Even with the best security in place, your company's network or web site might still get hacked. As one security consultant noted, you're in an arms race, and the other guys are the ones inventing the new weapons, so it's not unlikely that you'll get hit. It's nothing to be embarrassed about -- it even happens to professional security firms. Symantec, for instance, was a recent victim. So was Ken Conquest, an owner of TechroDyne Inc., a network security software firm based in Euless, Texas. Some vandal decided to hack into his Internet connection and bombard him with so much fake traffic that he couldn't even send an E-mail to a client. "We couldn't do any business anyway, so I just shut down the link and hoped the hacker would get bored when he couldn't disrupt my business anymore."

Conquest does a lot of business over the Internet, since people buy and download TechroDyne's software product from its Web site. So, shutting down the link for a couple of days was a serious disruption. But Conquest knew it was too risky to leave the link open -- the hacker might have dug up information about his business on the server. "You never know if the hacker is just a vandal, or someone trying to seriously damage your business, so you don't take chances," he says.

You need a plan before a hack occurs so you can minimize the damage -- then worry about plugging the hole and perhaps catching the perpetrator. If necessary, pull your server off the Web until you get the situation under control.
Here's the basic checklist of what to do if you get hit:

• Do not correspond via E-mail to anyone about the hack via a system that's compromised. Don't keep any electronic information about it at all. Hackers systematically do surveillance to see if they've been detected, giving them a chance to hide their tracks or alter tactics.
• Have a list of phone numbers handy for your web hosting service, technical staff, web security company, police, and the national Computer Emergency Response Team (CERT for short, 412-268-7090 www.cert.org). The latter is a federally funded SWAT team with roots in the defense industry that monitors hacking incidents and provides technical assistance. Check the web site for resources, including tips on detecting and recovering from intrusions.
• Notify law enforcement. A lot of people are worried about embarrassment and spin control. But the FBI says they'll keep the security hack confidential unless there's a trial.
• Secure and preserve all evidence. That includes logs, original files and copies of the damage they did, along with financial records.
• Identify the origin and time of attack, if you can. Your site administrator can do this. If you don't have an administrator, a computer-security company or an FBI or CERT agent can walk you through the process over the phone. Keep detailed and dated notes of what occurred.
• Prepare for repeat attacks. Make sure network-monitoring software is installed and functioning (more on that below).
• Do a cost evaluation -- property, time, cost of buying new computer equipment and hiring a private security consultant if you don't already have one. Adjust your tech budget accordingly.
• Take care of your staff. Entrepreneurs who've been through such attacks know they can hurt morale. People will be worried that personal information might have been disclosed, so you may need to take measures to make them feel physically safe, such as changing locks. And everyone knows or soon learns that insiders are prime suspects in a hack, so it's important to reassure people and make them feel comfortable with each other again once the source of the attack has been located. You may need to give an off-site barbeque or other social event to promote bonding. Or just give people some time off. One victim notes that repelling a hacker boosts the workload tremendously, leaving everyone at a small company exhausted physically and emotionally.

The tools include easy-to-purchase software such as network-monitoring software and network sniffers, which literally go out and sniff for suspicious behavior, such as someone trying 10 different passwords to access a file. Monitors and sniffers usually comes bundled when you buy a $1,000-plus firewall; in fact, you shouldn't buy a firewall product that doesn't include it.

The monitoring component simply records all the traffic on your network -- who is logging on, from what computer, what time they are on the network, what files they access. It provides a an electronic paper trail, and is useful for much more than locating thieves and vandals. For instance, it tells you if there's gridlock on your network, and what servers are being overused --that tells you the source of the gridlock. Don't worry if it all looks like digital gibberish to you. "Even if you can't make heads or tails out of the techno report the monitoring software gives you, a security expert can," says Bill Hancock, a consultant to the FBI on network security. Collectively, the records will give authorities a better chance of finding and shutting down your attacker.

As for preventive steps, Chuck Shih at Gartner Group recommends carefully scrutinizing any ISP, Web-hosting service, or network consultant before hiring them. "Especially if it's a Mom 'n Pop local service provider, make sure they have firewall technology in place on every server on their own network, secure socket layers, encryption, as well as network monitoring software that lets them constantly observe the traffic on their network," he says. And don't, under any circumstances, hire a company that doesn't specifically have a network security expert on staff. You may end up paying a little more for an established regional or national ISP instead of your local, "personal-service" provider, says Shih, but it's worth it. And remember the old-fashioned, offline safeguards. "Don't take hiring network people lightly," Shih says. "Get references and check them out thoroughly."

By Rivka Tadjer