Keep your small business safe: 10 tips

Someone out there might be pretending to be you. Or your company.

Identity theft – and the hackers responsible for it – is a serious problem these days. About 10 million people a year are victims of identity theft, according to the Federal Trade Commission. But some criminals can’t leave well enough alone; they try to assume the identity of an entire company.

That’s what happened to Susan Joyce, editor of Job-Hunt.org, a career development Web site in Marlborough, Mass.

“My site is pretty well-known,” she says. “And it’s an employment-related ‘keyword’ term (which is) typed into search engines by people presumably looking for it.”

Without warning, one of her bigger competitors began buying ads with the keyword ‘Job-Hunt.org.’ At first she was flattered, but then, as the competitor began siphoning traffic away from her site, she grew frustrated. When another competitor decided to do the same thing, she was angry. “They were clearly diverting traffic and stealing Job-Hunt’s identity,” she says.

“Identity theft is a very big threat to small businesses,” says Al Marcella, a professor at Webster University’s School of Business and Technology in St. Louis. There are two kinds of identity theft, he says. “The theft of the business’s identity, or attempting to fool or to confuse an unsuspecting consumer into believing that they are dealing with a legitimate business. Or the theft of a consumer’s identity, which is used to purchase goods or services,” he says.

Here are 10 tips on how to keep your small business from becoming a victim of hackers and identity theft:

1. Set up your defenses.
2. Stay abreast of the threat.
3. Encrypt everything.
4. Get help from your employees.
5. Don’t store credit card numbers.
6. Buy a shredder – and use it.
7. Mind your mobile devices.
8. Run your updates.
9. Research your Internet service provider.
10. Know what to do when it happens.

1. Set up your defenses.

Do you have adequate firewalls and antivirus software to protect you from hackers who could steal your customers and company identity? “If you leave your doors open, eventually you will be robbed,” says Martin Rico, chief executive of Inspired eLearning, a San Antonio-based company that develops security awareness training programs for companies. “The same is true for your network. Hackers and identity thieves use automated programs to scan every computer on the Internet looking for easy targets.” A good Internet router will have an on-board firewall. But don’t forget to turn it on, he says.

Likewise, the best security software goes beyond standard protection to improve the performance of your computer. Windows OneCare, for example, protects against viruses, spyware, and hackers. It also backs up all your important files and tunes up your PC by routinely defragmenting your hard drive and compressing temporary files. Plus, it automatically downloads security fixes, the importance of which is discussed later.

Microsoft also provides security updates regularly.

2. Stay abreast of the threat.

A recent phishing scam in Brazil caused Web browsers to land on criminal sites that looked identical to well-known bank sites. The phishers used HTML e-mails encoded with malicious Trojan horse programs. If the security settings on a recipient's computer were too low, just opening the e-mail would make changes to an essential Windows component.

3. Encrypt everything.

Any sensitive data, or information that might help an ID thief or hacker, should be aggressively encrypted, says Lisa Sotto, a head of New York-based Hunton & Williams LLP’s privacy and information management team. “Encrypt all company laptops,” she advises. “And don’t allow the transfer of sensitive company data electronically unless it is encrypted.” Sotto also advises that you upgrade your systems frequently with the latest protective software to make sure your systems are as secure as possible. (For technology newcomers: To encrypt a computer is to assign a secret code that prevents unauthorized parties from accessing your data.)

4. Get help from your employees.

Human error, or lack of attention to detail, is one of the biggest risks to a company’s security, according to Steven Domenikos, chief executive of IdentityTruth, a security firm in Waltham, Mass. “There are some basic techniques that can be embraced by employees, like changing passwords periodically and using general security and software tools to ensure that their home computers are safeguarded against attacks and malicious programs,” he says. Hackers have created programs that are designed to grab information from your computer, without you ever knowing it.

5. Don’t store credit card numbers.

“Never, never, never,” says Richard Stiennon, chief marketing officer for Fortinet, a security software company in Sunnyvale, Calif. “You do not need it, the Payment Card Industry Standard forbids you to store them, and it’s too risky.” Plus, there’s one more reason you should avoid keeping credit card numbers: If you don’t have them, you can’t lose them. And a hacker or identity thief can’t get to them, either.

6. Buy a shredder – and use it.

Documents with confidential information can fall into the wrong hands when they aren’t properly disposed of, says Tim Rhodes, chief executive of WebArgos, a data security firm in Boise, ID. “I know this is basic, but I can’t overstate the importance of using a shredder. In one study we are about to publish, only 50 percent of United States employees are compliant with their company’s shredding policies.” One of the challenges faced by small businesses is home-based employees, who may not have a shredder and put sensitive documents in the trash.

7. Mind your mobile devices.

“A laptop computer is stolen approximately every 53 seconds and only three percent are ever recovered,” says MacDonnell Ulsch, director of technology risk management for Jefferson Wells, a Brookfield, Wis., company that provides internal auditing and technology risk management services. “A business executive on a flight recently placed a Blackberry on her seat while placing her briefcase in the overhead bin. In those few seconds, her Blackberry, which was unencrypted, was stolen.” He recommends reminding employees of the dangers they face when they travel with their mobile devices, and encourages them to report a loss immediately.

8. Run your updates.

Hackers are constantly discovering and exploiting new vulnerabilities in computer operating systems and networks. “Keep your systems patched,” says Bret Padres, director of incident response at Mandiant, an information systems company in Alexandria, Va. “You should have Automatic Updates enabled on your Windows-based computers. As security fixes are released from Microsoft, your computer systems will be automatically updated.”

9. Research your Internet service provider.

Unfortunately, the company providing your business with Internet access can offer easy access to your private information. “Not all ISPs are created equal, especially in terms of their commitment to security,” says Roger Thompson, chief technology officer for Exploit Prevention Labs, a security software developer in New Kingston, Pa. His advice? Before signing up for service, ask if they’ve ever been hacked. “Just see what they say. If, for example, they blame their users for having their passwords guessed, that’s not a good sign,” he says.

10. Know what to do when it happens.

Have a security compliance plan in place, advises Judd Rousseau, chief operating officer of Identity Theft 911, a company that develops identity theft resolution, education and deterrence products in Scottsdale, Ariz. “This is an inexpensive way to make sure you have addressed the areas where you need to make sure to have safeguards in place, as well as have a plan in case a breach does occur,” he says.

Implementing these simple strategies will make it difficult for an identity thief to steal from your company or customers. But Rich Baich, principal at Deloitte & Touche, warns it only takes one careless employee to render all of these precautions meaningless.

Baich tells the story of a small real estate company that fell victim to identity theft. “The thieves assumed the business name and obtained business credit cards, business loans, business bank accounts and a tax identification number,” he remembers. Within a few months, the real company began receiving telephone calls from creditors and collection agencies.

The company filed police reports, hired an attorney and contacted three credit bureaus, trying to contain the damage. In the end, the identity thieves were found and arrested.

So how did they find the information they needed to pull off the crime? Turns out they didn’t even have to hack into the company’s computers to get the data. They found everything they needed in its dumpster.


Christopher Elliott
Christopher Elliott writes about business travel and mobile computing, and publishes a weekly travel newsletter. You can e-mail him or visit his Web site.

