated person responsible for the archive. We recorded a case where a cleaner from an external company photographed financial documents lying in the open in the president's office. She did not do it for the competition, but out of pure curiosity; those photos, however, could have ended up anywhere. Effective data protection requires a clean desk policy. Every document that is not needed at a given moment