CYFOR, cyber security specialists, reports on the dangers of Heartbleed for businesses
15th April 2014
Heartbleed is a bug present in OpenSSL that allows hackers to eavesdrop on supposedly secure communications to uncover names, passwords and other personal information. Keith Cottenden, Director at CYFOR cyber security specialists, commented on the potential danger this poses to businesses:
“The severity of the Heartbleed bug depends on your business. If you are an e-commerce business or have your own website that contains customer data, then you need to know whether the vulnerable version of the particular product is relevant to you. This bug potentially affects about two thirds of all websites so it is significant.
“However, in terms of widespread panic we are not completely sure how it is going to develop yet. I would recommend waiting and seeing if the website a business is using has been patched or not before panicking – although I recommend people change their passwords regularly anyway. I would not panic; I would say change your passwords and don’t use the same passwords or an easily guessable password.”
“Anyone using OpenSSL is vulnerable; if you can see a padlock icon on a website then it is almost certain that a business has been affected in some way. Large organisations will know about it and won’t hang around fixing it; they will have dealt with this vulnerability already. The main worry is for small e-commerce sites that do not know they have been affected. Any business that takes customer details could be vulnerable because this encryption is designed to protect personal data.
“To remedy the situation small businesses could engage with a consultant and get a gap analysis to look at where they are with their information security. If they don’t have sufficient internal capability to do this, they need to bolt it on with some form of remediation. This is beyond the capacity of many small businesses however and they really need to consider bringing in a consultant.”
How businesses can respond
Cottenden continued, “Businesses need to apply mitigation now. If they get customers to change their password now, but the problem has not been patched, their old and new passwords could be at risk. Issue statements to customers, whether or not you are affected; use it as positive PR and be proactive. Businesses should not bury their heads in the sand, even if they are not affected. If you collect customer data, tell your customers the situation and be honest.
Customers’ legal grounds for suing businesses
“The Data Protection Act is the main driver for this, and now this vulnerability is in the public domain there will be no excuses and more grounds for redress. Clearly organisations may have suffered data breaches, but even though there is a sense of doom and gloom, we don’t yet know to what extent. People should keep an eye on their financial statements for the time being. They should also be aware of opportunists making the most of this by using fraudulent emails to try and obtain passwords etc.
“If an organisation knows that customer data has been stolen then data regulations state this must be reported. The Adobe breach, for example, had an impact on a lot of people, and there is no hiding these things anymore. This could become next week’s chip paper or it could become huge; we do not know the impact of this vulnerability yet. Some people are saying that on the scale of one to ten, this is eleven and the internet is on fire. This is really about the smaller businesses though. The bigger companies should be all over this.”