Fighting Off Hackers: 5 Things You Need To Know

01/06/2011 06:18 pm ET | Updated Aug 02, 2011

Almost every day, it seems, we wake up to more international gossip disclosed by WikiLeaks and founder Julian Assange. And attempts to choke off support for the leaks have brought out the hackers. In December, for example, both MasterCard and Visa saw their websites knocked offline by denial-of-service attacks from WikiLeaks "hacktivists" after the companies blocked donations to the controversial site. Fortunately, customers' credit information was not compromised.

But other companies are far from immune to website hacking. McDonald's, Walgreens and Gawker Media have had their own problems with hackers recently.

If you're running a smaller business or personal website, you may feel a little safer, a little more under the radar, from hackers. Still, every business is susceptible to some extent, and while hard data on how much businesses lose to hackers each year is scarce, some estimates run into the trillions. The threat only gets bigger.

So what should you do if your website is hacked? Here are five things you need to know.

1. Stop what you're doing.
Being hacked is a little like coming home, or into the office, and finding the place burglarized. And just as in that scenario, when you discover that your website is under attack, the intruder may still be inside. Taking the site offline cuts off that access; just don't wipe or rebuild it yet, because the files, database and logs as they stand right now are the evidence you will need later. "If you recognize your website has been hacked, the first thing to do is have your hosting provider suspend your site immediately so the hacker or attacker can't continue to leverage your website to distribute malicious software or steal sensitive data," says Sean Bruton, director of security at NeoSpire, a Web hosting company headquartered in Dallas.

2. Determine the scope of the damage.
After the initial shock wears off -- but hopefully before emotions, like rage, settle in -- you need to take stock of what the hacker has done. You can't plan your next step until you understand what the hacker was after. Were they just trying to make you look bad by defacing the website, or did they manage to steal credit- and debit-card information? Or something else?

"Hackers are not necessarily looking for e-commerce sites only," says Carmine Morra, director of interactive media for The Donaldson Group. Instead, they may be "looking for easy access to gain e-mail lists." In other words, the hackers may simply have wanted a cheap, easy way to build up a spam list. And if they did get into your customers' financial records, that, of course, is a much more serious problem.

3. Don't keep it a secret.
If you've been hacked, you've been hacked. Don't hide it -- not from your vendors, not from your staff and especially not from your customers. "They are smart and will understand that you're also a victim," says Mandeep Khera, an online-security expert with Cenzic, a Santa Clara, Calif.-based company that specializes in protecting businesses from hackers.

Audrey Gendreau, assistant professor of computer information systems at Saint Leo University in Saint Leo, Fla., points out that it's not just ethically sound business to contact everyone who may be affected by the cyber attack -- you're often obligated to, unless you want to run afoul of your credit card issuers and possibly the law.

"The Payment Card Industry represents a consortium of credit-card vendors that dictate how merchants must safeguard their credit cards," Gendreau says. "In accordance with this consortium, the business must notify the card holder immediately and contact the vendor when credit card information has been stolen. If the business was not in compliance with PCI when the breach occurred, they could be fined and lose their merchant status with the credit-card vendor."

Even if you aren't concerned about the fallout from your credit-card vendors, Khera adds that "many state laws, like California SB 1386 and AB 1950, require you to let your customers know if their information has been stolen."

4. Identify your vulnerabilities.
Granted, unless you know something about source code, this is probably a job for your tech team or hosting company. But it's a vital step in the process of getting yourself unhacked: you've taken your website down, and it would be foolish to bring it back up before you know how the attacker got in, because otherwise they will simply walk back through the same door. Keep in mind, hosting providers won't accept responsibility for a hacker invading your website.

"Even if a business has a hacking monitor and prevention service, and its site gets hacked, the service provider won't take responsibility," says Morra, adding that it's similar to how security systems in a home or business work. "If you have an alarm system in your home, the alarm company won't accept the responsibility for your home if you get broken into."
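What that tech team actually does at steps 2 and 4 is, at bottom, comparison and log reading. The following Python script is an added example for this article, not code from the original piece or from any of the companies quoted in it. It does two things: it compares a manifest of file hashes taken from a known-good deployment with the site as it stands now (what did the attacker add, change or delete?), and it triages access-log lines in the combined format written by Apache and nginx for the requests that most often precede a compromise (how did they get in?). The log lines, manifests and the `SUSPICIOUS` patterns are constructed for illustration; the patterns are a starting point to tune for your own application, not a complete detector.

```python
"""Scoping a website compromise: what changed, and how did they get in?

Added example, not code from the original article. Manifests, log lines
and the SUSPICIOUS patterns below are constructed for illustration.
"""
import hashlib
import re
from collections import Counter
from pathlib import Path
from urllib.parse import unquote


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root to its hash (relative path -> sha256).
    Build the clean baseline from a deployment artifact or a backup taken
    before the incident, never from the live, suspect site."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, live):
    """Split the live site into files the attacker added, altered or deleted.
    Added files (web shells, dropped spam pages) and modified files (a defaced
    index, a back-doored login script) are the first things to pull for forensics."""
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "modified": sorted(p for p in baseline.keys() & live.keys()
                           if baseline[p] != live[p]),
    }


# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Matched against the URL-decoded request path. Constructed starting points only.
SUSPICIOUS = [
    ("sqli", re.compile(r"'\s*(or|and)\b|union\s+select", re.I)),
    ("traversal", re.compile(r"\.\./")),
    ("webshell", re.compile(r"\.php\?\w*(cmd|exec)=", re.I)),
    ("upload", re.compile(r"upload", re.I)),
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %27, %2e%2e etc. before matching
    return rec


def triage(lines):
    """Count requests per client and flag the lines worth a human's attention:
    suspicious paths, plus any successful write (POST/PUT) to the site."""
    per_ip = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        tags = [name for name, rx in SUSPICIOUS if rx.search(rec["path"])]
        if rec["method"] in ("POST", "PUT") and rec["status"] < 400:
            tags.append("write")
        if tags:
            flagged.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                            "status": rec["status"], "tags": tags})
    return {"requests_per_ip": dict(per_ip), "flagged": flagged}


# Constructed sample: six log lines around a defacement, and two manifests.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2010:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [14/Dec/2010:03:12:05 +0000] "GET /admin/login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 812
203.0.113.7 - - [14/Dec/2010:03:12:40 +0000] "POST /admin/upload.php HTTP/1.1" 200 211
203.0.113.7 - - [14/Dec/2010:03:12:44 +0000] "GET /uploads/cache.php?cmd=id HTTP/1.1" 200 97
198.51.100.20 - - [14/Dec/2010:03:13:10 +0000] "GET /products HTTP/1.1" 200 4410
203.0.113.7 - - [14/Dec/2010:03:15:02 +0000] "GET /index.php HTTP/1.1" 200 301
""".splitlines()

CLEAN_MANIFEST = {"index.php": "a" * 64, "admin/login.php": "b" * 64,
                  "admin/upload.php": "c" * 64}
LIVE_MANIFEST = {"index.php": "d" * 64, "admin/login.php": "b" * 64,
                 "admin/upload.php": "c" * 64, "uploads/cache.php": "e" * 64}

if __name__ == "__main__":
    print(compare(CLEAN_MANIFEST, LIVE_MANIFEST))
    for hit in triage(SAMPLE_LOG)["flagged"]:
        print(hit["ts"], hit["ip"], hit["tags"], hit["path"])
```

On the sample, `compare` reports `index.php` modified (the defacement) and `uploads/cache.php` added (the dropped web shell), and `triage` ties both to a single client that tried a SQL-injection login, uploaded a file and then called it with a command parameter, all within a minute. Run against the real site, the same `manifest`/`compare` pair on a schedule, checked against a stored clean manifest, is also the cheapest form of the "know what's going on inside your network" monitoring that item 5 below calls for.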

5. Plan for the next attack.
Lightning can strike twice -- and so can hackers. "The fact of the matter is that bad things happen," says Bill Roth, executive vice president of LogLogic, an international IT data management company headquartered in San Jose, Calif. "You will be hacked. You may have already been hacked and not know it."

So how do you prepare? "A rational organization will do three things," Roth says. "First, put up the best defenses you can. Second, implement the best people-processes you can. Finally, be ready to clean up and perform forensics when you do get hacked. It's important that you know what's going on inside your network since the majority of threats come from the inside."

The original version of this article appeared on AOL Small Business on 1/6/11.
