It Happened To Me: My Small Business Was Hacked!

Last September, shortly after the attacks on the U.S. diplomatic compound in Benghazi, a company tweeted me that they were going to make our site, SmallBizDaily.com, their “small business resource of the day.” My joy was short-lived when the next morning they tweeted that my site had been hacked.

I quickly checked (it was still early morning on the West Coast, where we’re located) and sure enough, instead of the usual array of small-business content I was greeted by an unfamiliar image of a Middle Eastern-looking man, Arabic lettering and a video about the glories of Allah. I blinked, gulped more caffeine and reloaded the page. No luck — the image was still there. “We’ve been hacked,” I muttered, still not believing what I was seeing.

Weeks Of Agony - Months Of Work

Then followed two weeks of agony and struggle as our Web-hosting company worked to deal with the situation, while also helping their many other small-business clients who had been hacked as well.

It seems someone had placed malicious code on our site that lay dormant for months -- and only popped up that morning. “It was like cancer,” recalls my business partner, who dealt with the situation. “To make sure [the code] was really gone, we had to clean out all of the files we had loaded since the initial hack.”

Months of work was wiped out — and every time we thought it was fixed, the hack popped up again. I was repeatedly embarrassed; it seemed every time I would tell someone (including the company that originally told me about the hack) the site was fine, within minutes the hack would reappear. We then had to delete and reload more files, more times than I care to remember.

We Were Lucky!

Believe it or not, my company was one of the lucky ones. David Maman, founder and CTO of database security company GreenSQL, said our hack was the “old-fashioned” kind.

“Five or 10 years ago, the purpose of hacking was defacement,” explained Maman, an international expert in computer security who has founded seven tech companies. “It was very obvious when you were hacked — a friend would call and say ‘Hey, what’s going on with your website?’ Today, with a successful SQL injection hack, there will be no sign that someone has retrieved your entire database.”

How can you be hacked without knowing it? If it can happen to Sony and LinkedIn, he said, it can certainly happen to your small business.

Tech Startups Especially Vulnerable

Ironically, tech startups — with their low budgets, long hours and cocky techies coding day and night on their personal laptops and mobile devices — may actually be more vulnerable to hacks than less tech-oriented businesses.

Changes in the nature of business have affected how hackers operate, said Maman, “Everything is about online today, and almost every [business] is providing some type of online service or app. As a result, the line between internal and external data is blurred, and all of your information is exposed.”

You might think you have nothing to worry about if you aren’t selling products or collecting card data online. Think again, he says, who explains that most hack attacks today are completely automated. “They don’t even know who you are — they just check websites for vulnerabilities, and if they find them, they will attack.”

In fact, ecommerce companies or other businesses that collect customer credit and payment data may be less at risk of hacking because they must be PCI (Payment Card Industry) compliant. “These regulations are actually beneficial,” said Maman.

What if, like so many small business owners, you simply provide a free app or service? All you’re collecting from customers is their registration information, which could be as simple as their name and email — so what do you care if it’s compromised?

“Data is the new currency,” he warned — and that includes any type of data, not just financial information.

Maman explained that hackers may manipulate customer data to inject malicious code that serves up competitors’ information instead of your own, penetrates the customer’s computer, or worse.

“It’s not about losing information — which may not be worth that much — but about harming your customers, hurting your brand and destroying your reputation.”

If a customer’s computer gets infected after using your service, are they likely to return? Worst of all, you won’t even know your business has been hacked until it slowly withers and dies as customers fade away.

What To Do If It Happens To You?

“If in the past it was a big taboo to let customers know that you’ve been hacked, today it’s not,” he said, citing LinkedIn as an example. “Letting your customers know won’t hurt you — it will show that you’re being responsible.”

Ask them to change their passwords on your site and on any other sites where they use the same password. Apologize; then explain what measures you will take to make sure the hack won’t happen again.

Beef Up Your Defense

Those measures should include three key steps:

1. Secure your coding. “Most of the basic attacks, and even some of the more advanced ones, are due to unprofessional coding,” said Maman. “There’s a lot of information online about how to secure coding.” Educate yourself and take the steps.

2. Harden your computers at the operating-system level, applications level, server level, network-access level and even the individual customer level. Hardening essentially means eliminating unnecessary software, restricting access and otherwise blocking everything that is not essential. “Hardening documentation can be found online,” he said.

3. Use free and open-source software. Security doesn’t have to cost a lot for a small business. “ModSecurity is a free, open-source Web application firewall,” said Maman. “GreenSQL Express is our free database firewall.”

Most of all, pay attention to security. Without the money for a dedicated IT security staffer, your team needs to be even more responsible than big-company employees about what’s running on their devices.

Don't worry; security doesn't have to be a business killer.

“People think of IT security as a hassle, a lot of work and a waste of time,” he said. “That’s not the case. Just one day’s work can increase your security level 100%.”

 

Image courtesy of Shutterstock.