Massive global companies have recently found themselves the prominent victims of hackers.
Sony’s PlayStation Network was taken offline for about a month after an attack that compromised its 77 million users’ personal information. In April, the email marketer that handles customer communications for companies including Kroger, Capital One and JP Morgan Chase was hacked.
With companies of such size and resources victimized, what can small businesses do to protect themselves?
First, you must understand the problem. Hacking comes in many forms, such as viruses, malware, password attacks, spoofing, phishing and distributed denial of service attacks, commonly called DDoS.
The two most common attacks are viruses and DDoS. Viruses copy themselves from computer to computer, including onto your customers’ machines, while a DDoS attack prevents your customers from reaching you: the attackers bombard your site’s servers with traffic until they are overwhelmed and stop responding.
The most concerning outcome is data theft, as it’s costly to resolve and damages the trust between you and your customers.
Sarah Granger, founder of the Center for Technology, Media and Society and a network security expert, said many companies think they’re saving money by not investing in network security. But it’s just the reverse, as it costs more to be reactive than proactive.
According to a recent study by the Ponemon Institute, data breaches cost U.S. companies an average of $204 per compromised customer record in 2009, and breaches caused by malicious attacks were more costly to resolve than those caused by negligence.
As a business owner, your goal should be to prepare. Granger strongly urges companies to create disaster recovery plans so that if their data or sites are compromised, they already know what to do.
Businesses should store their data securely and make sure not to save anything from customers that they don’t really need. Businesses need to make sure they have the most updated security software, well-configured firewalls and updated operating systems, as well as backups and redundant backup systems. This also includes patches to web platforms such as WordPress.
If you are the victim of an attack and data has been compromised, these backups will help you restore access after collecting whatever information you can about the break-in. Granger suggests companies follow up with the police and likely the FBI to attempt to catch the perpetrators. Usually that won’t happen, but filing a report, at the least, is important.
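A backup only helps with recovery if it can actually be restored, so it should be verified before it is needed. The script below is an added illustration, not part of the original column or Granger’s advice: it archives a directory, stores a SHA-256 checksum beside the archive, and then proves the archive restores with identical contents. The directory paths and the sample “orders.csv” file are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the column). Back up a directory, record a checksum,
# and test-restore the archive before trusting it. All paths are hypothetical.
set -eu

# backup_dir SRC DEST_DIR -> prints the path of the archive it created.
# DEST_DIR must not live inside SRC, or tar would try to archive its own output.
backup_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # Keep the checksum next to the archive so corruption or tampering is detectable.
    sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE ORIGINAL_DIR -> returns 0 only if the checksum matches
# AND the archive restores into a scratch directory with the same file contents.
verify_backup() {
    archive="$1"; original="$2"
    expected=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    # diff -r exits non-zero if any file differs or is missing on either side.
    if diff -r "$original" "$scratch/$(basename "$original")" >/dev/null; then
        rc=0
    else
        echo "restored contents differ from $original" >&2
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# demo: build a small constructed data set, back it up, and verify the backup.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site"
    printf 'order_id,customer\n1,constructed sample\n' > "$work/site/orders.csv"
    archive=$(backup_dir "$work/site" "$work/backups")
    if verify_backup "$archive" "$work/site"; then
        echo "backup verified: $archive"
    else
        echo "backup FAILED verification: $archive" >&2
    fi
    rm -rf "$work"
}

demo
```

Run it on a schedule and treat a failed verification as an incident in itself: a backup that cannot be restored is exactly what you do not want to discover after a break-in.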
Businesses will also need to notify people in their database of the breach. About 45 states, including Indiana, North Carolina, Ohio and Tennessee, have data breach notification laws requiring companies to notify affected individuals that their personally identifiable information has been obtained by outside hackers. Kentucky does not have such a law, but it is a good practice to notify your customers regardless.
This all may be overwhelming to a business owner, and that’s why you should seek professional assistance. For small organizations, Granger suggests an intermediate consultant is typically enough. There are firms that provide this help on an outsourced basis, and it’s affordable. For larger organizations, she says, it’s important to have a very sharp information technology staff that also understands security. Usually any good IT person will have a background that includes security.
While no one is hacker-proof, including large companies like Sony, you can guard yourself with sound computer practices.
This column was originally published in the Center for Technology, Media and Society on Monday, May 30, 2010.