Help! Somebody Save Our Files!
Dustin Britt was working at his desk last Halloween when a huge explosion outside his window shook the building. The lights went out, and one of his co-workers screamed, "Oh, my God, I think we're going to die!"
But no one in the office was injured. The explosion had been caused by a car crashing into a telephone pole. Matchstic, the Atlanta design firm where Britt is a project manager, did lose power for more than a day. But it was prepared. Matchstic's computers either were laptops or had backup power supplies, which allowed them to be powered down without the loss of any work. And the company's servers are backed up once a day. Employees worked from home until power was restored, and a presentation had to be held in a nearby coffee shop, but otherwise the company was unaffected.
Other companies haven't been so lucky. No one comes to work expecting an IT crisis, but heart-stopping technical meltdowns happen every day -- important files get wiped out, or thieves get hold of sensitive data. And data disasters of all sorts hit especially hard at small and midsize companies, where file backups, data security, and sometimes even basic protections like antivirus software frequently get overlooked in the scramble to make payroll and meet project deadlines. We've put together a guide to help you handle and possibly prevent four of the most common IT catastrophes.
1. Laptop theft
Half of all organizations had a laptop or other mobile device stolen last year, according to a recent survey by the Computer Security Institute. And if the next stolen notebook belongs to your company, the replacement cost is the least of your worries. Most states have laws requiring businesses to tell customers when a laptop containing unencrypted sensitive data, such as Social Security numbers and credit card numbers, goes missing. Technology research firm Gartner estimates that each customer record lost costs a company from $150 to $250 in legal fees, notification costs, and other expenses. Plus, laptops often contain company intellectual property and other files that you wouldn't like bad guys leafing through.
How to respond: Your response depends on what you have done up front. For about $40 and up per laptop per year, services such as MyLaptopGPS and Absolute Software's Computrace LoJack for Laptops may be able to get the computer back. If you have installed one of these programs, the stolen machine will report its location to the authorities as soon as the thief connects to the Internet. Some services let you remotely wipe all data from the hard drive or will even covertly download files from the stolen laptop for you. If you don't have a tracing program, the best you can do is report the serial number to the police and the manufacturer and hope it winds up at a repair shop.
Preventive measures: In addition to installing tracing software, make sure to encrypt the hard drive. "If the data's encrypted, thieves can't use it, and you'll save yourself notice costs and bad public relations," says Randy Gainer, who deals with many privacy and security cases as a partner in Davis Wright Tremaine, a Seattle law firm. The enterprise edition of the Windows Vista operating system has an encryption feature, BitLocker, built in. Other encryption programs, such as PGP Whole Disk Encryption or Veridis' FileCrypt, can run about $50 to $120 per computer. Other tips: Record your laptops' serial numbers in a handy place. And advise employees to treat a laptop like a wallet. You wouldn't leave your wallet in the car, and you shouldn't leave your laptop there, either.
2. Hard drive failures
Shortness of breath, nausea, and intense feelings of dread. If you're experiencing these symptoms, you may be having a heart attack -- or you may be reacting to the death of your computer's hard drive. Sean Marx recently suffered through the latter. He's CEO and co-founder of Give Something Back, an Oakland, California, supplier of environmentally friendly office supplies. When he suddenly couldn't get his computer to turn on, he knew he was in trouble. Marx's computer holds very large spreadsheets that track the company's sales and accounting, and he is often the only person with up-to-date versions of those files. He hadn't backed up in six months, even though he knew better. "I very quickly had that sinking feeling," says Marx.
How to respond: If your IT team can't bring your computer back to life, the only option is to send the drive to a data recovery service, which can charge anywhere from several hundred to several thousand dollars to rescue your files. The services aren't always successful. In Marx's case, he spent $1,500 at a local data recovery shop, but almost all the files were corrupted. He was able to recover many files attached to e-mails that were archived on the company's server.
Preventive measures: Back up your hard drive often, and use online services such as Mozy, iBackup, or EVault, which charge monthly fees of about $10 and up per employee. That way, even if a fire or flood ravages your server room, the data will be fine. You could also swap your current hard drive for a system that uses two drives to store two sets of your data, otherwise known as a RAID. So if one of the hard drives were to fail, you would still have the other.
3. Virus outbreaks
"Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor." This is the error message, misspelling and all, created by a recent version of Gpcode.ak, a so-called blackmail Trojan horse. Gpcode.ak sneaks onto your computer, encrypts your files so you can't open them, and then demands a ransom for them. About eight years ago, in the heyday of virus outbreaks, malware writers seemed to compete for the most attention. Now, many virus writers have moved on to lower-profile -- and more profitable -- activities, like phishing, which tricks people into giving up their passwords, account numbers, and other personal data. Viruses remain one of the most common data problems, according to the Computer Security Institute.
How to respond: Many viruses can be contained or removed with antivirus software. The Gpcode.ak virus is an exception. However, Kaspersky Lab, which sells antivirus programs, recently released a free program, StopGpcode, that may help you unlock your files without capitulating to the blackmailers.
Preventive measures: Install antivirus software on all company computers and keep the virus definitions up to date. And make sure to back up your data frequently, just in case you need to revert to the last system-restore point before the virus hit. You can also use services like Postini, which, for about $12 per user per year, will remove viruses from e-mails before they reach your inbox. Companies of a certain size can try something called application whitelisting. Programs like Bit9's Parity, which is available for about $30 per computer for a minimum of 100 machines, allow only software approved by the IT department to run on employee computers.
4. System hacks
It's tough to keep up with hackers, because they are constantly finding new ways to infiltrate databases. In January, Davidson Companies, a financial services firm based in Great Falls, Montana, announced that a hacker may have been able to access personal data on its current and former customers. A handful of the estimated 226,000 affected customers have since filed a lawsuit. Davidson Companies would not comment.
Hackers often target financial companies. They also have an eye for e-commerce sites. In January, the Federal Trade Commission announced a settlement with Life Is Good, a Boston-based apparel maker. The agency criticized the company's e-commerce security after a 2006 incident, in which a hacker used an "SQL injection attack" -- an attempt to gain control of the database by typing code into areas like search boxes -- to grab customers' credit card numbers and expiration dates. The terms of the settlement require Life Is Good to beef up security and hire an independent security auditor to evaluate its systems for the next 20 years. The company declined to comment on the settlement, but an FTC representative says the agency learns about the cases it investigates through a variety of sources, including suppliers and customers.
Often companies don't even realize they have been hacked until well after the fact. According to a recent security report by Verizon Business, 70 percent of firms didn't know they had been hacked until someone else -- a customer or a bank -- reported suspicious activity.
How to respond: If you think there has been a breach, take action right away. Davidson Companies immediately took its website offline, hired a security firm to investigate, and contacted the authorities, the credit bureaus, and its customers. You'll need to do the same, and also contact your attorney, if hackers may have gained access to credit card numbers or other sensitive information. It has become the norm to offer customers a year of credit monitoring services, which can cost about $10 a month per customer. Brace for customer defections, lawsuits, and possible fines from the FTC.
Preventive measures: There is no foolproof way to stop all hacks. So make sure your website encrypts your customers' credit card numbers and passwords (as opposed to storing them in a readable text format, which is what Life Is Good did before the attack). That way, even if hackers get in, they won't be able to see the information. And make sure that you apply the latest security patches to your software to protect against known vulnerabilities. One in five hacks exploits a security hole that's been public knowledge for six months or longer. McAfee (NYSE:MFE) offers a service called McAfee Secure, which scans your website daily for known security vulnerabilities. The service starts at about $1,700 to $2,800 a year for sites with fewer than 30,000 daily page views. Sophisticated techies may also be able to create what's known as a honeypot, phony files and decoy servers that are used to trap hackers. It's sort of like leaving a fake pile of gold out in the open -- if anyone tries to take it, you will know the system is under attack.
More articles about IT security, disaster prevention, and data recovery services can be found at www.technology.inc.com/security.
For more on safeguarding sensitive data, including the Federal Trade Commission's 24-page guide for businesses, Protecting Personal Information, go to ftc.gov/idtheft/business.