In March, Hannaford Bros., a Scarborough, Mass.-based supermarket chain, announced someone had hacked into its computer system and exposed 4.2 million debit and credit card numbers, resulting in more than 1,800 fraud cases. Affecting customers in five different states, the data breach underscores--via a very public example--the need for robust network security for all companies regardless of size.
Michelle Drolet, CEO at Towerwall Inc., a Framingham, Mass.-based provider of advanced information security solutions, attributed the problem at Hannaford to malware, a program or file designed to specifically damage or disrupt a system. "The hackers were able to use computer code to infiltrate the system and capture the sensitive data," Drolet says.
Hannaford isn't alone in its plight. According to Scott & Scott, L.L.P., a Dallas-based law and technology services firm, 85% of businesses have experienced a data security breach, and of those, fewer than 43% had an incident response plan in place. The results can be devastating: Seventy-four percent reported a loss of customers, 59% faced potential litigation, 33% faced potential fines, and 32% experienced a decline in share value.
Midsized firms are particularly vulnerable to network security breaches, Drolet says, because most don't have security personnel or engineers on staff to serve as a "second set of eyes" for their networks. Without that layer of in-house security, Drolet says, companies can quickly become victims of criminals who are looking to corrupt, steal, and share critical information stored on networks.
Take passwords, for example. According to Bill Carey, vice president of marketing at Siber Systems Inc., the developer of password and identity management software RoboForm, every new password that is issued can effectively decrease the level of network security for a company. And when employees start writing them down, the security becomes even more lax.
"It can turn into a conundrum pretty quickly," Carey says. Add in the fact that many companies offer remote access for employees, trading partners, and other entities, and the situation becomes even more complicated. "It's an issue that companies of all sizes are dealing with as they strive to make information more accessible to employees."
To avoid such calamities, Drolet says companies should use a system of "evaluating, establishing, educating, and enforcing," beginning with an internal look at exactly what you want to protect. For example, is it intellectual property related to human resources or engineering applications? Is it sensitive customer data or employee information?
Once you have decided what you want to protect, look at those areas carefully to find out how they can be compromised, Drolet says. A company that has a high number of trusted relationships with other firms that tap into its data is advised to look carefully at patches, firewalls, and anti-virus technology located at those shared gateways. "Poke holes at the critical areas to see just how someone can break in," Drolet explains. She adds that once those holes have been identified, the next step is to create a remediation plan to protect those critical areas.
The third step involves educating managers, employees, customers, and vendors about the stepped-up security measures. "Remember that your users are the weakest link in any security strategy, so put user awareness into play," she adds.
Companies also should put together a budget for information security, just like they would for functions like sales, marketing and advertising. Carve out a specific percentage of annual revenues to be dedicated to the cause, and use those funds to hire the appropriate personnel and/or outside IT experts, purchase the necessary equipment and enforce network security policies.
Finally, Drolet says, midsized firms need to be realistic about the task at hand.
"Everything can't be fixed at once," she says, "so prioritize in a way that allows you to hit the most critical areas first, and then expand your security strategy from there."