Defending Your Data

If you think your company can afford to take computer security lightly, make a road trip to Framingham, Mass.-based TJX Co., Inc., and ask them about recent happenings involving the company’s computer network. TJX, which owns several of the most popular chain discount retail stores in the United States, will give you more than 45 million reasons that’ll likely change your mind and make you start thinking seriously about beefing up the security on your computer network.

Disclosed in a Securities and Exchange Commission (SEC) filing in late March of this year, TJX indicated that more than 45 million customer’s credit and debit card numbers were stolen from its IT systems over an 18-month period, making it the largest customer data breach on record.

TJX believes that hackers breached its network and loaded unauthorized software onto the computers used to process and store transaction data, making off with over 100 files filled with data from millions of customer accounts. The company thinks that these hackers were able to steal card information from its headquarters while transactions were being approved. Also, the company believes that hackers were able to access encrypted files because they had gained access to its decryption tool.

TJX recorded a fourth-quarter charge in 2006 of approximately $5 million to cover the costs of containing and investigating the cyber theft, as well as patching the holes in its IT systems, communicating with customers and paying legal fees. However, that marked only the beginning of a slew of challenges to come, as the company was hit in late April with a class-action law suit seeking “tens of million of dollars,” by several large financial institutions.

Fraud Raises Awareness
TJX has — whether executives like it or not — become the poster child for customer identity theft because of its lack of attention paid to computer security. The breaching of its network is prompting business owners on all levels to open their eyes to the possibility that it could happen to anyone.

Steve Epner, founder of St. Louis-based business consulting firm Brown Smith Wallace Consulting Group, says that it is impossible to protect your company from everything.

“No one can be 100 percent protected unless they disconnect from the Internet,” Epner explains. “Even Microsoft and the U.S. government have been hacked. If they can’t spend enough money to protect themselves, you can’t completely protect your company.”

Brown Smith Wallace has a team of IT specialists on staff, who Epner refers to as “professional hackers.” They perform penetration and vulnerability assessments for companies of all sizes, which helps determine weak points in their infrastructures. With aim towards network connected devices, the team works feverishly at gaining access into a company’s network and showcases the sensitive information that companies are leaving ripe for exposure.

“Their job is to see how easy it is to break into your system,” Epner explains. “And then they will give you a report and let you know how easy or difficult it was to break in and what you can do to protect yourself.”

Epner says he’ll never forget how, four years ago, a well-known company challenged his up-and-coming team, by guaranteeing they couldn’t break into its assumed impenetrable network.

“We made a bet,” Epner explains. “If we can’t get into your system, we’ll write you a report for free that says we couldn’t get in. But, if we do get into your system, you’ve got to spend some money with us for remediation.”

The two sides agreed to the deal. “We broke their first password in three minutes,” Epner says. “But it did take overnight to take over their server.”

Even though it took all night to crack the company’s server, Epner’s team was still able to gain access into the company’s network. Fortunately for the company, its bet with Brown Smith Wallace paid off as Epner’s team helped patch up the company’s gaping security holes and helped build a stronger secured network.

Impenetrable?
Many business owners operate with the perception that, because they spend a certain amount of revenue on security, their network is impenetrable. This isn’t the case, notes Epner.

Companies have to understand that their system is likely not secure no matter what price they pay, and that it’s probably not that all difficult for outsiders to breach.

“You can spend a good deal of money, but for most distributors out there — except for disgruntled ex-employees or ex-spouses — your biggest fear has got to be that somebody just picked you for practice,” Epner explains. “Lets face it, if I shut down the ‘XYZ Trading Company,’ it’s not going to make a reputation. I’m going to make a reputation by shutting down AT&T, but I might use you for practice.”

Small business owners recognize the high risk of being used as test dummies and are protecting their interests by securing their computer networks, whether it’s by enhancing their own in-house IT staff with professionals or by outsourcing their IT to multi-million dollar software companies.

Ed Hildreth, co-owner of Sound Janitorial Supply, Tumwater, Wash., says he stays up on current trends and security threats affecting the business community, but chooses to outsource his company’s IT to a well-known software company because of the added insurance it provides. But, Hildreth says even though his IT is managed by technology gurus, he understands that his company’s network could still be a target.

“I really believe that any kind of sophisticated hacker can probably breach our system,” Hildreth says. “What we rely on is that we have enough firewalls and passwords in place, that they give up and go somewhere else. If they can breach these multi-million dollar companies, they can breach ours. But we just hope to make it more difficult.”

Exposing Sensitive Info
No company wants its sensitive business information exposed, but many businesses are careless enough to let it happen. The main reason small to mid-sized businesses let it happen is because they don’t take the necessary precautions and don’t have IT professionals on site to guide them in the right direction.

Mark Newhouse, CEO of Laymen Global, Monmouth Junction, N.J., says his company doesn’t keep any sensitive data on its hard drive, so that in the event the company’s network was breached, his company wouldn’t be jeopardizing crucial business and customer information.

“We don’t want anybody to have access into our financial information or our customer lists,” Newhouse says. “Any part of our software is proprietary. We don’t want anybody to have any of that information, so we don’t keep anything on our hard drive that can be stolen.”

Newhouse says Laymen Global’s financial information, customer lists and company information does not reside on it’s hard drive, rather, it’s protected off- site by a software company.

Hildreth says his company backs up its sensitive business and customer data off-site as well, and assumes that the software company it uses is prepared for potential risks.

“We are making the assumption that they have the protection and they have gone through those kinds of mock attacks,” Hildreth says. “Not only is customer data on our hard drive, but all of our company data is on there, including employee birth dates, social security numbers and all those kinds of things.”

Hildreth says that even though his company outsources its IT, he works closely with the software company on a regular basis to stay informed on recent happenings.

“We talk to our computer person probably every six weeks to two months and find out if there is anything that they recommend, like improved firewalls, password hints and those types of things,” says Hildreth. “I’m aware that people out there are always using more sophisticated methods to change their ways, so we try to stay up on it.”

Defeating, Not Deleting
Many people believe that once a file is moved to the trash or recycle bin on a hard drive and emptied that the file is deleted permanently from the computer’s hard drive. This is a misconception that poses a potential risk for a company if that file includes company data or customer information, especially when the hard drive is disposed of, sold or donated.

Stephen Lawton, strategic marketing manager for Acronis Inc., a disk wiping software supplier based in Burlington, Mass., says he can’t emphasize enough that simply deleting a file, a partition or reformatting a disk is not secure.

“Those are inadequate file removal strategies,” Lawton explains. “The only way to ensure that you’ve gotten rid of data is to overwrite it multiple times with a quality disk wiping application. But it’s got to meet a minimum of three overwrites. More is better, but it takes more time.”

Recovering hardware with sensitive business information from a trash bin is not that all uncommon. Businesses must take into account that when disposing, selling or donating old hardware, that all information from a computer’s hard drive is wiped clean. Lawton says it’s an issue that many companies don’t think twice about.

“The idea of migrating from one network drive to another and what you do with your old hardware, that’s an issue that everybody faces whether you’re a Fortune 500 company or you’re just a small ‘mom-and-pop’ store,” Lawton says. “It’s really a critical issue and quite frankly a lot of people just don’t think about it.”

Epner suggests that if a company does not feel secure donating old hardware or throwing it in the trash after wiping the hard drive clean, that the company remove the hard drive and destroy it. “If you’ve got data that needs to be destroyed, destroy the hard drive,” he stresses.

Epner says that when Brown Smith Wallace donates old hardware, the IT staff removes the hard drives because they believe purchasing a new hard drive is relatively inexpensive compared to the price associated with the exposure of sensitive information that was on that hard drive.

When it is time for a hardware upgrade at Laymen Global, it keeps its old hardware on-site as secondary computers. If the company were to dispose of old hardware, it would take the necessary precautions and ensure the hard drives were wiped clean several times.

“Old computers become secondary computers around the office, but if we were going to get rid of computers, we definitely would wipe it clean with some sort of software program that really does wipe it clean, rather than obviously just putting it into the trash,” says Newhouse.